From macOS everything is fine, but in Docker an exception is thrown:

Unhandled exception occurred
    System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
    ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
    ---> Interop+OpenSsl+SslException: Using SSL certificate failed with OpenSSL error - ca md too weak.
      at Interop.OpenSsl.UpdateClientCertificate(SafeSslHandle ssl, SslAuthenticationOptions sslAuthenticationOptions)
      at System.Net.Security.SslStreamPal.HandshakeInternal(SafeDeleteSslContext& context, ReadOnlySpan`1 inputBuffer, Int32& consumed, SslAuthenticationOptions sslAuthenticationOptions)

I loaded the certificate from hex:

using System.Net.Http;
using System.Security.Cryptography.X509Certificates;

// cert: the X509Certificate2 loaded from the hex-encoded bytes described above
var handler = new HttpClientHandler
{
    // Accepts every server certificate, whatever chain or name errors are reported
    ServerCertificateCustomValidationCallback = (message, serverCert, chain, errors) =>
    {
        return true;
    },
    ClientCertificateOptions = ClientCertificateOption.Manual,
    ClientCertificates = { cert },
    CheckCertificateRevocationList = false
};

FROM mcr.microsoft.com/dotnet/aspnet:9.0 AS base
USER $APP_UID
WORKDIR /app

FROM mcr.microsoft.com/dotnet/sdk:9.0 AS build
ARG BUILD_CONFIGURATION=Debug
WORKDIR /src
COPY . .
RUN dotnet restore "src/MyProject.Proxy/MyProject.Proxy.csproj"
WORKDIR "/src/src/MyProject.Proxy"
RUN dotnet build "./MyProject.Proxy.csproj" -c $BUILD_CONFIGURATION -o /app/build

FROM build AS publish
ARG BUILD_CONFIGURATION=Debug
RUN dotnet publish "./MyProject.Proxy.csproj" -c $BUILD_CONFIGURATION -o /app/publish /p:UseAppHost=false

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .

# Rewrites the system OpenSSL config in place: TLS 1.0 allowed, security level 0
# (no minimum on key sizes or signature digests), legacy renegotiation enabled,
# CA file and verify mode commented out. Of the three Options values only
# UnsafeLegacyRenegotiation is one listed in SSL_CONF_cmd(3).
USER root
RUN sed -i \
    -e "s|^MinProtocol = .*|MinProtocol = TLSv1.0|g" \
    -e "s|^CipherString = .*|CipherString = DEFAULT@SECLEVEL=0\nOptions = UnsafeLegacyRenegotiation,UnsafelyIgnoreCertCN,UnsafelyIgnoreHostVerification|g" \
    -e "s|^VerifyCAFile =|#VerifyCAFile =|g" \
    -e "s|^VerifyMode =|#VerifyMode =|g" \
    /etc/ssl/openssl.cnf

# dummy.crt is an empty file, so this step adds nothing to the trust store.
RUN mkdir -p /usr/local/share/ca-certificates && \
    touch /usr/local/share/ca-certificates/dummy.crt && \
    update-ca-certificates

# USESOCKETSHTTPHANDLER selected the old libcurl handler before .NET 5 and has no
# effect on .NET 9; the next three are not switches the .NET runtime documents
# (assumed to be no-ops).
ENV DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0
ENV DOTNET_SYSTEM_NET_HTTP_SOCKETSHTTPHANDLER_INSECURE=true
ENV DOTNET_NET_HTTP_SSL_CLIENT_CERT_MODE=Ignore
ENV DOTNET_NET_HTTP_SSL_SERVER_CERT_MODE=Ignore
# OPENSSL_CONF=/dev/null makes OpenSSL skip /etc/ssl/openssl.cnf entirely, so the
# sed edits above are never read and the compiled-in defaults apply.
ENV OPENSSL_CONF=/dev/null
# Empty trust store: every server chain fails validation, masked only by the
# "return true" callback in the handler above.
ENV SSL_CERT_FILE=/dev/null
ENV SSL_CERT_DIR=/dev/null

ENV DOTNET_SYSTEM_NET_HTTP_SOCKETSHTTPHANDLER_HTTP2SUPPORT=false
ENV DOTNET_SYSTEM_NET_HTTP_SOCKETSHTTPHANDLER_HTTP3SUPPORT=false

ENTRYPOINT ["dotnet", "MyProject.Proxy.dll"]

I'm containerizing a .NET 9.0 proxy application that needs to completely ignore SSL certificate validation errors when making HTTPS requests. Despite extensive configuration changes in both OpenSSL and .NET environment variables, the application still fails with certificate validation errors.

P.S. I was actually able to solve it by adding this code:

using System;
using System.Security.Cryptography;

// Registers the CSP wrapper types under the RSA/DSA algorithm names in CryptoConfig on Linux
if (OperatingSystem.IsLinux())
{
    CryptoConfig.AddAlgorithm(typeof(RSACryptoServiceProvider), "System.Security.Cryptography.RSA");
    CryptoConfig.AddAlgorithm(typeof(DSACryptoServiceProvider), "System.Security.Cryptography.DSA");
}

I don't think it's a duplicate, because the solution depends on the platform.

  • Why are you disabling security? Just about everyone moved to TLS 1.2 around 2016. TLS 1.0 and weaker algorithms were either disabled or removed entirely from OSs and libraries. "needs to completely ignore SSL certificate": that's almost never the case. If you want to use self-signed certificates, you can add them to the list of trusted certificates. If you disable validation, you might as well remove HTTPS completely. It's not used to encrypt connections, it's used to ensure there's nobody between client and server that pretends to be the server using its own certificate. Commented Aug 7 at 13:39
  • In any case, if you google the error you'll find this 6-year-old question, "How to fix SSL issue SSL_CTX_use_certificate : ca md too weak". The answers say what I wrote. MD5 was disabled, period. The answers also say "Don't do this if you don't understand the consequences." before showing how to 1) regenerate the weak certificates or 2) if, and only if, you really know what you're doing, reduce OpenSSL's security level. Which you shouldn't do. Commented Aug 7 at 13:43
  • You need to use either TLS 1.2 or TLS 1.3. You are specifying TLSv1.0, which is no longer considered secure. The industry decided in 2014 to obsolete TLS 1.0 and gave itself 5 years to implement the change. In June 2019 Microsoft pushed a security update that disabled TLS 1.0 on Windows servers. Commented Aug 7 at 16:49
  • Sorry, but I need to connect to government websites, and they give me a certificate. They won't give me a new one or switch to a new encryption version, so I can't re-generate the certificate. Commented Aug 7 at 17:46
  • The real answer to the last comment is ... you can probably guess what it is. You should probably post a question to ru.stackoverflow.com because your question is very, VERY country-specific. Commented Aug 8 at 17:03
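The handler in the question and the comments above pull in opposite directions: the handler returns true for every server certificate, while the comments say to trust the specific certificates you were handed instead. The following is an added example, not code from the question, the comments or the project. It keeps the client certificate the site issued but validates the server against the site operator's own CA and refuses anything below TLS 1.2. It assumes two placeholder files, client.p12 (the issued client certificate and key) and gov-ca.pem (the CA that signs the server certificate), and a CLIENT_CERT_PASSWORD environment variable; none of those names come from the page.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example, not code from the question. File names and the password
// variable are placeholders; they are not mentioned anywhere on the page.
public static class ScopedTrustHandler
{
    // Accept the server only if its chain builds to one of the operator's
    // roots and the host name matches. Everything else stays rejected, which
    // is exactly what "return true" in the question threw away.
    public static bool ValidateServer(
        X509Certificate2? serverCert,
        X509Chain? chain,
        SslPolicyErrors errors,
        X509Certificate2Collection trustedRoots)
    {
        if (serverCert is null || chain is null)
            return false;
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            return false;

        // Rebuild the chain with the operator's CA as the only trust anchor,
        // so an empty or missing system store in the container does not matter.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Clear();
        chain.ChainPolicy.CustomTrustStore.AddRange(trustedRoots);
        // Assumption: the operator publishes no CRL/OCSP, so skip revocation
        // explicitly rather than letting the check fail.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        return chain.Build(serverCert);
    }

    public static HttpClientHandler Create(
        X509Certificate2 clientCert, X509Certificate2Collection trustedRoots)
    {
        var handler = new HttpClientHandler
        {
            ClientCertificateOptions = ClientCertificateOption.Manual,
            // Do not go below TLS 1.2: the weak digest on the client cert is an
            // OpenSSL security-level matter, not a protocol-version one.
            SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,
        };
        handler.ClientCertificates.Add(clientCert);
        handler.ServerCertificateCustomValidationCallback =
            (_, cert, chain, errors) => ValidateServer(cert, chain, errors, trustedRoots);
        return handler;
    }

    // Confirm the cause of "ca md too weak" before touching any config: the
    // signature algorithm on the client certificate is what OpenSSL objects to.
    public static string DescribeSignature(X509Certificate2 cert) =>
        $"{cert.Subject} is signed with {cert.SignatureAlgorithm.FriendlyName} by {cert.Issuer}";

    public static async Task<string> GetAsync(Uri uri)
    {
        string? password = Environment.GetEnvironmentVariable("CLIENT_CERT_PASSWORD");
        using X509Certificate2 clientCert =
            X509CertificateLoader.LoadPkcs12FromFile("client.p12", password);
        var roots = new X509Certificate2Collection();
        roots.ImportFromPemFile("gov-ca.pem");

        Console.Error.WriteLine(DescribeSignature(clientCert));

        using var client = new HttpClient(Create(clientCert, roots));
        return await client.GetStringAsync(uri);
    }
}
```

The weak digest on the client certificate is a separate problem that no .NET setting reaches: OpenSSL rejects the certificate in SSL_CTX_use_certificate, before the handshake starts, which is why the trace above ends in UpdateClientCertificate. The narrow fix on the container side is to replace OPENSSL_CONF=/dev/null (which discards the edited /etc/ssl/openssl.cnf) with a small config file that sets CipherString = DEFAULT:@SECLEVEL=0 under [system_default_sect] together with MinProtocol = TLSv1.2, and to leave SSL_CERT_FILE and SSL_CERT_DIR alone. Security level 0 also admits short keys and other weak signatures, so confine that config to the one image that needs it.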
