
I'm having a difficult time finding out how to fix this issue as it only happens in an Azure Linux app service. Locally (win10) and in Azure Windows app service, no problems.

The app is ASP.NET Core 3.1 and I've created a custom service as an HttpClient:

    // Typed client; it is registered with AddHttpClient<NPIApiService>() below.
    // NPIResult is the response model (not shown).
    using System;
    using System.Net.Http;
    using System.Threading.Tasks;

    namespace Services
    {
        public class NPIApiService
        {
            private readonly HttpClient _client;

            public NPIApiService(HttpClient client)
            {
                _client = client;
                _client.BaseAddress = new Uri("https://npiregistry.cms.hhs.gov/api/");
            }

            // Workaround attempt: accepts every server certificate unconditionally,
            // i.e. certificate validation is switched off for this handler.
            public class AllowCertsMessageHandler : HttpClientHandler
            {
                public AllowCertsMessageHandler()
                {
                    this.ClientCertificateOptions = ClientCertificateOption.Manual;
                    this.ServerCertificateCustomValidationCallback = (requestMessage, cert, certChain, policyErrors) =>
                    {
                        return true;
                    };
                }
            }

            public async Task<NPIResult> LoadNPI(string npi)
            {
                // The relative URI is resolved against BaseAddress.
                var response = await _client.GetAsync(new Uri($"?version=2.1&number={npi}", UriKind.Relative), HttpCompletionOption.ResponseContentRead);
                if (response.IsSuccessStatusCode)
                {
                    var rawstring = await response.Content.ReadAsStringAsync();
                    return System.Text.Json.JsonSerializer.Deserialize<NPIResult>(rawstring);
                }

                return null;
            }
        }
    }

Note the AllowCertsMessageHandler: I've added this as a hopeful workaround but to no avail.

    // Startup.ConfigureServices: the typed client gets a primary handler that,
    // like AllowCertsMessageHandler above, accepts any server certificate.
    services.AddHttpClient<Services.NPIApiService>()
        .ConfigurePrimaryHttpMessageHandler(() =>
        {
            return new HttpClientHandler()
            {
                ClientCertificateOptions = ClientCertificateOption.Manual,
                ServerCertificateCustomValidationCallback = (requestMessage, cert, certChain, policyErrors) =>
                {
                    return true;
                }
            };
        });

The code above works well everywhere I've tried, except specifically in Azure Linux App Service.

Stack trace of exception:

2020-06-10T19:18:31.232053228Z: [INFO]  info: System.Net.Http.HttpClient.NPIApiService.LogicalHandler[100]
2020-06-10T19:18:31.232121130Z: [INFO]        Start processing HTTP request GET https://npiregistry.cms.hhs.gov/api/?version=2.1&number=1316923212
2020-06-10T19:18:31.233564068Z: [INFO]  info: System.Net.Http.HttpClient.NPIApiService.ClientHandler[100]
2020-06-10T19:18:31.233584268Z: [INFO]        Sending HTTP request GET https://npiregistry.cms.hhs.gov/api/?version=2.1&number=1316923212
2020-06-10T19:18:31.387040818Z: [INFO]  fail: Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware[1]
2020-06-10T19:18:31.387088119Z: [INFO]        An unhandled exception has occurred while executing the request.
2020-06-10T19:18:31.388164847Z: [INFO]  System.Net.Http.HttpRequestException: **The SSL connection could not be established, see inner exception.**
2020-06-10T19:18:31.388184048Z: [INFO]   ---> System.Security.Authentication.AuthenticationException: **Authentication failed, see inner exception.**
2020-06-10T19:18:31.388194148Z: [INFO]   ---> Interop+OpenSsl+SslException: **SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.**
2020-06-10T19:18:31.389275477Z: [INFO]   ---> Interop+Crypto+OpenSslCryptographicException: **error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small**
2020-06-10T19:18:31.389293777Z: [INFO]     --- End of inner exception stack trace ---
2020-06-10T19:18:31.394673519Z: [INFO]     at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, Byte[] recvBuf, Int32 recvOffset, Int32 recvCount, Byte[]& sendBuf, Int32& sendCount)
2020-06-10T19:18:31.394697020Z: [INFO]     at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, ArraySegment`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
2020-06-10T19:18:31.394708120Z: [INFO]     --- End of inner exception stack trace ---

I've tried making some changes to openssl.conf as well, but didn't seem to make any difference.

This is my first go at an app that was presumably x-platform compatible, so I'm still learning. I'm pretty sure this is environment related, but I welcome any suggestions.

Thanks in advance...

Jason
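An added example (not code from the question or from the commenters) showing the same typed-client registration with explicit TLS settings and certificate validation left on. It assumes ASP.NET Core 3.1, an OpenSSL-based Linux host (CipherSuitesPolicy is honoured only there and is not supported on Windows, hence the platform guard), and a remote host that offers at least one ECDHE or TLS 1.3 suite. It illustrates two things: the unconditional `return true` in the question disables certificate validation for every request yet cannot affect the failure in the trace, because the callback governs certificate trust, not OpenSSL's minimum-size check on the server's Diffie-Hellman parameters (`dh key too small`); and a client that offers only ECDHE and TLS 1.3 suites never negotiates a DHE suite with a small group in the first place. The class name, the method name and the logger category are this example's own.

```csharp
// Added example, not from the question. Registers the typed NPIApiService
// client with explicit TLS options and certificate validation kept on.
// Assumptions: ASP.NET Core 3.1; CipherSuitesPolicy is applied only on Linux,
// where the OpenSSL backend honours it (it is not supported on Windows).
using System.Net.Http;
using System.Net.Security;
using System.Runtime.InteropServices;
using System.Security.Authentication;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class NpiApiClientRegistration
{
    // Forward-secret suites only: no DHE_* entries, so a server presenting a
    // small finite-field DH group can never be selected, and no RSA key
    // exchange either. Whether the peer accepts this depends on what it offers.
    private static readonly TlsCipherSuite[] AllowedSuites =
    {
        TlsCipherSuite.TLS_AES_256_GCM_SHA384,                 // TLS 1.3
        TlsCipherSuite.TLS_AES_128_GCM_SHA256,                 // TLS 1.3
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    };

    public static IServiceCollection AddNpiApiClient(this IServiceCollection services)
    {
        services.AddHttpClient<Services.NPIApiService>()
            .ConfigurePrimaryHttpMessageHandler(sp =>
            {
                var logger = sp.GetRequiredService<ILoggerFactory>().CreateLogger("NpiApiTls");

                var sslOptions = new SslClientAuthenticationOptions
                {
                    EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,

                    // Keep the default trust decision; only make failures visible.
                    // Returning true for anything other than None would switch
                    // certificate validation off for every request.
                    RemoteCertificateValidationCallback = (sender, cert, chain, errors) =>
                    {
                        if (errors == SslPolicyErrors.None)
                        {
                            return true;
                        }

                        var subject = cert?.Subject ?? "<no certificate>";
                        logger.LogError("Rejected server certificate {Subject}: {Errors}", subject, errors);
                        return false;
                    }
                };

                // Cipher-suite selection is an OpenSSL-only feature in .NET Core 3.1.
                if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
                {
                    sslOptions.CipherSuitesPolicy = new CipherSuitesPolicy(AllowedSuites);
                }

                return new SocketsHttpHandler { SslOptions = sslOptions };
            });

        return services;
    }
}
```

Call `services.AddNpiApiClient();` from `Startup.ConfigureServices` in place of the `AddHttpClient<Services.NPIApiService>()` registration shown in the question. If the remote host offers nothing but RSA key exchange and a small DHE group, this configuration fails the handshake as well, but it fails with a clear cipher-suite mismatch logged on the client side rather than by silently weakening validation.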
    Some additional context: It appears this particular site I am connecting to is using obsolete connection settings and maybe the app service is blocking because of this? _The connection to this site is encrypted and authenticated using TLS 1.2, RSA, and AES_128_GCM. RSA key exchange is obsolete. Enable an ECDHE-based cipher suite._ Shouldn't the Linux app support it if the Windows version does? – Jason Jun 11 '20 at 17:14
  • Any update on this? Seeing the same thing. – Dan Parker Mar 23 '21 at 15:02
    @DanParker, I never got an answer from anywhere on this. I ended up using the windows app service. – Jason Mar 24 '21 at 18:42
  • I talked with support and they were trying to set the level of security for that SSL cipher, but they couldn't. They thought that maybe the 3rd party wasn't using TLS 1.2, but they were. Support suggested to then go back to the Windows host, which we did. – Dan Parker Mar 25 '21 at 18:57
  • This might be relevant, but not sure how Core 3.1 relates to this. https://learn.microsoft.com/en-us/dotnet/core/compatibility/cryptography/5.0/default-cipher-suites-for-tls-on-linux – Eric Smekens Feb 16 '22 at 15:52
  • Having the same issue. Certificates exist under /var/ssl/certs. Just not working on Linux. – Heinzlmaen Jan 10 '23 at 07:01

0 Answers