Menu
I'm trying to set up a TLS connection to an application running in a (local) VM using C#'s HttpClient on Windows. However, it results in a RemoteCertificateNameMismatch error every time.
This piece of code:
HttpClientHandler handler = new HttpClientHandler();
handler.ServerCertificateCustomValidationCallback = (request, cert, chain, policyErrors) =>
{
Console.WriteLine($"Policy Errors: {policyErrors}");
return policyErrors == SslPolicyErrors.None;
};
HttpClient httpClient = new HttpClient(handler)
{
BaseAddress = new Uri("https://192.168.99.100/engine-rest")
};
var result = httpClient.GetAsync("/engine").Result;
Results in this error:
Policy Errors: RemoteCertificateNameMismatch
Unhandled Exception: System.AggregateException: One or more errors occurred. (An error occurred while sending the request.) ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.WinHttpxception: A security error occurred
at System.Net.Http.WinHttpRequestCallback.OnRequestSendingRequest(WinHttpRequestState state)
at System.Net.Http.WinHttpRequestCallback.RequestCallback(IntPtr handle, WinHttpRequestState state, UInt32 internetStatus, IntPtr statusInformation, UInt32 statusInformationLength)
However, my certificate is valid according to Google Chrome and Mozilla Firefox, but not for Internet Explorer.
See the screenshot taken from Chrome. The certificate seems valid. I've created my own Certificate Authority certificate (self signed certificate), then I used that to create my server certificate. I filled in the subject name. As Subject Alternative Name (SAN) I've added the IP address.
Is an IP address field inside the SAN field not supported in IE and HttpClient? If so, is there some other way of validating a server certificate using an IP address?
I'm using dotnet core 2.0.
521
In PHP you can make this connection using CURL. With a TLS/SSL client you only need the public key to verify a remote host. This public key is just that public, it doesn't matter if it gets leaked to an attacker. On the server side Apache has access both the public and private key.
In a TLS connection, the client and the server first agree upon the version of TLS that they are going to use, which is the highest that both support. Then, they agree upon cipher suites that they are going to use.
First, the client sends a Client Hello to the server. The Client Hello includes the following information. The client sends a list of all the TLS/SSL protocol versions that it supports with the preferred one being first on the list. The preferred one is usually the latest available version. For example, TLS 1.2 has a client_version 3,3.
- Stack Overflow What is a Trusted Connection? Bookmark this question. Show activity on this post. What is a trusted connection in terms of SQL Server 2005 (Trusted vs Windows Auth)? Show activity on this post. A trusted connection is the same thing as using Windows Authentication in SQL Server 2005.
Reading up on a similar question I found the following:
.NET does not support IP addresses as Subject Alternative Names directly because it relies on Schannel to do the verification of the IP address in the cert.
Schannel only looks for the hostname (IP) given in the https request among the "DNS Name=" fields of the cert. So if you could get a CA to give you a cert with the IP addresses listed in the "DNS Name=" fields then it would probably work.
You could try using the 'DNS Name' field.
Source: Does .NET web service client support SSL cert with IP in Alternate Subject Name
95
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
