HTTPS SSL Connection not trusted, despite certificate being fine - asp.net-mvc

I have got 2 sitest hosted on Windows 2012 R2 IIs 8.5.
One is instance of umbraco while other is .Net core based api (Lets call it MyApi).
I want to perform certain search action on umbraco so umbraco makes call to the api which calls back the Umbraco/Api. Call to the MyApi is fine, however the call from MyApi to the Umbraco/Api is problem. The Umbraco api logs:
Search failed System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
Certificates themselves are provided by our customer's inner authority, which is trusted root in server storage. Now originaly we have had problem with certificates, as they missed first DNS record we use for api call (the DNS records are not created yet, we use record in 'hosts') but that shoud be fiex by now.
I have updated the SSL error handler in the code so it logs an error and number in SSL Enum.
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
System.Net.ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) =>
{
_logger.LogError("Received TLS errror " + ((int)sslPolicyErrors).ToString());
return false;
};
_logger.LogDebug("Search starting");
if (model.Username != null)
{
model.Favourites = _workplaceContext.GetUserFavourites(_dataContext, model.Username);
}
else if (model.JustFavourites)
{
return BadRequest();
}
using (var client = new HttpClient())
{
client.BaseAddress = new Uri(_configuration.GetValue<string>("UmbracoApiUrl"));
_logger.LogDebug("Searching for addres " + new Uri(_configuration.GetValue<string>("UmbracoApiUrl")));
client.DefaultRequestHeaders.Accept.Clear();
client.DefaultRequestHeaders.Accept.Add(
new MediaTypeWithQualityHeaderValue("application/json"));
var json = JsonConvert.SerializeObject(model);
using (var stringContent = new StringContent(json, Encoding.UTF8, "application/json"))
{
var response = await client.PostAsync("workplace/search", stringContent);
if (response.IsSuccessStatusCode)
{
_logger.LogDebug("Search API Call success");
var jsonResponse = await response.Content.ReadAsStringAsync();
var responseModel = JsonConvert.DeserializeObject<SearchResponseModel>(jsonResponse);
_logger.LogDebug("Search response TotalCount = " + responseModel.TotalCount);
return responseModel;
}
else
{
_logger.LogDebug("Search API Call status - " + response.StatusCode);
return StatusCode((int)response.StatusCode);
}
}
}
Originaly we received number 2 error. Now we just receive number 0, which should be no problem. Despite that, connections is still not working. I have read various articles regarfding this and enabled troubleshooting through in web config of umbraco, but haven't found any useful information. I need method to troubleshoot the MyApi. Could somone point me a direction how to troubleshoot it to the similar degree of detail as umbraco (i am not much familiar with .NET core apps)?
The interesting part of error log:
2019-07-08 13:35:32.1745||DEBUG|XXXApi.Controllers.WorkplaceController|Search starting
2019-07-08 13:35:32.1901||DEBUG|XXXApi.Controllers.WorkplaceController|Searching for addres https://xxx.yy.zz/umbraco/api/
2019-07-08 13:35:32.2682||ERROR|XXXCApi.Controllers.WorkplaceController|Received TLS errror 0
2019-07-08 13:35:32.2682||ERROR|XXXApi.Controllers.WorkplaceController|Search failed System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at System.Net.PooledStream.EndWrite(IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
--- End of inner exception stack trace ---

Solution: The original error was in certificate and got fixed, BUT the callback returning false I used for debugging caused problem marking connection unsuccessful. It took like 2 days to figure it out. So since moment i got 0 in enum, it was just bug in my debugging code.
Oh and don't forget to unsubscribe the delgate.

Related

How can I make a TLS connection using Vala?

