We Keep Coding

The remote certificate is invalid according to the validation procedure - NET Core WebAPI

I'm struggling when putting together two ASP.Net Core application talk to each other using HTTPS.
Before setting up the web api, I first generated the HTTPS correspondent certificates through a development private PKI. This is the code to build the client and server certificates. I believe that the PKI part of the code is not relevant for now.
#!/usr/bin/env bash
printf "SET ENVIRONMENT\n\n"
export ca_dir=$HOME/CA
root_ca_config_path=$ca_dir/root-ca/root-ca.conf
sub_ca_config_path=$ca_dir/sub-ca/sub-ca.conf
server_config_path=$ca_dir/server/server_config.conf
client_config_path=$ca_dir/client/client_config.conf
pass=$ca_dir/pass/pass.aes256
printf "CREATED CLIENT FOLDER\n\n"
mkdir -p $ca_dir/client/{certs,private,csr}
printf "CREATED SERIAL\n\n"
openssl rand -hex 16 > $ca_dir/ca-chain/ca-chain.srl
cat << EOF > $server_config_path
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth
subjectAltName = #alt_names
[ alt_names ]
# Be sure to include the domain name here because Common Name is not so commonly honoured by itself
DNS.1 = localhost
IP.1 = 127.0.0.1
[ req ]
# Options for the req tool, man req.
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
[ req_distinguished_name ]
countryName = BR
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organization Unit Name
commonName = Common Name
emailAddress = Email Address
countryName_default = BR
stateOrProvinceName_default = Brazil
0.organizationName_default = ElectricStone Ltd
organizationalUnitName_default = FakeProvider
commonName_default = localhost
EOF
cat << EOF > $client_config_path
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth
subjectAltName = #alt_names
[ req ]
# Options for the req tool, man req.
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
[ req_distinguished_name ]
countryName = BR
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organization Unit Name
commonName = Common Name
emailAddress = Email Address
countryName_default = BR
stateOrProvinceName_default = Brazil
0.organizationName_default = ElectricStone Ltd
organizationalUnitName_default = eCommerce
commonName_default = localhost
[ alt_names ]
# Be sure to include the domain name here because Common Name is not so commonly honoured by itself
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
printf "CREATING SERVER PRIVATE KEY...\n\n"
openssl genrsa -out $ca_dir/server/private/netwebapp.key 2048
printf "CREATING CLIENT PRIVATE KEY...\n\n"
openssl genrsa -out $ca_dir/client/private/netwebappclient.key 2048
printf "CREATING A SERVER SIGNING REQUEST...\n\n"
openssl req -config $server_config_path -passin file:$pass -key $ca_dir/server/private/netwebapp.key \
-new -sha256 -out $ca_dir/server/csr/netwebapp.csr
printf "CREATING A CLIENT SIGNING REQUEST...\n\n"
openssl req -config $client_config_path -passin file:$pass -key $ca_dir/client/private/netwebappclient.key \
-new -sha256 -out $ca_dir/client/csr/netwebappclient.csr
printf "CREATING THE SERVER CERTIFICATE...\n\n"
openssl x509 -req -in $ca_dir/server/csr/netwebapp.csr -passin file:$pass \
-CA $ca_dir/ca-chain/ca-chain.crt \
-CAkey $ca_dir/sub-ca/private/sub-ca.key \
-CAserial $ca_dir/ca-chain/ca-chain.srl \
-out $ca_dir/server/certs/netwebapp.crt -days 365 -sha256 -extfile $server_config_path
printf "CREATING THE CLIENT CERTFICATE...\n\n"
openssl x509 -req -in $ca_dir/client/csr/netwebappclient.csr -passin file:$pass \
-CA $ca_dir/ca-chain/ca-chain.crt \
-CAkey $ca_dir/sub-ca/private/sub-ca.key \
-CAserial $ca_dir/ca-chain/ca-chain.srl \
-out $ca_dir/client/certs/netwebappclient.crt -days 365 -sha256 -extfile $client_config_path
After I had generate the certificates I was able to test their effectiveness through respectively openssl commands:
# Testing the server certificate
sudo openssl s_server -accept 443 -www -key $ca_dir/server/private/netwebapp.key \
-CAfile $ca_dir/sub-ca/certs/sub-ca.crt \
-cert $ca_dir/server/certs/netwebapp.crt
# Testing the client certificate
openssl s_client -connect localhost:443 -servername localhost \
-cert /home/dggt/CA/client/certs/netwebappclient.crt \
-key /home/dggt/CA/client/private/netwebappclient.key \
-CAfile /home/dggt/CA/root-ca/certs/ca.crt \
-showcerts
Those test command produced this output at client side:
CONNECTED(00000006)
depth=2 C = BR, ST = Brazil, O = ElectricStone Ltd, CN = ElectricStone Root CA
verify return:1
depth=1 C = BR, ST = Brazil, O = ElectricStone Ltd, CN = ElectricStone SUB CA
verify return:1
depth=0 C = BR, ST = Brazil, O = ElectricStone Ltd, OU = FakeProvider, CN = localhost
