Debugging SSL connection termination issue

Question

I've a ASP.NET core web application that uses built in kestrel server and configurations to setup a https connection. Here's how the configutarion (settings.json) looks like

{
  "Kestrel": {
    "Endpoints": {
      "Https": {
        "Url": "https://localhost:5001"
        }
      },
    "Certificates": {
      "Default": {
          "Subject": "localhost", //default cert generated by visual studio 
          "Store": "My",
          "Location": "LocalMachine",
          "AllowInvalid": "true"
                }
                  }
              }
}

The server expectes a client certificate

.ConfigureKestrel(options =>
                {
    options.ConfigureHttpsDefaults(o =>
    {
        // certificate is an X509Certificate2
        o.ServerCertificate = cert;
        o.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
    });
 
}).UseUrls($"https://*:{int.Parse(Configuration["Port"])}")

This is the error trace

    Unable to retrieve products from https://localhost:5001/api/Products. Exception: 
The SSL connection could not be established, see inner exception.
System.IO.IOException:  Received an unexpected EOF or 0 bytes from the transport stream.

I'm pretty sure the configuration looks fine and it might be an external thing that is terminating the SSL connection like windows defender firewall because it works in a different system. Can I get some suggestions to identify the factor that might close the connection before SSL connection is established?

@GuruStron then it won't start the server, right? it will say it can't find the cert? — SQLProfiler, Aug 01 '23 at 20:32
Why is mtls tagged on your post? There is nothing in your post related to mTLS. — John Hanley, Aug 02 '23 at 00:38
@JohnHanley The server expects a client certificate for mutual authentication. — SQLProfiler, Aug 04 '23 at 05:18
You did not show mTLS usage or explanation when you posted the question. — John Hanley, Aug 04 '23 at 07:22
@JohnHanley I suspected that the mTLS might have a role but since there was no strong evidince I didn't highligh it. The code expects mTLS and I've modified the post to include that as well. — SQLProfiler, Aug 04 '23 at 10:28
For HTTP mTLS problems, I use the CLI `curl` which supports client certificates. Use debug mode to see the TLS layer exchanges. Another excellent tool for debugging mTLS is WireShark. — John Hanley, Aug 04 '23 at 14:54

Qiang Fu · Answer 1 · 2023-08-02T10:08:58.033

Kestrel uses TLS version 1.1 or 1.2 by default. You could try to enable higher version by configure the program.cs

var builder = WebApplication.CreateBuilder();
builder.WebHost.ConfigureKestrel((context, serverOptions) =>
{
    serverOptions.ConfigureHttpsDefaults(listenOptions =>
    {
        listenOptions.OnAuthenticate = (context, sslOptions) =>
        {
            sslOptions.EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls13;
        };
    });
});

Reference :https://learn.microsoft.com/en-us/dotnet/core/compatibility/aspnet-core/5.0/kestrel-default-supported-tls-protocol-versions-changed#recommended-action

Debugging SSL connection termination issue

1 Answers1