使用受信任的根证书颁发机构在HttpClient中进行服务器证书验证

Question

I have created a self-signed certificate using

openssl req -x509 -newkey rsa:2048 -keyout https-key.pem -out https.pem -days 365

then I created pkcs12 using (I have set the CN to my server's ip adress):

openssl pkcs12 -export -out https.pfx -inkey https-key.pem -in https.pem -password pass:123456

In my server a use the generated https.pfx file for https.

In my client I imported the generated certificate into the Windows' Trusted Root Certification Authorities (Current user and also local system).

When I send a HTTP request to the server from my client, I get

System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.WinHttpException: A security error occurred
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Threading.Tasks.RendezvousAwaitable`1.GetResult()
   at System.Net.Http.WinHttpHandler.<StartRequest>d__105.MoveNext()
   --- End of inner exception stack trace ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at System.Net.Http.HttpClient.<FinishSendAsyncBuffered>d__58.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task).

In chrome it says:

Attackers might be trying to steal your information from *** (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID

Does .NET Core 2.0's HttpClient use Windows certificate stores? What could be causing the issue.

Answer 1

I would suggest you create a small test application that you can use as a client to test the TLS configuration of the server.

You can use the SslStream class in .NET to connect to a TLS endpoint and perform the negotiation. It can return a much more understandable error message than the random HRESULT codes and unhelpful error messages that come out of SChannel.

The test tool can be nothing more than a WinForms app that contains the following code:

public static void q48873455()
{
    const string hostname = "localhost";
    var tcpClient = new TcpClient();
    tcpClient.Connect(hostname, 443);
    var tcpStream = tcpClient.GetStream();

    using (var sslStream = new SslStream(tcpStream, false, ValidateServerCertificate))
    {
        sslStream.AuthenticateAsClient(hostname);
    }
}


static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
   if (sslPolicyErrors == SslPolicyErrors.None)
        return true;

    Console.WriteLine("Certificate error: {0}", sslPolicyErrors);

    return false;
}

This code established a raw TCP connection to port 443, then uses SslStream to perform a TLS negotiation. During that negotiation, the server will send its certificate, and SslStream will call the ValidateServerCertificate() method, passing the certificate that it received, and providing a value for SslPolicyErrors which indicates what SChannel thought of the certificate.

The SslPolicyErrors value is one of the values listed on MSDN which indicate why (if at all) SChannel thinks the certificate is not trusted.

I tend to find that having a tool such as this around is very helpful when trying to work out why a given certificate is not trusted.

Hope this helps