C# .NET Core websocket ssl issue - dh key too small

Question

I'm having an issue with a C# websocket client app on Centos 7 with openssl 1.0.2. We have an app that on our windows machines connects to the (third party) websocket server without problem. When we try to connect to the third party's production environment from our linux machines, it fails (though we can connect to their UAT ws server fine). The error relates to 'dh key too small'.

Afaik, the root cause of the issue is likely that the third party production server is running an outdated openssl version. I do not have control of this and cannot force them to upgrade.

I can successfully connect to the third party production service using a python test app if I (in my python code) alter the ssl cipher string (eg ssl._DEFAULT_CIPHERS += 'ALL::EXPORT::LOW::aNULL..eNULL.!SSLv2:!DH'). The '!DH' part seems to be one way of getting around this issue. I should also note - this is all in private networks (no public internet exposure).

How can we update the ciphers in a similar manner, or achieve the same effect, for our .NET Core app in a linux environment. Is there a change we need to make to openssl? Is there a way to do this in our C# code. Any advice would be greatly appreciated!

Thanks

Answer 1

Thanks to the answer received on Ask Ubuntu I managed to fix the issue by:

• copying openssl.cnf file

• Adding openssl_conf = default_conf at the top of the copied file

• Adding at the end:

[ default_conf ]

    ssl_conf = ssl_sect

    [ssl_sect]

    system_default = ssl_default_sect

    [ssl_default_sect]
    MinProtocol = TLSv1.2
    CipherString = DEFAULT:@SECLEVEL=1

• Running the project with OPENSSL_CONF environmental variable set to path to the altered config file