The .NET version is 4.6.2 and the version of the VaultSharp package being used is VaultSharp 1.4.0.1.

Code:

// usings the snippet needs (VaultSharp 1.4.0.1 namespaces)
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using VaultSharp;
using VaultSharp.V1.AuthMethods;
using VaultSharp.V1.AuthMethods.Cert;
using VaultSharp.V1.Commons;

class Program
{
    static async Task Main()
    {
        ServicePointManager.Expect100Continue = true;
        // The numeric casts in the original ((SecurityProtocolType)3072, 768 and 192) are the
        // same values as Tls12, Tls11 and Tls, so this line enables SSL 3.0 through TLS 1.2.
        // SSL 3.0 is obsolete; the .NET 4.6 default is already TLS 1.0-1.2 without SSL 3.0,
        // so leaving SecurityProtocol alone and letting the OS negotiate is the safer option.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 |
                                               SecurityProtocolType.Tls12 |
                                               SecurityProtocolType.Tls11 |
                                               SecurityProtocolType.Tls;

        string certificatePath = "cert.pfx";
        string secretServerAddress = "https://vaultHotName:443";
        string vaultRole = "RoleName";          // undeclared in the original snippet
        string secretFullPath = "RandomPath";   // assigned without a declaration in the original
        var certificate = new X509Certificate2(certificatePath, "Password",
            X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);

        HttpClient httpClient = null;
        IVaultClient vaultClient = null;
        bool enableProxy = true;
        if (enableProxy)
        {
            HttpClientHandler handler = new HttpClientHandler
            {
                // WebProxy(string host, int port): the port is an int, not the string "443"
                Proxy = new WebProxy("proxyHostName", 443),
                UseProxy = true,
                // VaultSharp adds the cert-auth certificate only to the HttpClientHandler it
                // creates itself; a caller-supplied HttpClient is used unchanged. Without this
                // line the handshake through the proxy carries no client certificate at all.
                ClientCertificates = { certificate }
            };
            httpClient = new HttpClient(handler);
        }

        IAuthMethodInfo authMethod = new CertAuthMethodInfo(clientCertificate: certificate, roleName: vaultRole);
        var vaultClientSettings = new VaultClientSettings(secretServerAddress, authMethod);
        vaultClient = httpClient == null
            ? new VaultClient(vaultClientSettings)
            : new VaultClient(vaultClientSettings, httpClient);

        // KV v1 read. The cert login happens lazily inside this call, which is why the
        // stack trace shows CertAuthMethodLoginProvider underneath ReadSecretAsync.
        Task<Secret<Dictionary<string, object>>> fetchSecretTask =
            vaultClient.V1.Secrets.KeyValue.V1.ReadSecretAsync(path: secretFullPath);
        Secret<Dictionary<string, object>> secret = await fetchSecretTask;
        Console.WriteLine(string.Join(", ", secret.Data.Keys));
    }
}

Error: System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.

Stack Trace:

-> (Inner Exception #0) System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
   at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Net.Http.HttpClient.<FinishSendAsyncBuffered>d__58.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at VaultSharp.Core.Polymath.<MakeRequestAsync>d__16`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at VaultSharp.Core.Polymath.<MakeVaultApiRequest>d__14`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at VaultSharp.V1.AuthMethods.Cert.CertAuthMethodLoginProvider.<GetVaultTokenAsync>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at VaultSharp.Core.Polymath.<MakeVaultApiRequest>d__14`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at VaultSharp.V1.SecretsEngines.KeyValue.V1.KeyValueSecretsEngineV1Provider.<ReadSecretAsync>d__3`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at VaultSharp.V1.SecretsEngines.KeyValue.V1.KeyValueSecretsEngineV1Provider.<ReadSecretAsync>d__2.MoveNext()<---

Debugging Details

  1. I was trying to hit Vault to read a secret from C# code, but it is showing me this error. I already tried whatever I could find on the internet, but I am still in the same state.

  2. As a result, it should be reading the secret successfully.

  3. This code is working fine locally, but on QA/Prod it is not.

  4. This code works successfully via a curl command. With the C# code, I am seeing the error.

hacksdump
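Added diagnostic, not part of the original question or of VaultSharp: a console program that opens the same TLS connection the failing HttpClient would open, optionally through the proxy with a plaintext HTTP CONNECT, presents the same client certificate, and prints the negotiated protocol, whether a client certificate was actually sent, and the server chain status as seen from the QA/Prod machine. It uses SslStream, which on .NET Framework sits on the same Schannel stack as HttpWebRequest, so a handshake that fails here fails with an AuthenticationException whose inner Win32 message is more specific than "Could not create SSL/TLS secure channel". The host names, proxy port, PFX path and password are copied from the question and are placeholders.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class TlsProbe
{
    // Placeholder values taken from the question; replace with the real ones.
    const string VaultHost = "vaultHotName";
    const int VaultPort = 443;
    const string ProxyHost = "proxyHostName";
    const int ProxyPort = 443;
    const string PfxPath = "cert.pfx";
    const string PfxPassword = "Password";

    static void Main(string[] args)
    {
        bool viaProxy = args.Length > 0 && args[0] == "--proxy";

        var clientCert = new X509Certificate2(PfxPath, PfxPassword,
            X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
        // If the private key is missing (PFX exported without it, or the service account on
        // QA/Prod cannot open the key container) Schannel silently sends no client certificate.
        Console.WriteLine($"Client cert: {clientCert.Subject}, has private key: {clientCert.HasPrivateKey}");

        using (var tcp = new TcpClient())
        {
            Stream transport;
            if (viaProxy)
            {
                tcp.Connect(ProxyHost, ProxyPort);
                transport = tcp.GetStream();
                HttpConnect(transport, VaultHost, VaultPort);
            }
            else
            {
                tcp.Connect(VaultHost, VaultPort);
                transport = tcp.GetStream();
            }

            using (var ssl = new SslStream(transport, false, ValidateServer))
            {
                try
                {
                    // TLS 1.2 only: both sides are reported to allow it, so any failure here is
                    // about certificates or the proxy, not protocol selection.
                    ssl.AuthenticateAsClient(VaultHost, new X509CertificateCollection { clientCert },
                        SslProtocols.Tls12, checkCertificateRevocation: false);
                    Console.WriteLine($"Handshake OK: {ssl.SslProtocol} {ssl.CipherAlgorithm}/{ssl.CipherStrength} {ssl.KeyExchangeAlgorithm}");
                    Console.WriteLine("Client cert sent: " + (ssl.LocalCertificate != null
                        ? ssl.LocalCertificate.Subject
                        : "(none: server did not request one or the certificate was not usable)"));
                    Console.WriteLine($"Server cert: {ssl.RemoteCertificate?.Subject}");
                }
                catch (AuthenticationException ex)
                {
                    Console.WriteLine("Handshake failed: " + ex.Message);
                    if (ex.InnerException != null)
                        Console.WriteLine("  inner: " + ex.InnerException.Message);
                }
            }
        }
    }

    // Logs the chain status instead of hiding it, but still only accepts a valid chain, so the
    // probe reports trust problems on this machine rather than papering over them.
    static bool ValidateServer(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine($"Server cert policy errors: {errors}");
        if (chain != null)
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine($"  chain status: {s.Status} - {s.StatusInformation.Trim()}");
        return errors == SslPolicyErrors.None;
    }

    // Minimal plaintext HTTP CONNECT, which is the only proxy mode HttpWebRequest on .NET
    // Framework supports. If the proxy expects TLS on its own port, the reply will not be an
    // HTTP status line and the tunnel step, not the Vault handshake, is what is failing.
    static void HttpConnect(Stream s, string host, int port)
    {
        byte[] req = Encoding.ASCII.GetBytes($"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n");
        s.Write(req, 0, req.Length);
        var sb = new StringBuilder();
        int b;
        while ((b = s.ReadByte()) != -1)
        {
            sb.Append((char)b);
            if (sb.Length >= 4 && sb.ToString(sb.Length - 4, 4) == "\r\n\r\n") break;
        }
        string status = sb.ToString().Split('\r')[0];
        Console.WriteLine("Proxy: " + status);
        if (!status.Contains(" 200 ")) throw new IOException("Proxy refused CONNECT: " + status);
    }
}
```

Run it once directly and once with `--proxy` on the QA/Prod box under the same account the application uses. The probe bypasses ServicePointManager entirely, so if it succeeds with TLS 1.2 while the HttpClient path fails, the difference lies in the handler configuration (proxy, client certificate attached or not) rather than in the OS Schannel settings; if it fails, the Win32 error in the inner exception names the actual cause.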
  • On your QA/Prod, make sure the SSL certificate is installed and working correctly for your application. – Rahul Sharma Jul 09 '23 at 10:30
  • What version of Windows is the server running? Do not mess around with `ServicePointManager`, instead rely on the operating system to sort out encryption. – Charlieface Jul 09 '23 at 12:11
  • @Charlieface the server is internally managed and I do not have any access to it; I can share what version of Windows the client is running if that helps? Also, this code is working via curl command. With C# code, I am seeing the error. – hacksdump Jul 10 '23 at 20:51
  • @RahulSharma Can you share more details around checking if the SSL certificate is installed correctly? Also, I have to check this on the client end, right? – hacksdump Jul 10 '23 at 20:53
  • The client and the server will negotiate the encryption protocols and ciphers and what not automatically, I don't think you should interfere with it. This is clearly an SSL/TLS error, you should try getting a list of the protocols and ciphers supported by the server you're trying to connect to. One thing bugging me is that SSL3, TLS1.2 & TLS 1.1 have all been deprecated. – Bernardo Marques Jul 26 '23 at 10:16
  • I checked both server and client allows TLS 1.2. – hacksdump Jul 27 '23 at 22:37

0 Answers