.NET Core - HTTPClient - dh key too small on Ubuntu 20.04

Question

I'd like to ask if there's a way to bypass Ubuntu's security checks so that I could be able to fetch a website with a small key in my .NET Core Client app? I am getting error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small exception.

The issue is that in Ubuntu 20.04 openSSL has security level set to 2 and (currently, hopefully someone will come up with an answer for my question on Ask Ubuntu) I have no idea how to set it to a lower value.

The same error occurs using curl unless --ciphers 'DEFAULT:!DH' parameter is provided, so I assume the root cause of the problem is within the operating sysem itself.

I do not control the website's server, so changing its security settings is a no go.

What I've tried so far from C# side:

serviceCollection.AddHttpClient<IInterface, IImplementation>()
                             .ConfigureHttpMessageHandlerBuilder(messageHandlerBuilder =>
                             {
                                 messageHandlerBuilder.PrimaryHandler = new HttpClientHandler
                                 {
                                     ServerCertificateCustomValidationCallback = (m, c, ch, e) => true
                                 };
                             });

and

using var httpClient = new HttpClient();
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;

var websiteContent = await httpClient.GetStreamAsync(url);

Security is not much of an issue in this case so I'm ok with using any dirty hack here.

Any help would be much appreciated.

score 12 · Accepted Answer · answered May 02 '20 at 15:23

12

Thanks to the answer received on Ask Ubuntu I managed to fix the issue by:

copying openssl.cnf file
Adding openssl_conf = default_conf at the top of the copied file
Adding at the end:

    [ default_conf ]

    ssl_conf = ssl_sect

    [ssl_sect]

    system_default = ssl_default_sect

    [ssl_default_sect]
    MinProtocol = TLSv1.2
    CipherString = DEFAULT:@SECLEVEL=1

Running the project with OPENSSL_CONF environmental variable set to path to the altered config file

answered May 02 '20 at 15:23

Łukasz Sypniewski

602
1
10
19

1

Thanks! That fixed it for me. After upgrading from Ubuntu 18.04 LTS to 20.04 LTS my wget refused to connect to a server I had previously copied files from. With this modification of openssl.cnf it works again. – Norbert S May 30 '20 at 01:41
1

New install of Ubuntu Server 20.04. PHP Curl was throwing this error. Added the above to openssl.cnf and it worked. Thanks! – uPrompt Jun 22 '20 at 14:05

.NET Core - HTTPClient - dh key too small on Ubuntu 20.04

1 Answers1