I'm trying to figure out how can I make a proper TLS connection using Gio. The Gio documentation says you can create a TLS connection just by setting the tls flag on the SocketClient. Below is a Gio networking sample from the gnome wiki. When I set the tls flag, the TLS layer is configured automatically but validating the certificates fails unless I skip the validation.
Do I have to validate certificates myself or is GLib supposed to do the validation? Can somebody provide a full example on how to use TLS in Vala?
var host = "developer.gnome.org";
try {
// Resolve hostname to IP address
var resolver = Resolver.get_default ();
var addresses = resolver.lookup_by_name (host, null);
var address = addresses.nth_data (0);
print (#"Resolved $host to $address\n");
// Connect
var client = new SocketClient ();
client.set_tls(true);
// skips certificate validation
client.set_tls_validation_flags( 0 );
var conn = client.connect (new InetSocketAddress (address, 443));
print (#"Connected to $host\n");
// Send HTTP GET request
var message = #"GET / HTTP/1.1\r\nHost: $host\r\n\r\n";
conn.output_stream.write (message.data);
print ("Wrote request\n");
// Receive response
var response = new DataInputStream (conn.input_stream);
var status_line = response.read_line (null).strip ();
print ("Received status line: %s\n", status_line);
} catch (Error e) {
stderr.printf ("%s\n", e.message);
}
And another thing I want to ask is; when I run the code above I get this output:
Resolved developer.gnome.org to 8.43.85.14
Connected to developer.gnome.org
Wrote request
Received status line: HTTP/1.1 200 OK
But when I try to connect 'developer.mozilla.org', I'm getting the following error:
Resolved developer.mozilla.org to 54.192.235.2
Error performing TLS handshake: A packet with illegal or unsupported version was received.
Can anybody tell me the reason why I am getting this error? (By the way the version of GLib installed on my system is 2.64.6)
What you're doing so far is mostly correct, but you will probably want to do a little bit more to handle potential certificate errors during the TLS handshaking (see below).
Do I have to validate certificates myself or is GLib supposed to do the validation?
Note that SocketClient.set_tls_validation_flags is deprecated. To handle validation errors you can connect to the accept_certificate signal on the TlsClientConnection prior to handshaking:
var client = new SocketClient ();
client.set_tls(true);
client.event.connect ((SocketClientEvent event, SocketConnectable connectable, IOStream? connection) => {
if (event == SocketClientEvent.TLS_HANDSHAKING) {
((TlsClientConnection) connection).accept_certificate.connect ((peer_cert, errors) => {
// Return true to accept, false to reject
});
}
});
The errors are GLib.TlsCertificateFlags, so you'll want to determine which (if any) are acceptable. Ideally if there are any errors you would reject the certificate altogether, but if you want to allow self-signed certificates for example, that is possible this way.
You can simply check against the flags to see which ones are included in the errors:
TlsCertificateFlags[] flags = new TlsCertificateFlags[] {
TlsCertificateFlags.BAD_IDENTITY,
TlsCertificateFlags.EXPIRED,
TlsCertificateFlags.GENERIC_ERROR,
TlsCertificateFlags.INSECURE,
TlsCertificateFlags.NOT_ACTIVATED,
TlsCertificateFlags.REVOKED,
TlsCertificateFlags.UNKNOWN_CA
};
foreach (var flag in flags) {
if ((errors & flag) != 0) {
// The flag was included in the errors - respond accordingly
}
}
But when I try to connect 'developer.mozilla.org', I'm getting the
following error:
Resolved developer.mozilla.org to 54.192.235.2 Error performing TLS
handshake: A packet with illegal or unsupported version was received.
Can anybody tell me the reason why I am getting this error? (By the
way the version of GLib installed on my system is 2.64.6)
This is probably due to developer.mozilla.org using an old implementation of TLS (probably 1.0 or 1.1). These were disabled in GLib networking as of 2.64.x according to this bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954742
They may have upgraded to TLS 1.2 since you posted this question - I just did a quick test and connected using TLSv1.2 successfully.
Try run the program with export G_MESSAGES_DEBUG=all for full debug messages.
Also, for a full working example of code that uses TLS written in Vala via GIO, check out the code for this Gemini browser: https://github.com/koyuspace/fossil/blob/main/src/util/connection_helper.vala
I hope that this is somewhat useful to you.

