HTTPS Connection Issues

From MgmtWiki
Jump to: navigation, search

Full Title or Meme

Like most security protocols HTTPS can start failing for all sorts of reasons, but issues with upgraded security seems to be most common.

Context

  • For HTTPS to work the certificate (and key) used to sign the TLS (SSL) connection packets must match one of the certs in the cert:\localmachiroot folder. That means that the fingerprint (hash) of the root key must match the signing key.

Issues

Net Core Console Apps

Here are the steps:

  1. Create a Certificate Signing Request (CSR).
  2. Have the CSR signed by the server.
  3. Get the signed certificate.
  4. Include the signed certificate in the HTTP request.
  5. Make sure to put the Self-Signed CA Certificate in the Local Computer's Trusted Root CA store.

Troubleshooting steps in order (do not skip if a certain step is not successful):

  1. Test with HTTP
  2. Test with HTTPS (one-way authentication)
  3. Test with HTTPS (Mutual Authentication)

PowerShell Invoke-xxxMethod

$r = Invoke-RestMethod "https://trustregistry.us/csp" -Method Post -Body $j -ContentType "application/jose"
$r
The registry service https://localhost:5035/csp could not be found. Exception: The SSL connection could not be established, see inner exception.

or on AWS

$r = Invoke-RestMethod "http://localhost:5035/csp" -Method Post -Body $j -ContentType "application/jose"
Invoke-RestMethod : The underlying connection was closed: The connection was closed unexpectedly.
At line:1 char:6
+ $r = Invoke-RestMethod "http://localhost:5035/csp" -Method Post -Body ...
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

One common cause for this issue is a mismatch in TLS levels between the client and server. In general all sites should be (2020-07) set for tls1.1 or higher.

  • Check with powershell Get-TlsCipherSuite [[-Name] <String>] [<CommonParameters>]

PowerShell Ignore SSL Errors

add-type @"
   using System.Net;
   using System.Security.Cryptography.X509Certificates;
   public class TrustAllCertsPolicy : ICertificatePolicy {
       public bool CheckValidationResult(
           ServicePoint srvPoint, X509Certificate certificate,
           WebRequest request, int certificateProblem) {
           return true;
       }
   }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
$result = Invoke-WebRequest -Uri "https://trustregistry.us
StatusCode        : 200
StatusDescription : OK
Content           : <!DOCTYPE html>
                    <html lang="en">
                    <head>
                        <meta charset="utf-8" />
                        <meta name="viewport" content="width=device-width, initial-scale=1.0" />
                        <title>Trust Registry Home - TrustRegistry</title>...
RawContent        : HTTP/1.1 200 OK
                    Transfer-Encoding: chunked
                    Content-Type: text/html; charset=utf-8
                    Date: Wed, 22 Sep 2021 03:17:41 GMT
                    Server: Kestrel

                    <!DOCTYPE html>
                    <html lang="en">
                    <head>
                        <meta charset="...
Forms             : {}
Headers           : {[Transfer-Encoding, chunked], [Content-Type, text/html; charset=utf-8], [Date, Wed, 22 Sep 2021
                    03:17:41 GMT], [Server, Kestrel]}
Images            : {@{innerHTML=; innerText=; outerHTML=<IMG class=img-responsive style="WIDTH: 90%" alt="TR is Trust
                    Registry" src="/images/TRBanner.png" height=120>; outerText=; tagName=IMG; class=img-responsive;
                    style=WIDTH: 90%; alt=TR is Trust Registry; src=/images/TRBanner.png; height=120}}
InputFields       : {}
Links             : {@{innerHTML=TrustRegistry; innerText=TrustRegistry; outerHTML=<A class=navbar-brand
                    href="/?page=%2FIndex">TrustRegistry</A>; outerText=TrustRegistry; tagName=A; class=navbar-brand;
                    href=/?page=%2FIndex}, @{innerHTML=Home; innerText=Home; outerHTML=<A class="nav-link text-dark"
                    href="/">Home</A>; outerText=Home; tagName=A; class=nav-link text-dark; href=/},
                    @{innerHTML=VICAL; innerText=VICAL; outerHTML=<A class="nav-link text-dark"
                    href="/Home/Certification">VICAL</A>; outerText=VICAL; tagName=A; class=nav-link text-dark;
                    href=/Home/Certification}, @{innerHTML=Resources; innerText=Resources; outerHTML=<A
                    class="nav-link text-dark" href="/Home/Resources">Resources</A>; outerText=Resources; tagName=A;
                    class=nav-link text-dark; href=/Home/Resources}...}
ParsedHtml        : mshtml.HTMLDocumentClass
RawContentLength  : 6888

Set .NET to Ignore Certificate Errors

Add a certificate validation handler. Returning true will allow ignoring the validation error:

ServicePointManager
   .ServerCertificateValidationCallback += 
   (sender, cert, chain, sslPolicyErrors) => true;

This is even more useful than it may at first appear. I ran into the OP's problem while using Managed Exchanged Web Services (EWS). I thought that I could not use this answer since I didn't have access to the low-level SOAP calls that were being made by that managed library. But when I took another look at it, I realized ServicePointManager stands on its own. So,I added the above callback before initializing the ExchangeService and it worked like a charm. – Mark Meuer Apr 19 '12 at 21:50

or this way - Call this method before you call smtpclient.Send():

[Obsolete("Do not use this in Production code!!!",true)]
static void NEVER_EAT_POISON_Disable_CertificateValidation()
{
   // Disabling certificate validation can expose you to a man-in-the-middle attack
   // which may allow your encrypted message to be read by an attacker
   // https://stackoverflow.com/a/14907718/740639
   ServicePointManager.ServerCertificateValidationCallback =
       delegate (
           object s,
           X509Certificate certificate,
           X509Chain chain,
           SslPolicyErrors sslPolicyErrors
       ) {
           return true;
       };
}

References