Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to start a trusted TLS connection with a server by IP address using HttpClient in C#?

I'm trying to set up a TLS connection to an application running in a (local) VM using C#'s HttpClient on Windows. However, it results in a RemoteCertificateNameMismatch error every time.

This piece of code:

HttpClientHandler handler = new HttpClientHandler();
handler.ServerCertificateCustomValidationCallback = (request, cert, chain, policyErrors) =>
{
    Console.WriteLine($"Policy Errors: {policyErrors}");
    return policyErrors == SslPolicyErrors.None;
};
HttpClient httpClient = new HttpClient(handler)
{
    BaseAddress = new Uri("https://192.168.99.100/engine-rest")
};
var result = httpClient.GetAsync("/engine").Result;

Results in this error:

Policy Errors: RemoteCertificateNameMismatch

Unhandled Exception: System.AggregateException: One or more errors occurred. (An error occurred while sending the request.) ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.WinHttpxception: A security error occurred
   at System.Net.Http.WinHttpRequestCallback.OnRequestSendingRequest(WinHttpRequestState state)
   at System.Net.Http.WinHttpRequestCallback.RequestCallback(IntPtr handle, WinHttpRequestState state, UInt32 internetStatus, IntPtr statusInformation, UInt32 statusInformationLength)

However, my certificate is valid according to Google Chrome and Mozilla Firefox, but not for Internet Explorer.

Valid server certificate in Chrome

See the screenshot taken from Chrome. The certificate seems valid. I've created my own Certificate Authority certificate (self signed certificate), then I used that to create my server certificate. I filled in the subject name. As Subject Alternative Name (SAN) I've added the IP address.

Is an IP address field inside the SAN field not supported in IE and HttpClient? If so, is there some other way of validating a server certificate using an IP address?

I'm using dotnet core 2.0.

like image 521
nicojs Avatar asked Mar 05 '18 15:03

nicojs


People also ask

How to verify a TLS/SSL connection in PHP?

In PHP you can make this connection using CURL. With a TLS/SSL client you only need the public key to verify a remote host. This public key is just that public, it doesn't matter if it gets leaked to an attacker. On the server side Apache has access both the public and private key.

What is a TLS connection?

In a TLS connection, the client and the server first agree upon the version of TLS that they are going to use, which is the highest that both support. Then, they agree upon cipher suites that they are going to use.

How do I know which TLS/SSL protocol version my client is using?

First, the client sends a Client Hello to the server. The Client Hello includes the following information. The client sends a list of all the TLS/SSL protocol versions that it supports with the preferred one being first on the list. The preferred one is usually the latest available version. For example, TLS 1.2 has a client_version 3,3.

What is a trusted connection?

- Stack Overflow What is a Trusted Connection? Bookmark this question. Show activity on this post. What is a trusted connection in terms of SQL Server 2005 (Trusted vs Windows Auth)? Show activity on this post. A trusted connection is the same thing as using Windows Authentication in SQL Server 2005.


1 Answers

Reading up on a similar question I found the following:

.NET does not support IP addresses as Subject Alternative Names directly because it relies on Schannel to do the verification of the IP address in the cert.

Schannel only looks for the hostname (IP) given in the https request among the "DNS Name=" fields of the cert. So if you could get a CA to give you a cert with the IP addresses listed in the "DNS Name=" fields then it would probably work.

You could try using the 'DNS Name' field.

Source: Does .NET web service client support SSL cert with IP in Alternate Subject Name

like image 95
Rob Avatar answered Sep 29 '22 03:09

Rob