
I have some trouble with my HttpListener. I already searched and read some discussions. For example: Httplistener with HTTPS support

First, let me describe my scenario: I want to create an HTTP listener with SSL/HTTPS support. That's the main target. I used OpenSSL to create my own CA and I created my own server cert. Now I have:

  • myCa.key
  • myCa.pem
  • myCa.srl
  • myServer.key
  • myServer.csr
  • myServer.crt

I installed the myCa.pem and the myServer.crt certificates on my local computer. I put the CA in the trusted store and the server certificate in "own certificates".

Then I took the fingerprint (certhash) of my server certificate and created the netsh entry with admin rights:

    netsh http add sslcert ipport=0.0.0.0:9649 appid={0a5ce-569a-4dc6-8ed7-9ef91241dec3} certhash=4F556BDC3F97B31D555266DA74F573777FCCAA55

My C# implementation is relatively simple:

    using System;
    using System.Net;

    class HttpsServer
    {
        private HttpListener Listener;
        public void Start()
        {
            this.Listener = new HttpListener();
            // Prefixes must end with "/"; the certificate comes from the netsh binding for port 9649.
            this.Listener.Prefixes.Add("https://*:9649/");
            this.Listener.Start();
            this.Listener.BeginGetContext(new AsyncCallback(ProcessClient), this.Listener);
        }

        // Process an incoming connection
        private void ProcessClient(IAsyncResult result)
        {
            var listener = (HttpListener)result.AsyncState;
            var clientContext = listener.EndGetContext(result);
            // Re-arm before handling, otherwise only the first request is ever accepted.
            listener.BeginGetContext(ProcessClient, listener);
            clientContext.Response.Close();
        }
    }

When I implemented SSL in my TcpStack I used an SslStream, and there I can validate a certificate with a ValidationCallback. I'm not sure whether this is possible here. I tried `ServicePointManager.ServerCertificateValidationCallback += ValidateCert;` but I never hit my breakpoint there.

Now to the problems:

When I try to connect with my own HttpClient (.NET HttpClient class) I always get a RemoteNameMismatch error on the SSL layer. I don't hit the breakpoint in the ProcessClient method. I tried without a specific certificate (auto detection) and I also tried to assign the same certificate (with the same hash) to the client. In both cases I got the same error. I don't understand why I get any errors when I use the same certificate on the client and the server side. I always thought netsh would compare the cert hashes.

When I try to connect with Postman I hit the ProcessClient function. But Postman gets an error that it can't check the certificate. I think the problem is that my certificate isn't an official certificate. But the data exchange is working.

Another point: I also want to roll out my app in containers with a Unix OS. .NET 6 is designed to be cross-platform. But what is the Unix equivalent of netsh? Is it possible to run my listener with HTTPS on Unix? How does the mapping between app and certificate work there? Maybe I have to change my technology? An alternative to HttpListener? Mainly I don't want to use third-party stuff.

UPDATE Solution: See my answer below

Thanks for reading and for help.

Greetings

On3byt
  • The link you provided is from 2012 and a lot has changed with SSL/TLS. First, SSL, TLS 1.0 and TLS 1.1 are obsolete and have been disabled on Windows Servers. So you have to use TLS 1.2 or TLS 1.3. Some encryption modes have been disabled, so your certificate may not be good (see: https://en.wikipedia.org/wiki/Transport_Layer_Security?force_isolation=true). TLS is performed before the HTTP request is sent, so if you do not validate the certificate the request is never sent. The best way of determining if TLS passed is to use a sniffer. Check the TLS version and see if the request is ever sent. – jdweng Jul 21 '22 at 10:00
  • TLS: the client sends the request with the version of TLS. Then the server returns a certificate block with the names of possible certificates. The client then looks up the certificate names in the stores to find a matching certificate. A certificate is a text file with the encryption mode and expiration date. Both the date and the encryption mode have to be valid for the version of TLS being used. – jdweng Jul 21 '22 at 10:03
  • `RemoteNameMismatch` indicates that the address you used to connect does not match the certificate. A typical case where this happens is if you connect using the machine name `MyMachine` and not using the FQDN `MyMachine.MyDomain.co.uk` – Charlieface Jul 21 '22 at 10:10
  • Is it possible to set it as a wildcard certificate? Then everybody on my dev team can use the certificate. When I set it to my computer name it's bound to me personally. Did I understand right? Thx – On3byt Jul 21 '22 at 14:51
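The RemoteNameMismatch error discussed in the question and the comments is the `SslPolicyErrors.RemoteCertificateNameMismatch` flag that the client's certificate validation callback receives: the host name in the request URL is not in the server certificate's Subject Alternative Name (or CN). As an added example that is not part of the original post or its comments, the following .NET 6 client logs which TLS check is failing and, for development only, pins one known certificate by thumbprint instead of disabling validation. `ServicePointManager.ServerCertificateValidationCallback` is not consulted by `HttpClient` on .NET Core / .NET 5+ (that handler path uses `SocketsHttpHandler`), which is why a breakpoint there is never hit; the callback on `HttpClientHandler` is. The host name `myserver.corp.example` and the `pinnedThumbprint` parameter are placeholders; port 9649 is taken from the question.

```csharp
// Added example, not code from the original post. Assumes .NET 6+.
// "myserver.corp.example" and the thumbprint argument are placeholders.
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class ServerCertCheck
{
    // Decide whether to trust the server certificate presented in the TLS
    // handshake, and say why, so failures are logged instead of surfacing as
    // an opaque HttpRequestException.
    public static (bool Accept, string Reason) Evaluate(
        X509Certificate2? cert, SslPolicyErrors errors, string? pinnedThumbprint)
    {
        if (cert is null)
            return (false, "no server certificate presented");

        // This flag is the "RemoteNameMismatch" from the question: the URL
        // host is not listed in the certificate's SAN / CN. Connecting to the
        // bare machine name while the cert carries the FQDN triggers it.
        if (errors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch))
            return (false, $"host name does not match certificate subject '{cert.Subject}'");

        // Chain errors: the issuing CA (here the private OpenSSL CA) is not in
        // this machine's trusted root store.
        if (errors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors))
        {
            // Development-only escape hatch: accept exactly one certificate by
            // thumbprint (pinning). Never replace this with "return true",
            // which switches off server authentication entirely.
            if (pinnedThumbprint is not null &&
                string.Equals(cert.Thumbprint, pinnedThumbprint, StringComparison.OrdinalIgnoreCase))
                return (true, "chain not trusted, but thumbprint is pinned");
            return (false, "certificate chain is not trusted on this machine");
        }

        if (errors != SslPolicyErrors.None)
            return (false, $"TLS policy errors: {errors}");

        return (true, "certificate valid for this host");
    }

    public static HttpClient CreateClient(string? pinnedThumbprint)
    {
        var handler = new HttpClientHandler();
        // HttpClient on .NET Core/.NET 5+ calls this callback; it ignores
        // ServicePointManager.ServerCertificateValidationCallback.
        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            var (accept, reason) = Evaluate(cert, errors, pinnedThumbprint);
            Console.WriteLine($"TLS check for {request.RequestUri?.Host}: {reason}");
            return accept;
        };
        return new HttpClient(handler);
    }
}

class Program
{
    static async Task Main()
    {
        // Use the FQDN that is in the certificate, not "localhost" or the bare
        // machine name; otherwise Evaluate() reports the name mismatch.
        using var client = ServerCertCheck.CreateClient(pinnedThumbprint: null);
        var response = await client.GetAsync("https://myserver.corp.example:9649/");
        Console.WriteLine($"HTTP {(int)response.StatusCode}");
    }
}
```

Pinning by thumbprint is what the question assumed netsh does; netsh only tells HTTP.sys which certificate to serve for a port, it never checks what the client presents, so any such comparison has to live in the client (as above) or, for client certificates, in the server via `HttpListenerRequest.GetClientCertificate()`.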

1 Answer


Like the guys said in the comments, the FQDN was the problem. In simple words: I created my own CA and then I created a server certificate signing request against the CA. Inside the server cert the CN matches the DNS name of my personal computer. The connection with my HTTP listener is working now. Thank you for your help!

On3byt
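The answer's fix (the server certificate has to carry the FQDN the client actually connects with) and the question about the Unix equivalent of netsh, as one added example that is not code from the post or its answer. It issues a CA and a server certificate in code with `CertificateRequest`, putting the FQDN into the Subject Alternative Name (what clients match against; CN is kept only for tools that still read it, and a wildcard such as `*.corp.example` can be added as a second SAN entry for the whole team), writes the CA as a .crt for the trusted root store and the server certificate as a PFX for the Windows netsh/HttpListener flow, and then serves HTTPS with Kestrel. Kestrel is part of ASP.NET Core, shipped by Microsoft, and takes the certificate directly in code, so it needs no OS-level binding and runs unchanged in a Linux container; the managed HttpListener used outside Windows does not terminate TLS itself. Assumes .NET 6+ and a project using `Microsoft.NET.Sdk.Web`; `My Dev CA`, `myserver.corp.example`, the file names and the PFX password are placeholders.

```csharp
// Added example, not code from the original post. Assumes .NET 6+ and a
// project using Microsoft.NET.Sdk.Web (Kestrel ships with ASP.NET Core).
// "My Dev CA", "myserver.corp.example", the file names and the PFX
// password are placeholders to replace.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;

static class DevPki
{
    // Self-signed CA. Install the exported .crt in the trusted root store of
    // every machine that should accept certificates issued by it.
    public static X509Certificate2 CreateCa(string name)
    {
        using var key = RSA.Create(3072);
        var req = new CertificateRequest($"CN={name}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        var now = DateTimeOffset.UtcNow;
        return req.CreateSelfSigned(now.AddMinutes(-5), now.AddYears(5));
    }

    // Server certificate issued by the CA. Every DNS name a client may put in
    // the URL goes into the Subject Alternative Name extension; a name that is
    // missing here is exactly the RemoteCertificateNameMismatch from the
    // question. CN is set to the first name only for tools that still read it.
    public static X509Certificate2 IssueServerCert(X509Certificate2 ca, params string[] dnsNames)
    {
        using var key = RSA.Create(2048);
        var req = new CertificateRequest($"CN={dnsNames[0]}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var san = new SubjectAlternativeNameBuilder();
        foreach (var name in dnsNames) san.AddDnsName(name);
        req.CertificateExtensions.Add(san.Build());
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); // id-kp-serverAuth

        var serial = RandomNumberGenerator.GetBytes(16);
        serial[0] &= 0x7F; // keep the serial a positive DER INTEGER
        var now = DateTimeOffset.UtcNow;
        var issued = req.Create(ca, now.AddMinutes(-5), now.AddDays(398), serial);

        // Create() returns the public certificate only; attach the key and
        // round-trip through PFX so Schannel/OpenSSL can use the key.
        using var withKey = issued.CopyWithPrivateKey(key);
        return new X509Certificate2(withKey.Export(X509ContentType.Pfx));
    }
}

class Program
{
    static void Main(string[] args)
    {
        using var ca = DevPki.CreateCa("My Dev CA");
        using var serverCert = DevPki.IssueServerCert(ca, "myserver.corp.example");

        // Windows HttpListener flow: import myServer.pfx into LocalMachine\My
        // and bind it with "netsh http add sslcert" as in the question;
        // myCa.crt goes into Trusted Root Certification Authorities.
        File.WriteAllBytes("myCa.crt", ca.Export(X509ContentType.Cert));
        File.WriteAllBytes("myServer.pfx", serverCert.Export(X509ContentType.Pfx, "changeit"));
        Console.WriteLine($"server cert thumbprint for netsh certhash=: {serverCert.Thumbprint}");

        // Cross-platform replacement for the netsh binding: Kestrel is handed
        // the certificate in code, so the same binary runs in a Linux container.
        var builder = WebApplication.CreateBuilder(args);
        builder.WebHost.ConfigureKestrel(kestrel =>
            kestrel.ListenAnyIP(9649, listen => listen.UseHttps(serverCert)));
        var app = builder.Build();
        app.MapGet("/", () => "hello over TLS");
        app.Run();
    }
}
```

Clients must then connect with `https://myserver.corp.example:9649/`, the name in the SAN; connecting with `localhost` or the short machine name reproduces the name mismatch from the question. In production, load the PFX from a secret store or mounted volume instead of generating it at start-up, and keep the CA key off the server.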