Security Error, post with Client Certificate (Self-signed Root) on Azure (Asp.net core)
Question
I have uploaded a client certificate to Azure and are trying to make a post to a api method with this certificate. My code works when I am debugging on my local computer but it fails when I run it on Azure as a App Service.
System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.WinHttpException: A security error occurred at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.ConfiguredTaskAwaitable
1.ConfiguredTaskAwaiter.GetResult() at System.Net.Http.WinHttpHandler.<StartRequest>d__105.MoveNext() --- End of inner exception stack trace --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.ConfiguredTaskAwaitable1.ConfiguredTaskAwaiter.GetResult() at System.Net.Http.HttpClient.d__58.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotificatio n(Task task) at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task) at Bandytabeller.Controllers.swishController.d__3.MoveNext() in D:\\ASP-hemsidor\\NetCoreApplications\\Bandytabeller\\Bandytabeller\\Api\\swishController.cs:line 102
[HttpGet("{id}")]
public async Task pay(string id = "", string amount = "")
{
// Get the user agent
string userAgent = Request.Headers["User-Agent"].ToString();
// Create the payment request
SwishPaymentRequest post = new SwishPaymentRequest();
post.payeePaymentReference = id.ToString();
post.callbackUrl = "https://www.quiz-walk.se/";
post.payeeAlias = "1231181189";
post.amount = amount;
post.currency = "SEK";
post.message = "Faktura " + id.ToString();
// Create the http content
HttpContent data = new StringContent(JsonConvert.SerializeObject(post), Encoding.UTF8, "application/json");
// Create variables
X509Store certStore = null;
HttpClientHandler handler = null;
HttpClient client = null;
string token = "";
try
{
// Create a request handler
handler = new HttpClientHandler();
handler.ClientCertificateOptions = ClientCertificateOption.Manual;
handler.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
handler.AutomaticDecompression = DecompressionMethods.Deflate | DecompressionMethods.GZip;
// Open certificate from certificate store
certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
certStore.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, "800CDE7BC219D53812FC164DFF0FE73DF8A8D7B6", false);
if (certCollection.Count > 0)
{
handler.ClientCertificates.Add(certCollection[0]);
}
// Disable ssl validation
handler.ServerCertificateCustomValidationCallback += (message, xcert, chain, errors) => true;
//handler.ClientCertificates.Add(cert);
// Create the http client
client = new HttpClient(handler, false);
// Post the payment request
//Task task = Task.Run(() => client.PostAsync("https://mss.swicpc.bankgirot.se/swish-cpcapi/api/v1/paymentrequests/", data));
HttpResponseMessage task = await client.PostAsync("https://mss.swicpc.bankgirot.se/swish-cpcapi/api/v1/paymentrequests/", data);
// Wait for the task to finish
//task.Wait();
// Make sure that the response is successful
if (task.StatusCode == System.Net.HttpStatusCode.Created)
{
// Get all header values
IEnumerable headers = task.Headers.GetValues("PaymentRequestToken");
// Get the token
foreach (string value in headers)
{
token += value;
}
}
}
catch (Exception ex)
{
token += ex.ToString();
logger.LogWarning(ex.ToString());
}
finally
{
// Dispose of the handler and the client
if(certStore != null)
{
certStore.Dispose();
}
if (handler != null)
{
handler.Dispose();
}
if (client != null)
{
client.Dispose();
}
}
// Create the url
string url = "http://www.bokforingstips.se";
if (userAgent.Contains("Windows Phone") == true)
{
url = "swish://paymentrequest?token=" + token;
}
else if (userAgent.Contains("iPhone") == true || userAgent.Contains("iPad") == true)
{
url = "swish://paymentrequest?token=" + token;
}
else if (userAgent.Contains("Android") == true)
{
url = "intent://paymentrequest?token=" + token + "/#Intent;scheme=swish;package=se.bankgirot.swish;end;";
}
else
{
return Content(handler.ClientCertificates[0].Issuer + " " + token);
}
// Redirect the user to url
return Redirect(url);
} // End of the pay method
I am testing the Swish API and I use ServerCertificateCustomValidationCallback to do my on validation. I works on my local computer but not on Azure. The certificate is loaded, the error occurs on the PostAsync call.
Asp.Net Core 1.1.1
Tested with .Net Framework 4.6.2 on Azure. It does not work, have enabled system.net tracing.
`System.Net Information: 0 : [12712] SecureChannel#3644764 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [12712] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Information: 0 : [12712] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 6801dc65d0:db724b14d0, targetName = mss.swicpc.bankgirot.se, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [12712] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=1638, returned code=ContinueNeeded).