verify return:1
---
Certificate chain
0 s:C = BR, ST = Brazil, O = ElectricStone Ltd, OU = FakeProvider, CN = localhost
i:C = BR, ST = Brazil, O = ElectricStone Ltd, CN = ElectricStone SUB CA
-----BEGIN CERTIFICATE-----
################################## Output suppressed ##################################
-----END CERTIFICATE-----
1 s:C = BR, ST = Brazil, O = ElectricStone Ltd, CN = ElectricStone SUB CA
i:C = BR, ST = Brazil, O = ElectricStone Ltd, CN = ElectricStone Root CA
-----BEGIN CERTIFICATE-----
################################## Output suppressed ##################################
-----END CERTIFICATE-----
---
Server certificate
subject=C = BR, ST = Brazil, O = ElectricStone Ltd, OU = FakeProvider, CN = localhost
issuer=C = BR, ST = Brazil, O = ElectricStone Ltd, CN = ElectricStone SUB CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3378 bytes and written 381 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 5D3176780DE3404A9E246E026D875B0B81A3EFE9EB7B2F17D24E3565DB42E1AE
Session-ID-ctx:
Resumption PSK: E9D6B7E66063C4969C203A153A3E60E1131095E2AE1569AE04673BA9F1FA90974ACE42D5B902ABE8A5760218AD2959FF
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
################################## Output suppressed ##################################
Start Time: 1605522448
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 5B8E394EBEBEBC7FD2617EA0695CD9C2E0B8F4ED733F628CA28A5190AB4D27BA
Session-ID-ctx:
Resumption PSK: F536C3428049C2DD6F9496D14E516B30611D2D7056AE6B87445F6328B4B1577093FDA3D4A6AC9D00F30F7725B6925A9E
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
################################## Output suppressed ##################################
Start Time: 1605522448
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
DONE
So far so good. However at ASP.NET Core side the thing get complicated.
Afterwards some research, at one of my API, I configured the built-in Kestrel web server to work with HTTPS by the following code:
Program.cs
using System;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.AspNetCore.Server.Kestrel.Https;
using Microsoft.Extensions.Hosting;
namespace BogusProvider
{
public class Program
{
public static void Main(string[] args)
{
CreateHostBuilder(args).Build().Run();
}
public static IHostBuilder CreateHostBuilder(string[] args) =>
Host.CreateDefaultBuilder(args)
.ConfigureWebHostDefaults(webBuilder =>
{
webBuilder.ConfigureKestrel((context, options) =>
{
var certificateConfig = context.Configuration.GetSection("Certificate");
var certFileName = certificateConfig["FileName"];
if (!string.IsNullOrEmpty(Environment.GetEnvironmentVariable("DOTNET_RUNNING_IN_CONTAINER")))
{
// Insert a Docker entry coming from user-secrets when development in container
certFileName = certificateConfig["Docker"];
}
var certPassword = certificateConfig["Password"];
// Configure the Url and ports to bind to
// This overrides calls to UseUrls and the ASPNETCORE_URLS environment variable, but will be
// overridden if you call UseIisIntegration() and host behind IIS/IIS Express
// When development in container, use ListenAnyIP method
options.ConfigureHttpsDefaults(adapterOptions =>
{
adapterOptions.CheckCertificateRevocation = false;
adapterOptions.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
});
options.ListenAnyIP(5002, listenOptions =>
{
listenOptions.Protocols = HttpProtocols.Http2;
listenOptions.UseHttps(certFileName, certPassword);
listenOptions.UseConnectionLogging("FakerHttpsConnection");
});
}).UseStartup<Startup>();
});
}
}
I also installed the Microsoft.AspNetCore.Authentication.Certificate package in order to setup the certificate authentication in the ASP.NET Core machinery.
This is a snippet of code at Startup.cs:
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
.AddCertificate();
// Others services suppressed
}
With all this code running, I get 'connection refused' when either requesting through the browser (after I have installed the client certificate alongside its private key password and the Sub CA by browser settings) or the other Web API when requesting through HttpClient.
This is my HttpClient code:
var handler = new HttpClientHandler();
handler.ClientCertificates.Add(new X509Certificate2("/home/dggt/CA/client/certs/netwebappclient.pfx",
"pa$$worD_1"));
return new HttpClient(handler) {BaseAddress = new Uri("https://localhost:5002/fake/")};
This the gist of the error message at console:
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
System Specs:
OS: Ubuntu 20.04
Net Info:
SDK: 3.1.404
Runtime: Microsoft.AspNetCore.App 3.1.10
Any idea of what I might be doing wrong? Any help is welcome!

