
I'm running a self-contained dotnet app on a Windows 2019 server to execute a simple HttpClient GET on a remote machine using mTLS with a client certificate.

I am loading the client certificate in the application by passing a p12 keystore file path, which has the certificate key pair and chain.

Executing this GET in PowerShell with Invoke-RestMethod on the Windows 2019 server works, which means the certificate loads properly and the server certificate is validated by accessing the certificate store.

Also, running the application locally works, so that means that both client and server certificates and chains are valid and my dotnet framework can access the local Windows store.

Here is the simple call that is causing the issue:

    using System;
    using System.Net.Http;
    using System.Security.Cryptography.X509Certificates;

    // Load the client certificate (with private key and chain) from the p12 keystore
    var certificate = new X509Certificate2(filePath, password);

    Console.WriteLine($"Certificate found in keystore: {certificate.FriendlyName}. {certificate.Thumbprint}. {certificate.Subject}.");

    // Attach the client certificate to the handler before the first request is sent
    var handler = new HttpClientHandler();
    var httpClient = new HttpClient(handler);
    handler.ClientCertificates.Add(certificate);

    var result = httpClient.GetAsync("https://urltoserverwithvalidmTLS").GetAwaiter().GetResult();

The exception I get is:

    Exception: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception
     ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
     ---> System.ComponentModel.Win32Exception (0x80090304): The Local Security Authority cannot be contacted
       --- End of inner exception stack trace ---
       at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)

App is published with:

--configuration Release -r win-x64 --self-contained true

and the csproj targets the netcoreapp3.1 framework.

At this point I have no clue why this is not working. Any help would be appreciated.

    Try migrating to .net 6, perhaps that fixes security policy issues – AZ Software Jun 14 '22 at 16:39
  • Doesn't work unfortunately. I've even tried to run it as framework-dependent using .NET 6 but I get the same error. It seems unbelievable that a .NET 6 application cannot run on a Windows server. The same code works using the installed .NET 4 framework. – Rui Vaz Jun 21 '22 at 12:34

1 Answer

This was related to a combination of two issues related to SSL protocols. The .NET HttpClient defaults to an invalid TLS protocol on Windows 2019. Setting the SslProtocols to Tls12 resolved this.

The other issue is that Windows 2019 does not work with ephemeral keys when creating TLS connections.

Setting the connection flag to X509KeyStorageFlags.PersistKeySet resolved this. Here is a sample HttpClient that works on Windows 2019 with .NET 6:

    using System.Net.Http;
    using System.Security.Authentication;
    using System.Security.Cryptography.X509Certificates;

    // PersistKeySet stores the private key in a Windows key container instead of an ephemeral one
    var certificate = new X509Certificate2(filePath, password, X509KeyStorageFlags.PersistKeySet);
    var handler = new HttpClientHandler();
    handler.SslProtocols = SslProtocols.Tls12;   // pin the protocol to TLS 1.2 explicitly
    handler.ClientCertificates.Add(certificate);

    var httpClient = new HttpClient(handler);
    var result = await httpClient.GetAsync("https://pathToYourSecureUrl");   // await requires an async method
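As an added example (not the asker's or the answerer's code), here is a small C# console helper that applies both fixes from the answer and adds the checks a practitioner would want before the handshake: that the loaded PFX actually carries a private key, and that server certificate validation stays enabled with the failure reason logged rather than bypassed. The `MTLS_PFX_PASSWORD` environment variable name, the keystore path and the URL are assumed placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class MtlsClient
{
    // Load the PKCS#12 keystore and fail fast if it carries no usable private key.
    // PersistKeySet stores the key in a Windows key container so SChannel can reach
    // it during the handshake; an ephemeral in-memory key is what Windows 2019
    // rejects with "The Local Security Authority cannot be contacted".
    public static X509Certificate2 LoadClientCertificate(string pfxPath, string password)
    {
        var cert = new X509Certificate2(pfxPath, password, X509KeyStorageFlags.PersistKeySet);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException($"No private key in {pfxPath} for {cert.Subject}");
        return cert;
    }

    // Build the client with TLS 1.2 pinned explicitly and the client certificate attached.
    public static HttpClient Create(X509Certificate2 clientCert)
    {
        var handler = new HttpClientHandler
        {
            SslProtocols = SslProtocols.Tls12,
            ClientCertificateOptions = ClientCertificateOption.Manual,
        };
        handler.ClientCertificates.Add(clientCert);
        // Keep the default chain validation (never return true unconditionally); only log the reason.
        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            if (errors != SslPolicyErrors.None)
                Console.Error.WriteLine($"Server certificate rejected: {errors} ({cert?.Subject})");
            return errors == SslPolicyErrors.None;
        };
        return new HttpClient(handler);
    }

    // Usage: MtlsClient <path-to-p12> <url>; the password is read from MTLS_PFX_PASSWORD
    // (assumed name) rather than argv, so it does not show up in process listings.
    static async Task<int> Main(string[] args)
    {
        var password = Environment.GetEnvironmentVariable("MTLS_PFX_PASSWORD")
            ?? throw new InvalidOperationException("MTLS_PFX_PASSWORD is not set");
        using var client = Create(LoadClientCertificate(args[0], password));
        using var response = await client.GetAsync(args[1]);
        Console.WriteLine($"{(int)response.StatusCode} {response.ReasonPhrase}");
        return response.IsSuccessStatusCode ? 0 : 1;
    }
}
```

Note that PersistKeySet leaves the private key in the user's key container on disk after the process exits, so on shared hosts prefer running the app under a dedicated service account and remove the key when it is no longer needed.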