System.Net.Sockets Verbose: 0 : [12712] Socket#66404974::BeginSend()
System.Net.Sockets Verbose: 0 : [23872] Data from Socket#66404974::PostCompletion
System.Net.Sockets Verbose: 0 : [23872] (printing 1024 out of 1638)
System.Net.Sockets Verbose: 0 : [12712] Exiting Socket#66404974::BeginSend() -> OverlappedAsyncResult#29753716
System.Net.Sockets Verbose: 0 : [23872] 00000000 : 16 03 03 06 2E 0B 00 04-9C 00 04 99 00 04 96 30 : ...............0
System.Net.Sockets Verbose: 0 : [23872] 00000010 : 82 04 92 30 82 02 7A A0-03 02 01 02 02 08 1B 46 : ...0..z........F
System.Net.Sockets Verbose: 0 : [23872] 00000020 : F2 54 AE 99 F3 1C 30 0D-06 09 2A 86 48 86 F7 0D : .T....0...*.H...
System.Net.Sockets Verbose: 0 : [23872] 00000030 : 01 01 0B 05 00 30 73 31-0B 30 09 06 03 55 04 06 : .....0s1.0...U..
System.Net.Sockets Verbose: 0 : [23872] 00000040 : 13 02 53 45 31 1D 30 1B-06 03 55 04 0A 0C 14 54 : ..SE1.0...U....T
System.Net.Sockets Verbose: 0 : [23872] 00000050 : 65 73 74 62 61 6E 6B 20-32 20 41 42 20 28 70 75 : estbank 2 AB (pu
System.Net.Sockets Verbose: 0 : [23872] 00000060 : 62 6C 29 31 11 30 0F 06-03 55 04 05 13 08 54 45 : bl)1.0...U....TE
System.Net.Sockets Verbose: 0 : [23872] 00000070 : 53 54 53 45 54 32 31 32-30 30 06 03 55 04 03 0C : STSET21200..U...
System.Net.Sockets Verbose: 0 : [23872] 00000080 : 29 54 65 73 74 62 61 6E-6B 20 32 20 43 75 73 74 : )Testbank 2 Cust
System.Net.Sockets Verbose: 0 : [23872] 00000090 : 6F 6D 65 72 20 43 41 31-20 76 31 20 66 6F 72 20 : omer CA1 v1 for
System.Net.Sockets Verbose: 0 : [23872] 000000A0 : 53 77 69 73 68 20 54 65-73 74 30 1E 17 0D 31 35 : Swish Test0...15
System.Net.Sockets Verbose: 0 : [23872] 000000B0 : 31 30 32 36 32 33 30 30-30 30 5A 17 0D 31 37 31 : 1026230000Z..171
System.Net.Sockets Verbose: 0 : [23872] 000000C0 : 30 32 36 32 31 35 39 35-39 5A 30 37 31 0B 30 09 : 026215959Z071.0.
System.Net.Sockets Verbose: 0 : [23872] 000000D0 : 06 03 55 04 06 13 02 53-45 31 13 30 11 06 03 55 : ..U....SE1.0...U
System.Net.Sockets Verbose: 0 : [23872] 000000E0 : 04 0A 0C 0A 35 35 36 39-31 33 37 33 38 32 31 13 : ....55691373821.
System.Net.Sockets Verbose: 0 : [23872] 000000F0 : 30 11 06 03 55 04 03 0C-0A 31 32 33 31 31 38 31 : 0...U....1231181
System.Net.Sockets Verbose: 0 : [23872] 00000100 : 31 38 39 30 82 01 22 30-0D 06 09 2A 86 48 86 F7 : 1890.."0...*.H..
System.Net.Sockets Verbose: 0 : [23872] 00000110 : 0D 01 01 01 05 00 03 82-01 0F 00 30 82 01 0A 02 : ...........0....
System.Net.Sockets Verbose: 0 : [23872] 00000120 : 82 01 01 00 BC CF F1 F1-62 AB 84 50 EC 91 13 A9 : ........b..P....
System.Net.Sockets Verbose: 0 : [23872] 00000130 : 6B FE 20 78 32 01 54 E9-84 8F FD 4C 77 61 EB B5 : k. x2.T....Lwa..
System.Net.Sockets Verbose: 0 : [23872] 00000140 : 1F 86 66 E8 C9 17 35 37-DB F3 7B 07 72 AA 80 D5 : ..f...57..{.r...
System.Net.Sockets Verbose: 0 : [23872] 00000150 : 79 C5 AB AD C7 92 E0 55-4C 03 3C ED D7 49 4E D6 : y......UL.Mj.0{N.....
System.Net.Sockets Verbose: 0 : [23872] 00000220 : 9E 39 36 3F 02 03 01 00-01 A3 66 30 64 30 12 06 : .96?......f0d0..
System.Net.Sockets Verbose: 0 : [23872] 00000230 : 03 55 1D 20 04 0B 30 09-30 07 06 05 2A 03 04 05 : .U. ..0.0...*...
System.Net.Sockets Verbose: 0 : [23872] 00000240 : 01 30 0E 06 03 55 1D 0F-01 01 FF 04 04 03 02 07 : .0...U..........
System.Net.Sockets Verbose: 0 : [23872] 00000250 : 80 30 1D 06 03 55 1D 0E-04 16 04 14 60 78 11 F2 : .0...U......`x..
