c# Https call to self signed endpoint timeout (curl works)

Question

We are running a C# application (.net Core 3.1) on ubuntu 18.04. The application does a http request to a self-signed https endpoint, but that request is canceled. I managed to reproduce it using the following snippet:

   class Program {
    static async Task Main(string[] args)
    {
        const string url = "https://my-endpoint.com/path/";
        const string basicAuth = "user:password";
        
        var httpClientHandler = new HttpClientHandler();
        httpClientHandler.ServerCertificateCustomValidationCallback =
            (message, cert, chain, sslPolicyErrors) => true;

        HttpClient httpClient = new HttpClient(httpClientHandler);            
        var authHeader = new AuthenticationHeaderValue("Basic",
            Convert.ToBase64String(Encoding.UTF8.GetBytes(basicAuth)));
        httpClient.DefaultRequestHeaders.Authorization = authHeader;
        httpClient.Timeout = TimeSpan.FromSeconds(60);

        Stopwatch watch = null;
        try
        {
            watch = Stopwatch.StartNew();
            var result = await httpClient.GetAsync(url);
            watch.Stop();
            Console.WriteLine($"Took {watch.ElapsedMilliseconds} milliseconds");
            Console.WriteLine(await result.Content.ReadAsStringAsync());
        }
        catch (Exception e)
        {
            watch?.Stop();
            Console.WriteLine($"Took {watch?.ElapsedMilliseconds} milliseconds");
            throw;
        }
        
    }
}

When I run this locally it succeeds but on the linux server it generates the following output:

Took 100239 milliseconds
Unhandled exception. System.Threading.Tasks.TaskCanceledException: The operation was canceled.
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean allowHttp2, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
   at HTTPTest.Program.Main(String[] args) in C:\Users\nlfsmi\src\iotedge.kafkahttpbridgemodule\HTTPTest\Program.cs:line 31
   at HTTPTest.Program.<Main>(String[] args)
Aborted

Weird things I notice:

• The same request with curl works
• Timeout after 100s, while httpClient.Timeout is only 60s

Does anyone know what might be going on here? Could it still be a firewall issue, even though Curl succeeds?

Answer 1

It turned out to be a firewall issue, but a very pesky one.

• In our CA certificate there was a pki.ourdomain.org defined.
• The C# HTTP library called that URL at some point during the request (despite the ServerCertificateCustomValidationCallback returning true)
• Curl and python (requests) do not make this call so they dont timeout.
• Our firewall discarded the request to this pki domain, without any error or response.
• This caused the HTTP request to eventually timeout without any relevant error message.

When we found out this cause we added the pki.* url to the firewall rules. A more hacky solution without firewall changes is be to add pki.ourdomain.org to direct to localhost. This makes the pki request fail instantly, and the original request is executed normally.

I still dont fully understand why the C# library has this behaviour and other clients do not, but I hope this may help someone.