Bad description of breaking TLS changes
This page doesn't mention that HttpClient and OUTBOUND connections are affected too - it gives the impression that it's just Kestrel when it talks about external ssl tools.
"either specify a CipherSuitePolicy value" -> There is no documentation ANYWHERE about how to do this and it does not seem possible to do it easily per HttpClient request/instance which is a huge mess in an API scenario where we need to connect to many different customer-supplied endpoints. After upgrading to net6 many of our customers broke because HttpClient on Linux now supports different ciphers than before. Also it is NOT correct that it uses the system ones, because the openssl CLI from the same system successfully connects to these sites with TLS 1.2, whereas HttpClient throws an exception that talks about ssl3 not working.
Also, what an ultra bad decision to make HttpClient behave differently on different systems - now the exact same code works on Windows 10, but breaks on production Linux servers!!!!!!!
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: e68c35c6-eb84-64cb-7d8a-563fc78408fa
- Version Independent ID: 7085f54b-ef50-51cd-f074-45fa6af43e02
- Content: Breaking change: Default TLS cipher suites for .NET on Linux - .NET
- Content Source: docs/core/compatibility/cryptography/5.0/default-cipher-suites-for-tls-on-linux.md
- Product: dotnet-fundamentals
- GitHub Login: @gewarren
- Microsoft Alias: gewarren
Hi @karlra We are facing the same issue. Were you able to resolve it?
Thanks
@MaorDavidzon We had to change openssl.cnf, there was no way around it.
Thanks @karlra, it works :)
I wonder if there is an applicative way to do it, so I won't need to change the OpenSSL conf
There isn't, which is really bad :(
@bartonjs Can you clarify how users can specify a CipherSuitePolicy value as a workaround, and also whether outbound connections should be explicitly mentioned?
The documentation does mention that it applies to HttpClient, which is only relevant to outbound operations. ("... or higher-level operations, such as HTTPS via the HttpClient class.")
The type name apparently has a typo in it, since it is referring to https://learn.microsoft.com/dotnet/api/system.net.security.ciphersuitespolicy, but more specifically to the https://learn.microsoft.com/dotnet/api/system.net.security.sslserverauthenticationoptions.ciphersuitespolicy or https://learn.microsoft.com/dotnet/api/system.net.security.sslclientauthenticationoptions.ciphersuitespolicy properties.
```csharp
SslClientAuthenticationOptions clientOptions = new SslClientAuthenticationOptions
{
    ...
    // Allow-list of cipher suites the client will offer in the handshake.
    CipherSuitesPolicy = new CipherSuitesPolicy(
        new[]
        {
            TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
            TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        }),
};

using (SslStream sslStream = new SslStream(networkStream))
{
    sslStream.AuthenticateAsClient(clientOptions);
    ...
}
```
Or, for HttpClient:
```csharp
SocketsHttpHandler handler = new SocketsHttpHandler
{
    SslOptions =
    {
        CipherSuitesPolicy = new CipherSuitesPolicy(
            new[]
            {
                TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
            }),
    },
};

using (HttpClient httpClient = new HttpClient(handler))
{
    ...
}
```
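As an added example (not code from this thread or from the .NET docs), the following ties the snippet above to the scenario in the opening post: one HttpClient per customer endpoint, each with its own cipher-suite allow-list, so that any exception for a particular endpoint is a reviewable per-endpoint decision rather than a global change to openssl.cnf. The suite list and the `PerEndpointTlsClients` name are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;

// Added example. CipherSuitesPolicy lives on SslClientAuthenticationOptions, i.e. on the
// handler, so it cannot vary per HttpRequestMessage; vary it per HttpClient instead and
// keep one handler (one connection pool) per endpoint/policy pair.
public static class PerEndpointTlsClients
{
    // Constructed allow-list: AEAD, forward-secret suites only. Anything a specific
    // customer endpoint needs beyond this is added to that endpoint's list, not here.
    public static readonly TlsCipherSuite[] StrictSuites =
    {
        TlsCipherSuite.TLS_AES_256_GCM_SHA384,                  // TLS 1.3
        TlsCipherSuite.TLS_AES_128_GCM_SHA256,                  // TLS 1.3
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, // TLS 1.2
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   // TLS 1.2
    };

    public static HttpClient Create(Uri baseAddress, IEnumerable<TlsCipherSuite> allowedSuites)
    {
        var handler = new SocketsHttpHandler
        {
            // Recycle pooled connections so DNS/policy changes are picked up.
            PooledConnectionLifetime = TimeSpan.FromMinutes(5),
        };

        // The CipherSuitesPolicy constructor throws PlatformNotSupportedException on
        // Windows (Schannel applies the system policy there), which is why the same code
        // behaves differently on Windows 10 and on Linux, as the opening post observed.
        if (!OperatingSystem.IsWindows())
        {
            handler.SslOptions.CipherSuitesPolicy = new CipherSuitesPolicy(allowedSuites);
        }

        return new HttpClient(handler) { BaseAddress = baseAddress };
    }
}
```

Cache and reuse the returned client per endpoint; creating a new SocketsHttpHandler per request discards its connection pool and forces a fresh TLS handshake every time.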