The SSL connection could not be established

Question

I am using a third party library (Splunk C# SDK ) in my ASP.NET Core application. I am trying to connect to my localhost Splunk service via this SDK, but I get an exception saying:

System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.

And the inner exception says:

The remote certificate is invalid according to the validation procedure.

This SDK uses HttpClient under the hood, but I don't have access to this object to configure HttpClientHandler.

All my search on Google ends up using ServicePointManager to bypass the SSL validation, but this solution doesn't work in ASP.NET Core.

ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

Is there any way to bypass this validation in ASP.NET Core?

Answer 1

Windows 10 add Group Policy configuration for elliptical curves under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings. The ECC Curve Order list specifies the order in which elliptical curves are preferred as well as enables supported curves which are not enabled.

Added support for the following elliptical curves:

 BrainpoolP256r1 (RFC 7027) in Windows 10, version 1507 and Windows Server 2016
 BrainpoolP384r1 (RFC 7027) in Windows 10, version 1507 and Windows Server 2016
 BrainpoolP512r1 (RFC 7027) in Windows 10, version 1507 and Windows Server 2016
 Curve25519 (RFC draft-ietf-tls-curve25519) in Windows 10, version 1607 and Windows Server 2016

Reboot machine and success

issues

path

Answer 2

I had to turn off my VPN to get rid off this error.

Answer 3

If you are adding an IHttpClient and injecting through DI, you can add the configuration on the Startup.cs class.

public void ConfigureServices(IServiceCollection services)
{
    services.AddHttpClient("yourServerName").ConfigurePrimaryHttpMessageHandler(_ => new HttpClientHandler
    {
        ServerCertificateCustomValidationCallback = (sender, cert, chain, sslPolicyErrors) => { return true; }
    });
}

And then call it from your dependency injected class.

public class MyServiceClass 
{
    private readonly IHttpClientFactory _clientFactory;

    public MyServiceClass (IConfiguration configuration, IHttpClientFactory clientFactory)  
    {
        _clientFactory = clientFactory;
    } 

    public async Task<int> DoSomething()
    {
        var url = "yoururl.com";
        var client = _clientFactory.CreateClient("yourServerName");
        var result = await client.GetAsync(url);
    }
}

Answer 4

As I worked with the Identity Server (.NET Core) and a Web API (.NET Core) on my developer machine, I realized that I need to trust the SSL certification of localhost. That command does the job for me:

dotnet dev-certs https --trust

Answer 5

For those who are trying to inject IHttpClient to a controller for me the solution was using a named client.

Inside the Program.cs configure the named client:

builder.Services.AddHttpClient("YourNamedClient").ConfigureHttpMessageHandlerBuilder(builder =>
{
    builder.PrimaryHandler = new HttpClientHandler
    {
        ServerCertificateCustomValidationCallback = (m, c, ch, e) => true
    };
});

And inside the controller:

 public class YourController: ControllerBase
    {
        private readonly HttpClient _httpClient;

        public YourController(IHttpClientFactory factory)
        {
            _httpClient = factory.CreateClient("YourNamedClient");
        }

    }

Answer 6

If you working in dotnet core (.net core) API or application. Then go to program file or startup class where you are registering DI and register HttpClient along with HttpClientHandler

like below

builder.Services.AddHttpClient("").ConfigurePrimaryHttpMessageHandler(() => new HttpClientHandler

{ ServerCertificateCustomValidationCallback = (sender, cert, chain, sslPolicyErrors) => { return true; } });

Answer 7

There is a more convenient method to set up a HttpClientHandler with AddHttpClient() method - ConfigurePrimaryHttpMessageHandler(). Reference - https://learn.microsoft.com/en-us/dotnet/core/extensions/httpclient-factory#configure-the-httpmessagehandler

Answer 8

This is most likely caused by having your proxy configured incorrectly.

Unfortunately some of the newer Windows workstations are coming with this setup wrong.

Check your system environment variables by running the following script in a Windows command prompt.

Ultimately if your proxy values are configured, but don't have any NO_PROXY settings you are going to encounter issues when trying to reach internal services.

Ultimately I recommend unsetting the HTTP_PROXY and HTTPS_PROXY variables unless you know what they do, and what you need them for.

Also important, check the value of no_proxy and compare it with your co worker to see if there is any differences, sometimes a dot "." can make a difference.

Answer 9

Installing the .NET Core SDK installs the ASP.NET Core HTTPS development certificate to the local user certificate store. The certificate has been installed, but it's not trusted. To trust the certificate, perform the one-time step to run the dotnet dev-certs tool:

dotnet dev-certs https --trust

for more information visit this link

Answer 10

Yes, you can Bypass the certificate using below code...

HttpClientHandler clientHandler = new HttpClientHandler();
clientHandler.ServerCertificateCustomValidationCallback = (sender, cert, chain, sslPolicyErrors) => { return true; };

// Pass the handler to httpclient(from you are calling api)
HttpClient client = new HttpClient(clientHandler);

Answer 11

You get this error because your app isn't able to validate the certificate of the connection, and it's especially common to use this for the API that creates the session/login tokens. You can bypass it in a dangerous way as shown above, but obviously that's not a good solution unless you're just testing.

The best and easiest solution is to use the "modernhttpclient-updated" Nuget package, whose code is shared in this GitHub repo where there's also a lot of documentation.

As soon as you add the Nuget package, pass in a NativeMessageHandler into you HttpClient() as shown and build: var httpClient = new HttpClient(new NativeMessageHandler());

Now you will notice that you got rid of that error and will get a different error message like this Certificate pinning failure: chain error. ---> Javax.Net.Ssl.SSLPeerUnverifiedException: Hostname abcdef.ghij.kl.mn not verified: certificate: sha256/9+L...C4Dw=

To get rid of this new error message, you have to do add the hostname and certificate key from the error to a Pin and add that to the TLSConfig of your NativeMessageHandler as shown:

var pin = new Pin();
pin.Hostname = "abcdef.ghij.kl.mn";
pin.PublicKeys = new string[] { "sha256/9+L...C4Dw=" };
var config = new TLSConfig();
config.Pins = new List<Pin>();
config.Pins.Add(pin);
httpClient = new HttpClient(new NativeMessageHandler(true, config)

Keep in mind that your other (non token generating) API calls may not implement certificate pinning so they may not need this, and frequently they may use a different Hostname. In that case you will need to register them as pins too, or just use a different HttpClient for them!

Answer 12

This worked for me,

Create a Splunk.Client.Context by providing custom HttpClientHandler, that will bypass SSL invalid cert errors.

HttpClientHandler handler = new HttpClientHandler();
handler.ServerCertificateCustomValidationCallback = (sender, cert, chain, sslPolicyErrors) => { return true; };

// Create Context 
Context context = new Context(Scheme.Https, "localhost", 8089, default(TimeSpan), handler);

// Create Service
service = new Service(context);

Answer 13

ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, errors) =>
{
    // local dev, just approve all certs
    if (development) return true;
    return errors == SslPolicyErrors.None ;
};

This blog helped me

https://www.khalidabuhakmeh.com/validate-ssl-certificate-with-servicepointmanager