Simple POST from website to external web api fails

I have an asp .net MVC-page
Im trying to connect to Eventbrite:s api
Simply put, it requires you to send client id to one url, using HttpGET and HttpPOST the result and some more info to another url.
The GET goes fine and I get the required (auth)"code". When I try to make the POST to the second url I get
"Socket Exception: An existing connection was forcibly closed by the
remote host"
I can POST to the second url, using Postman and the info from the GET-request it works ok, I get the auth token just fine.
This is the code Im using
var parameters = new Dictionary<string,string>();
parameters.Add("code", pCode);
parameters.Add("client_secret", CLIENT_SECRET);
parameters.Add("client_id", CLIENT_APP_KEY);
parameters.Add("grant_type", "authorization_code");
using (var client = new HttpClient())
{
var req = new HttpRequestMessage(HttpMethod.Post, pUrl) { Content = new FormUrlEncodedContent(parameters) };
var response = client.SendAsync(req).Result;
return response.Content.ReadAsStringAsync().Result;
}
I have a vague memory of a similar problem when publishing to Azure. Since I have to register my app with a public return url I cant look at the request with fiddler.
My site is running https.
I have also tested adding the below line (from some googling)
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
But then I get 404-error...
I have also tested this (with same result)
using (var client = new HttpClient())
{
var response = client.PostAsync(pUrl, content).Result;
authToken = response.Content.ReadAsStringAsync().Result;
}
Ive tested getting the auth code and and running the POST from local machine, same result...
I have contacted eventbrite developer support to see if they can help me as well...
This POST must contain the following urlencoded data, along with a Content-type: application/x-www-form-urlencoded header.
Since your content-type is application/x-www-form-urlencoded you'll need to encode the POST body, especially if it contains characters like & which have special meaning in a form.
Then use the following function to post your data:
using (var httpClient = new HttpClient())
{
using (var content = new FormUrlEncodedContent(parameters))
{
content.Headers.Clear();
content.Headers.Add("Content-Type", "application/x-www-form-urlencoded");
HttpResponseMessage response = await httpClient.PostAsync(url, content);
return await response.Content.ReadAsAsync<TResult>();
}
}
The error message you provided means the remote side closed the connection, the causes are:
·You are sending malformed data to the application.
·The network link between the client and server is going down for some reason.
·You have triggered a bug in the third-party application that caused it to crash.
·The third-party application has exhausted system resources.
·Set ServicePointManager.SecurityProtocol = ServicePointManager.SecurityProtocol | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
For more details, you could refer to this case.
Changed OAuth access token URL from
https://www.eventbrite.com/oauth/token/
to (as specified)
https://www.eventbrite.com/oauth/token
(ie without trailing slash). Now it works

SSPI negotiation failed WSTrustChannelFactory

This one has me for a while now, I am trying to build a console app that can call a .net web/wcf service SP, the first leg is to get a token from the idP (ADFS4.0) the pasted code was working fine for a whole day, at some point it stopped working with the following error:
SOAP security negotiation with 'https://adfs.domain.in/adfs/services/trust/13/windowsmixed' for target 'https://adfs.domain.in/adfs/services/trust/13/windowsmixed' failed. See inner exception for more details.
The inner error is:
The Security Support Provider Interface (SSPI) negotiation failed.
NativeErrorCode: 0x80090350 -> SEC_E_DOWNGRADE_DETECTED
I have tried /13/windows and /windowstransport as well as the endpoint.
private static GenericXmlSecurityToken RequestSecurityToken()
{
// set up the ws-trust channel factory
var factory = new Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannelFactory(new WindowsWSTrustBinding(
SecurityMode.TransportWithMessageCredential), new EndpointAddress(new Uri("https://adfs.domain.in/adfs/services/trust/13/windowsmixed"), EndpointIdentity.CreateSpnIdentity("adfs#domain.in")));
factory.TrustVersion = TrustVersion.WSTrust13;
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
KeyType = KeyTypes.Bearer,
AppliesTo = new System.ServiceModel.EndpointAddress(endpoint_address)
};
// request token and return
return factory.CreateChannel().Issue(rst) as GenericXmlSecurityToken;
}
In my case, for some reason, the ADFS was available over VPN but the AD based authentication bits are not happening over VPN. That's why SEC_E_DOWNGRADE_DETECTED is coming. In a regular non VPN environment things are good.
Also, another observation is once SAML token is generated over a regular enterprise network. Subsequent calls to generate the SAML token are going through as expected even on VPN.
So, if you see this error just check if the network you are in is part of the domain (and not public or private network), for SSPI negotiation.