System.Net.Sockets Verbose: 0 : [23872] 00000260 : 80 61 20 15 74 29 36 9E-F8 96 1E 7D 33 6C 7F F8 : .a .t)6....}3l..
System.Net.Sockets Verbose: 0 : [23872] 00000270 : 30 1F 06 03 55 1D 23 04-18 30 16 80 14 26 CD F1 : 0...U.#..0...&..
System.Net.Sockets Verbose: 0 : [23872] 00000280 : 34 AD 9D 0F 17 DC 90 6D-AE B2 BB DF BE A0 0C F5 : 4......m........
System.Net.Sockets Verbose: 0 : [23872] 00000290 : 40 30 0D 06 09 2A 86 48-86 F7 0D 01 01 0B 05 00 : @0...*.H........
System.Net.Sockets Verbose: 0 : [23872] 000002A0 : 03 82 02 01 00 16 18 A4-67 4E 78 3C B7 1F 91 F5 : ........gNx|....
System.Net.Sockets Verbose: 0 : [23872] 000002D0 : F1 DD 3E DE 05 F1 7A FC-5A D1 E4 78 33 80 8C 84 : ..>...z.Z..x3...
System.Net.Sockets Verbose: 0 : [23872] 000002E0 : EF 68 FD 90 13 E7 77 35-B9 8E B4 3C 0F 2C DE 55 : .h....w5...uM..V..F...
System.Net.Sockets Verbose: 0 : [23872] 00000370 : DE DB 8D 63 2A 46 C2 3E-31 1E 01 DA B1 57 EE FD : ...c*F.>1....W..
System.Net.Sockets Verbose: 0 : [23872] 00000380 : A6 0C A1 09 8F 03 41 2D-4D 77 19 A9 61 22 50 01 : ......A-Mw..a"P.
System.Net.Sockets Verbose: 0 : [23872] 00000390 : F9 72 46 A7 42 20 03 16-91 F4 37 00 78 73 5D 8E : .rF.B ....7.xs].
System.Net.Sockets Verbose: 0 : [23872] 000003A0 : 05 21 01 FB C7 5D D4 AD-39 41 F4 3C 07 BC 9C 03 : .!...]..9A. Int32#1638
System.Net.Sockets Verbose: 0 : [23872] Socket#66404974::BeginReceive()
System.Net.Sockets Verbose: 0 : [12712] Data from Socket#66404974::PostCompletion
System.Net.Sockets Verbose: 0 : [12712] 00000000 : 15 03 03 00 02 : .....
System.Net.Sockets Verbose: 0 : [12712] Socket#66404974::EndReceive(OverlappedAsyncResult#64760428)
System.Net.Sockets Verbose: 0 : [12712] Exiting Socket#66404974::EndReceive() -> Int32#5
System.Net.Sockets Verbose: 0 : [23872] Exiting Socket#66404974::BeginReceive() -> OverlappedAsyncResult#64760428
System.Net.Sockets Verbose: 0 : [23872] Socket#66404974::BeginReceive()
System.Net.Sockets Verbose: 0 : [12712] Data from Socket#66404974::PostCompletion
System.Net.Sockets Verbose: 0 : [12712] 00000000 : 02 28 : .(
System.Net.Sockets Verbose: 0 : [12712] Socket#66404974::EndReceive(OverlappedAsyncResult#27335310)
System.Net.Sockets Verbose: 0 : [12712] Exiting Socket#66404974::EndReceive() -> Int32#2
System.Net.Sockets Verbose: 0 : [23872] Exiting Socket#66404974::BeginReceive() -> OverlappedAsyncResult#27335310
System.Net Information: 0 : [23872] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 6801dc65d0:db724b14d0, targetName = mss.swicpc.bankgirot.se, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [23872] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
System.Net.Sockets Verbose: 0 : [23872] Socket#66404974::Dispose()
System.Net Error: 0 : [23872] Exception in HttpWebRequest#15120020:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Verbose: 0 : [23872] HttpWebRequest#15120020::EndGetRequestStream()
System.Net Error: 0 : [23872] Exception in HttpWebRequest#15120020::EndGetRequestStream - The request was aborted: Could not create SSL/TLS secure channel..`
1 answers
solution1
0 2017-05-11 11:36:00
The ServerCertificateCustomValidationCallback is never called and I guess that Azure don´t allow this callback. The root certificate must be trusted.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
How to fix RevocationStatusUnknown in asp.net core 3.1 with self-signed client certificate
OnCertificateValidated not running - Self-Signed Certificate Client Authentication - ASP.NET Core and Kestrel
Cannot authenticate a call to ASP.NET MVC3 service with a self-signed client certificate
Self-signed certificate security for private server/client
Self Hosted Asp Net Core Web server, client authentication with self-signed certificates
ASP.NET Core Self Signed Certificate in Firefox not working
Creating certificate issued based on self-signed root certificate with BouncyCastle
How to create a valid, self-signed X509Certificate2 programmatically, not loading from file in .NET Core
Add self-signed ssl certificate to gcp containerized .net core web vm instance
Client certificate - shall I use self-signed or CA issued?
Related Tags