
.NET 5 has breaking changes with TLS. So when I'm connecting to a website (via HttpClient) and it does not support TLS 1.3 (which is the default for .NET5), I get the following error: Interop+Crypto+OpenSslCryptographicException: error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type.

I wonder: if I BITOR the ServicePointManager.SecurityProtocol, i.e. ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls13 | SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls; will that resolve the problem by giving the web server the correct cipher suites?

Amit Dash

1 Answer


Here's a discussion on github: https://github.com/dotnet/runtime/issues/22507

Based on that, here's my solution. I had to read tons of GitHub discussions as well as go through the runtime repo.

using System;
using System.Net.Http;
using System.Net.Security;
using System.Runtime.InteropServices;
using Microsoft.Extensions.DependencyInjection;

// Windows OS throws PlatformNotSupportedException for an explicit list of TlsCipherSuite,
// so CipherSuitesPolicy is only set on non-Windows platforms.
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
    services.AddHttpClient("WebsiteCheck", configureClient =>
    {
        configureClient.Timeout = TimeSpan.FromMinutes(1);
    });
}
else
{
    services.AddHttpClient("WebsiteCheck", configureClient =>
    {
        configureClient.Timeout = TimeSpan.FromMinutes(1);
    }).ConfigurePrimaryHttpMessageHandler(() =>
    {
        // Enum.GetValues<TEnum>() is available from .NET 5; this offers every suite the enum knows.
        var allowedCipherSuites = Enum.GetValues<TlsCipherSuite>();

        return new SocketsHttpHandler()
        {
            SslOptions = new()
            {
                CipherSuitesPolicy = new CipherSuitesPolicy(allowedCipherSuites)
            }
        };
    });
}
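The following is an added example, not the answer author's code. It keeps the same platform split (CipherSuitesPolicy is rejected on Windows, where Schannel applies OS policy instead), but replaces `Enum.GetValues<TlsCipherSuite>()` with an explicit allowlist, since the full enum also contains NULL, RC4, export and CBC/SHA-1 suites that a client should never offer. It pins the protocol floor to TLS 1.2 and wraps the client in a small probe helper that reports a handshake failure instead of throwing. It assumes .NET 5 or later with the Microsoft.Extensions.Http and Microsoft.Extensions.DependencyInjection packages; the client name "WebsiteCheck" is reused from the answer, and `AddWebsiteCheckClient` and `ProbeAsync` are names chosen for this example.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Runtime.InteropServices;
using System.Security.Authentication;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;

// Added example; assumes Microsoft.Extensions.Http (AddHttpClient) is referenced.
public static class TlsClientSetup
{
    // Explicit allowlist: the TLS 1.3 suites plus forward-secret AEAD suites for TLS 1.2.
    // Unlike Enum.GetValues<TlsCipherSuite>(), this never offers NULL, RC4, export or CBC/SHA-1 suites.
    private static readonly TlsCipherSuite[] StrongSuites =
    {
        TlsCipherSuite.TLS_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_AES_128_GCM_SHA256,
        TlsCipherSuite.TLS_CHACHA20_POLY1305_SHA256,
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
    };

    // Registers the named client; the name "WebsiteCheck" is taken from the answer above.
    public static IServiceCollection AddWebsiteCheckClient(this IServiceCollection services)
    {
        services.AddHttpClient("WebsiteCheck", client =>
        {
            client.Timeout = TimeSpan.FromMinutes(1);
        })
        .ConfigurePrimaryHttpMessageHandler(() =>
        {
            var handler = new SocketsHttpHandler();

            // Protocol floor applies on every platform: nothing below TLS 1.2 is negotiated.
            handler.SslOptions.EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;

            // CipherSuitesPolicy throws PlatformNotSupportedException on Windows (Schannel),
            // where the offered suites come from OS policy rather than from the application.
            if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
            {
                handler.SslOptions.CipherSuitesPolicy = new CipherSuitesPolicy(StrongSuites);
            }

            return handler;
        });

        return services;
    }

    // Probes one URL and returns a one-line result instead of propagating handshake exceptions.
    public static async Task<string> ProbeAsync(string url)
    {
        using var provider = new ServiceCollection()
            .AddWebsiteCheckClient()
            .BuildServiceProvider();

        var client = provider.GetRequiredService<IHttpClientFactory>().CreateClient("WebsiteCheck");

        try
        {
            using var response = await client.GetAsync(url);
            return $"{url}: HTTP {(int)response.StatusCode}";
        }
        catch (HttpRequestException ex)
        {
            // On Linux a rejected handshake surfaces as HttpRequestException -> AuthenticationException
            // -> OpenSslCryptographicException; report the innermost message, which carries the OpenSSL reason.
            Exception inner = ex;
            while (inner.InnerException != null) inner = inner.InnerException;
            return $"{url}: TLS/HTTP failure: {inner.GetType().Name}: {inner.Message}";
        }
    }

    public static async Task Main(string[] args)
    {
        var url = args.Length > 0 ? args[0] : "https://example.invalid/"; // constructed placeholder URL
        Console.WriteLine(await ProbeAsync(url));
    }
}
```

Setting `EnabledSslProtocols` explicitly opts out of the OS default selection, so if the target platform's OpenSSL build lacks TLS 1.3 the `Tls13` flag may itself be rejected; leaving the property at `SslProtocols.None` and keeping only the cipher-suite allowlist is the alternative when that matters. Either way, a server that only offers suites outside the allowlist (or, as in the question, a signature algorithm the client rejects) now shows up as a reported handshake failure rather than an unhandled exception, which is the behaviour a monitoring job wants.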