RabbitMQ Web-MQTT WSS closes client connection. Insecure WS and other secure protocols work

I have a deployment of RabbitMQ that uses it's own certificates for end-to-end encryption. It uses both AMQP and MQTT-over-WSS to connect multiple types of clients. AMQP clients are able to connect securely, so I know that the certificate set up is good.
Clients using WS going to ws://hostname:15675/ws can connect fine, but obviously are not secure. Clients attempting to connect to wss://hostname:15676/ws have the connection closed on them. 15676 is the port you will see I have bound the web-mqtt ssl listener to, as shown below. I've gone through both the networking and tls help guide by RabbitMQ, and I see the port correctly bound and can confirm it is exposed and available to the client.
The relevant rabbit.conf:
listeners.tcp.default = 5671
listeners.ssl.default = 5671
ssl_options.cacertfile = /path/to/fullchain.pem
ssl_options.certfile = /path/to/cert.pem
ssl_options.keyfile = /path/to/privkey.pem
ssl_options.verify = verify_none
ssl_options.fail_if_no_peer_cert = false
web_mqtt.ssl.port = 15676
web_mqtt.ssl.backlog = 1024
web_mqtt.ssl.cacertfile = /path/to/fullchain.pem
web_mqtt.ssl.certfile = /path/to/cert.pem
web_mqtt.ssl.keyfile = /path/to/privkey.pem
Basically, I'm wondering if I have the connection string wrong (wss://hostname:15675/ws)? Do I need to go to /wss? Is it a problem my client is a browser running on localhost -- not HTTPS? Do I have a configuration set incorrectly -- am I missing one?
If there is a better source of documentation/examples of this plugin beyond the RabbitMQ website, I would also be interested.

