0

My C# application cannot connect to a url in our company network due to SSL certificate over-write. How can fix it?

I've one web application running on two separate servers and each bound to different subdomain. Something like;

  • Application: WebApp , Server: 1.2.3.4 , Hostname: a.myapp.com
  • Application: WebApp , Server: 5.6.7.8 , Hostname: b.myapp.com

Normally, my local C# app can interact with both of the servers via subdmoain without any issues. However, when the PC is connected to company network ,the local C# app can connect to the web app bound to subdomain a.myapp.com while it cannot connect to the web app running on b.myapp.com(receiving timeout error). I assume it is because company over writes existing SSL certificate and injects its own SSL certificate.

Note that , I can connect via browsers(chrome and IE) without any issue.

So far I've tried;

ServicePointManager
    .ServerCertificateValidationCallback += 
    (sender, cert, chain, sslPolicyErrors) => true;

and

 var handler = new HttpClientHandler()
            {
                ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; }
            };
var client = new HttpClient(handler);

did not work.

The question is , how come browsers can connect without any issues but System.Net.Http.HttpClient receives timeout ? Is there any way to mimic browser certificate flow in HttpClient?

naltun
  • 114
  • 1
  • 2
  • 12
  • 1
    What is "SSL certificate over-write"? – ProgrammingLlama Sep 13 '19 at 00:44
  • @John It is when the company over writes existing SSL Certificate of the web-sites. Normally , web-site SSL certificate is issued by LetsEncrypt. However, when i am connected to company internet and when i go to the web-site and check certificate i see "CompanyCA" as certificate Issuer. Which means, company uses its own certificate , since the certificate issuer has changed. I thought SSL certificate over-write is the right term for it. – naltun Sep 13 '19 at 00:50
  • 1
    Oh, so the company has installed their own certificate on all machines, and has a proxy server which strips the existing SSL and substitutes their own certificate? – ProgrammingLlama Sep 13 '19 at 00:52
  • @John It is installed when the device is connected to the network. And yes, company substitutes their own certificate. – naltun Sep 13 '19 at 01:02
  • 2
    if its due to ssl, it wont give **timeout error** as the cause for it cant communicate. thats why your attempt to disable ssl checking doesnt work - because its not the issue. i suspect that the website had something in front (firewall i presume) that considers your request as malicious and drops the connection immediately, do double check how long your application waits before it throws the error. should it erred immediately after beginning request, then it may serve as lead to my theory. do try to mimic your app request using `postman` or better `curl`. – Bagus Tesa Sep 13 '19 at 01:19
  • @BagusTesa when i try to send a GET request with curl , i receive "curl: (60) SSL certificate problem: unable to get local issuer certificate" error. If i try again by adding -k flag such as 'curl -k "https://b.myapp.com"' , server sends a success response. – naltun Sep 13 '19 at 08:55
  • try to skip the verification, see this [answer](https://stackoverflow.com/a/8520236/4648586), adding `--insecure` will ask curl to skip certificate verification. if it still give you timeout then something is blocking your request. the *SSL certificate problem: unable to get local issuer certificate* seems to due to curl unable to verify the certificate as its issuer, can be due to incorrect installation of curl (usually on windows i'd throw GitBash for windows and set the ssl verification to use windows provider). – Bagus Tesa Sep 13 '19 at 10:41
  • @BagusTesa I don't receive "SSL certificate problem: unable to get local issuer certificate" error when the PC is connected to any other network. Another thing i've noticed is that ServicePointManager.ServerCertificateValidationCallback is not called at all. I guess the problem is SSL handshake. I've used RestSharp client and the result was the same. So far I've tried browsers, soapui , postman and all worked. The only explanation i've come up with is that, the issue is related to default SSL handshake mechanism implemeted in .NET. I will dig further. – naltun Sep 13 '19 at 11:08
  • hmm, could you scan the domain for TLS implementations? i remember .NET 4.0 and 4.5 didnt have TLS 1.2 enabled out of the box and you need to enable it manually. if you could run [`nmap`](https://security.stackexchange.com/questions/184774/how-to-control-the-ciphersuites-in-nmap-ssl-enum-ciphers) (or any other way) to see the enabled protocols and ciphersuites, that may give some clue. – Bagus Tesa Sep 14 '19 at 00:35
  • @BagusTesa well, you were right with your first guess. After wasting hours with Wireshark package analysis, i found out that firewall dropping SSL handshake packages of the .net client application. When i compared packages of the client and browsers, i found out that browsers were sending different cipher suites to the server. When i over ride cipher suites in the C# client app, it worked. – naltun Sep 14 '19 at 10:20
  • glad you worked it out XD i never thought `HttpClient` will throw time out on failing ssl handshakes. i remember it throws different error. – Bagus Tesa Sep 14 '19 at 11:38

1 Answers1

0

The problem was the company firewall. Apparently, the firewall was dropping packages during SSL handshake between .net client app and the server.It is because .net client is using SChannel cipher suites by default and on the firewall there must be a rule for those cipher suites.The only way to customize .net SSL cipher suites is using Bouncy castle. After manually setting SSL cipher suites it worked.

Used this stackoverflow question as reference

naltun
  • 114
  • 1
  • 2
  • 12