Error trying to Connect to GMail with MailKit

I've got the following code...
var credential = GoogleWebAuthorizationBroker.AuthorizeAsync(new ClientSecrets
{
ClientId = "<< MY CLIENT ID>>",
ClientSecret = "<<MY CLIENT SECRET>>"
},
new[] { "https://www.googleapis.com/auth/gmail.readonly" },
"<<EMAIL ADDRESS>>",
CancellationToken.None,
new FileDataStore("Mail2.Auth.Store")).Result;
using (var client = new ImapClient())
{
// THE CODE FAILS ON THIS NEXT LINE
client.Connect("imap.gmail.com", 993, SecureSocketOptions.SslOnConnect);
client.Authenticate("<<EMAIL ADDRESS>>", credential.Token.AccessToken);
}
When run, the code fails on the indicated like with AuthenticationException: The remote certificate is invalid according to the validation procedure.
I initially thought that is was 'cos the account had 2-step authentication on. So, I set up another account ensuring it just used the regular authentication settings and I got the same error.
I have found a number of posts, here and elsewhere, that deal with this exception but they seem to deal with the issue of working with the SmtpClient() and here, as you can see from the code, I'm getting the error with the ImapClient().
Can anyone suggest what it is that may be the cause of the error? Is it GMail? MailKit? .NET? All of the above?
The problem is that your system does not accept the GMail's SSL certificate.
You can override client.ServerCertificateValidationCallback.
A very simple example of a solution might look like this:
client.ServerCertificateValidationCallback = () => true;
Obviously that means that if anyone ever spoofed imap.gmail.com, your software would get caught in a MITM attack, so that's not ideal.
You'll likely want to match the certificate's thumbprint against a known thumbprint or else add the certificate to your local certificate store and assign a trust level to it.

Authenticated YouTube Data v3 query fails with 403 Forbidden message

This is a c# .NET application. The app makes an OAuth2 authenticated YouTube Data v3 ChannelList query that had been working for two months. Recently, the query fails with a 403 Forbidden message from Google. It fails from our Azure Web server and when running in Visual Studio on a developer desktop. The query works for at least one user but fails for all others tested. The query (listed here) works for all users from within the API Explorer. I cannot find additional error description returned from Google.
Update (7/15/2013): The query now runs after adding the access_token to the query. Previously, it executed successfully with the access_token only in the Service object, not explicitly part of the query. Although the query is successful with access_token directly appended, we are getting a downstream JavaScript error on on the YouTube embedded player. Not sure if that is related. I see there was a .NET API update in late June. #Ikailan, did something change at Google to break the access_token auth in the Service object. Note: we DID update to the new API. Are changes required to our code to use the June 2013 API updates?
Error Message "The remote server returned an error: (403) Forbidden."
Method that was failing but now works with the Auth token added to the query.
//Gets the channel information of the current user
public static ChannelListResponse GetCurrentUserChannel(string token)
{
YouTubeService service = new YouTubeService(GlobalSettings.applicationName, GlobalSettings.developerKey);
GAuthSubRequestFactory authFactory = new GAuthSubRequestFactory("YouTube", GlobalSettings.applicationName);
authFactory.Token = token;
service.RequestFactory = authFactory;
ChannelListResponse response = new ChannelListResponse();
try
{
System.IO.Stream resultStream = service.Query(new Uri("https://www.googleapis.com/youtube/v3/channels?part=id%2Csnippet%2CcontentDetails%2Cstatistics%2CtopicDetails&mine=true&access_token=" + authFactory.Token));
using (var reader = new System.IO.StreamReader(resultStream))
{
string value = reader.ReadToEnd();
response = JObject.Parse(value).ToObject<ChannelListResponse>();
}
}
catch (Exception ex) { }
return response;
}
Line that throws the exception. Added the Auth Key (see code above). Now the query executes successfully.
System.IO.Stream resultStream = service.Query(new Uri("https://www.googleapis.com/youtube/v3/channels?part=id%2Csnippet&mine=true"));
However, we are getting an Access Denied error for an embedded YouTube video player.
A first chance exception of type 'System.Threading.ThreadAbortException' occurred in mscorlib.dll
An exception of type 'System.Threading.ThreadAbortException' occurred in mscorlib.dll but was not handled in user code
Exception was thrown at line 4224, column 4 in http://localhost:49185/YotaCast_Prototype/Scripts/jquery-1.9.1.js
0x800a139e - JavaScript runtime error: SyntaxError
Exception was thrown at line 4242, column 4 in http://localhost:49185/YotaCast_Prototype/Scripts/jquery-1.9.1.js
0x800a139e - JavaScript runtime error: SyntaxError
Exception was thrown at line 360, column 9 in http://localhost:49185/YotaCast_Prototype/Scripts/foundation/foundation.js
0x800a1391 - JavaScript runtime error: 'Zepto' is undefined
Exception was thrown at line 1, column 97 in http://s.ytimg.com/yts/jsbin/www-embed-player-vflXN6WzI.js
0x80070005 - JavaScript runtime error: Access is denied.

Resources