maybe the configuration mismatch
if there any password for the private file you need to add it also.
refer to the following sample rabbitmq.conf
listeners.ssl.default = 5671
ssl_options.cacertfile = <path/ca-bundle (.pem/.cabundle)>
ssl_options.certfile = <path/cert (.pem/.crt)>
ssl_options.keyfile = <path/key (.pem/.key)>
ssl_options.password = <your private key password>
ssl_options.versions.1 = tlsv1.3
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_options.ciphers.1 = TLS_AES_256_GCM_SHA384
ssl_options.ciphers.2 = TLS_AES_128_GCM_SHA256
ssl_options.ciphers.3 = TLS_CHACHA20_POLY1305_SHA256
ssl_options.ciphers.4 = TLS_AES_128_CCM_SHA256
ssl_options.ciphers.5 = TLS_AES_128_CCM_8_SHA256
ssl_options.honor_cipher_order = true
ssl_options.honor_ecc_order = true
web_mqtt.ssl.port = 15676
web_mqtt.ssl.backlog = 1024
web_mqtt.ssl.cacertfile = <path/ca-bundle (.pem/.cabundle)>
web_mqtt.ssl.certfile = <path/crt (.pem/.crt)>
web_mqtt.ssl.keyfile = <path/key (.pem/.key)>
web_mqtt.ssl.password = <your private key password>
web_mqtt.ssl.honor_cipher_order = true
web_mqtt.ssl.honor_ecc_order = true
web_mqtt.ssl.client_renegotiation = false
web_mqtt.ssl.secure_renegotiate = true
web_mqtt.ssl.versions.1 = tlsv1.2
web_mqtt.ssl.versions.2 = tlsv1.1
web_mqtt.ssl.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
web_mqtt.ssl.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
web_mqtt.ssl.ciphers.3 = ECDHE-ECDSA-AES256-SHA384
web_mqtt.ssl.ciphers.4 = ECDHE-RSA-AES256-SHA384
web_mqtt.ssl.ciphers.5 = ECDH-ECDSA-AES256-GCM-SHA384
web_mqtt.ssl.ciphers.6 = ECDH-RSA-AES256-GCM-SHA384
web_mqtt.ssl.ciphers.7 = ECDH-ECDSA-AES256-SHA384
web_mqtt.ssl.ciphers.8 = ECDH-RSA-AES256-SHA384
web_mqtt.ssl.ciphers.9 = DHE-RSA-AES256-GCM-SHA384
this is a working configuration file for the rabbitmq-server on ubuntu 20.04
restart the rabbitmq-server
list the listeners port (make sure that the SSL ports enabled) (rabbitmq-diagnostics listeners)
test the SSL (testssl localhost:16567)
also test the telnet (telnet localhost 16567)
please reffer : https://www.rabbitmq.com/ssl.html#erlang-otp-requirements and
troubleshooting
this is worked for me :-)

lighttpd - reject a connection based on the value of the client cert CN discovered during ssl negotiation. (ssl.verifyclient)

I want to drop or reject a connection based on the value of the client cert CN discovered during ssl negotiation.
I'm not familiar with syntax and can't find similar examples.
I'm stuck with lighttpd v.1.4.45.
In a mixture of real and pseudocode:
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
...
ssl.ca-file = "..."
...
# client side authentification
ssl.verifyclient.activate = "enable"
ssl.verifyclient.enforce = "enable"
ssl.verifyclient.depth = "2"
# this line instructs client cert CN value to be extracted
ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
}
# psuedocode
<client CN> <not regexp-equal> <regexp> {
<reject>
}
Can it be done at the lighttpd level? Assume going down to application code is not an option.
(I'm also curious to see an example of how could it be done at application level but that is not the primary question.)

Use lighttpd mod_auth. https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModAuth
server.modules += ("mod_auth")
auth.require = ( "" =>
(
"method" => "extern",
"realm" => "certificate",
"require" => "user=agent007|user=agent008"
)
)
You have to list the permitted SSL_CLIENT_S_DN_CN values in user=...|user=...

How to setup Lighttpd with ssl and proxy

I'm trying setup Lighttpd with ssl and proxy but I cannot make it work.
I've installed the certificate and private-key and they works, however when I try to enable the ssl, the port (443) doesn't respond.
My configuration file is (conf-enabled/10-proxy.conf):
$HTTP["host"] == "host.com.br" {
proxy.server = ( "" => ((
"host" => "200.1.1.1",
"port" => 9004
)))
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/private_key.pem"
ssl.ca-file = "/etc/lighttpd/ssl/certificate_file.crt"
}
My lighttpd.conf is:
server.modules = (
"mod_access",
"mod_alias",
"mod_compress",
"mod_redirect",
# "mod_rewrite",
)
server.document-root = "/var/www"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
server.username = "www-data"
server.groupname = "www-data"
index-file.names = ( "index.php", "index.html",
"index.htm", "default.htm",
" index.lighttpd.html" )
url.access-deny = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
include_shell "/usr/share/lighttpd/use-ipv6.pl"
dir-listing.encoding = "utf-8"
server.dir-listing = "enable"
compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "application/x-javascript", "text/css", "text/html", "text/plain" )
include_shell "/usr/share/lighttpd/create-mime.assign.pl"
include_shell "/usr/share/lighttpd/include-conf-enabled.pl"

According in the docs Lighttpd at 1.4.52 doesn´t support SSL/TLS with mod_proxy.

You need to tell lighttpd to listen on port 443:
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/private_key.pem"
ssl.ca-file = "/etc/lighttpd/ssl/certificate_file.crt"
}

cannot use any protocol besides SSLv23 in python2 ssl wrapper with self-signed certificate

I generated my self-signed certificate with open ssl
openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.pem
I am using python2, and this is my server code:
import socket, ssl
bindsocket = socket.socket()
bindsocket.bind(('localhost', 10023))
bindsocket.listen(5)
while True:
newsocket, fromaddr = bindsocket.accept()
connstream = ssl.wrap_socket(newsocket,
server_side=True,
certfile="cert.pem",
ssl_version=ssl.PROTOCOL_SSLv23)
try:
data = connstream.read()
print data
finally:
connstream.write('hi this is server')
connstream.shutdown(socket.SHUT_RDWR)
connstream.close()
this code works well, my client can get 'hi this is server' successfully. however, when i changed the ssl_version from ssl.PROTOCOL_SSLv23 to ssl.PROTOCOL_TLSv1 or ssl.PROTOCOL_SSLv3, there will be an error:
ssl.SSLError: [Errno 1] _ssl.c:504: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
if i changed ssl_versiton to ssl.PROTOCOL_SSLv2:
ssl.SSLError: [Errno 1] _ssl.c:504: error:1406B0CB:SSL routines:GET_CLIENT_MASTER_KEY:peer error no cipher
this is my client code, I hope this may help to generate the issue:
import socket, ssl
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ssl_sock = ssl.wrap_socket(s,
ca_certs="cert.pem",
cert_reqs=ssl.CERT_REQUIRED)
ssl_sock.connect(('localhost', 10023))
ssl_sock.write('hi this is client')
data = ssl_sock.read()
print data
ssl_sock.close()
I can not understand what's wrong with these. how could I use protocols other than SSLv23?

Have you ever considered that the keyfile is needed for server side while certfile is not for client side?
Slightly modified your code here, hope it could help.
#Server side:
import socket, ssl
bindsocket = socket.socket()
bindsocket.bind(('localhost', 10023))
bindsocket.listen(5)
while True:
newsocket, fromaddr = bindsocket.accept()
connstream = ssl.wrap_socket(newsocket,
keyfile='key.pem',
server_side=True,
certfile="cert.crt",
ssl_version=ssl.PROTOCOL_SSLv23)
try:
data = connstream.read()
print data
finally:
connstream.write('hi this is server')
connstream.shutdown(socket.SHUT_RDWR)
connstream.close()
#Client side:
import socket, ssl
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ssl_sock = ssl.wrap_socket(s,
ca_certs="cert.crt",
cert_reqs=ssl.CERT_REQUIRED
)
ssl_sock.connect(('localhost', 10023))
ssl_sock.write('hi this is client')
data = ssl_sock.read()
print data`enter code here`
ssl_sock.close()