HttpListener on Linux returns disposed client certificate #33288

Closed
martin-frydl opened this issue Mar 6, 2020 · 4 comments
@martin-frydl

When I create an HttpListener for SSL on Linux and send a client certificate to it, HttpListenerRequest.GetClientCertificate() returns a disposed object, so invoking any of the methods throws an exception:

```
System.Security.Cryptography.CryptographicException: m_safeCertContext is an invalid handle.
   at System.Security.Cryptography.X509Certificates.X509Certificate.ThrowIfInvalid()
   at System.Security.Cryptography.X509Certificates.X509Certificate.get_Subject()
```

The reason is that the validation callback passed to SslStream (RemoteCertificateValidationCallback) receives a certificate that is disposed by the caller (SecureChannel.VerifyRemoteCertificate()) just after validation (it adds it to a chain which is disposed after validation). Unfortunately, the implementation of the callback in the HttpConnection constructor saves the received certificate to a field to be later presented as the result of GetClientCertificate().

Currently I see no other way to get a working certificate than to use reflection to dig into the internal objects to get the underlying SslStream, which has the correct certificate in its RemoteCertificate property.
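
Added example (not part of the original issue and not the project's own code): the certificate lifetime problem described above, reproduced without a network connection. `SimulateCaller` is a hypothetical stand-in for a caller that disposes the certificate right after validation, and the self-signed certificate is constructed for the demo; the callback keeps both the caller-owned reference and an independent copy made with the `X509Certificate2(X509Certificate)` constructor.

```csharp
#nullable enable
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertificateLifetimeDemo
{
    static X509Certificate? retainedReference; // pattern from the issue: keep the caller's object
    static X509Certificate2? retainedCopy;     // independent copy owned by the callback's side

    // Same signature as RemoteCertificateValidationCallback.
    static bool OnValidate(object sender, X509Certificate? cert, X509Chain? chain, SslPolicyErrors errors)
    {
        if (cert is null) return false;
        retainedReference = cert;                  // still owned (and later disposed) by the caller
        retainedCopy = new X509Certificate2(cert); // copy stays valid after the caller's Dispose()
        return errors == SslPolicyErrors.None;
    }

    // Hypothetical stand-in for the caller: builds a constructed self-signed certificate,
    // invokes the callback, then disposes the certificate when the using scope ends.
    static void SimulateCaller(RemoteCertificateValidationCallback callback)
    {
        using RSA key = RSA.Create(2048);
        var request = new CertificateRequest("CN=constructed-client", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
        callback(new object(), cert, null, SslPolicyErrors.None);
    }

    static void Main()
    {
        SimulateCaller(OnValidate);

        // The retained reference now points at a disposed certificate.
        try { Console.WriteLine("reference: " + retainedReference!.Subject); }
        catch (CryptographicException e) { Console.WriteLine("reference failed: " + e.Message); }

        // The copy was duplicated while the original was still alive, so it is usable.
        Console.WriteLine("copy: " + retainedCopy!.Subject);
        retainedCopy.Dispose(); // whoever keeps the copy is responsible for disposing it
    }
}
```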

@Dotnet-GitSync-Bot Dotnet-GitSync-Bot added area-System.Security untriaged New issue has not been triaged by the area owner labels Mar 6, 2020

davidsh commented Mar 6, 2020

With .NET Core, HttpListener on Linux does NOT support TLS/SSL. This is a known feature limitation.

We recommend using the ASP.NET Core server 'Kestrel'.

@davidsh davidsh added area-System.Net and removed untriaged New issue has not been triaged by the area owner area-System.Security labels Mar 6, 2020
@davidsh davidsh added this to the 5.0 milestone Mar 6, 2020

davidsh commented Mar 6, 2020

Duplicate of #19752

@davidsh davidsh marked this as a duplicate of #19752 Mar 6, 2020
@davidsh davidsh closed this as completed Mar 6, 2020
@martin-frydl

First, we have a WHOLE application built on HttpListener. Second, we made the mistake of porting from .NET Framework to .NET Core instead of rewriting everything in Java (we should not have used .NET in the first place, though). Third, I was unable to find ANY documentation on how to use Kestrel other than ASP.NET pages - zillions of tutorials for the same. I want a servlet API with full access to certificates, requests, responses... Just like the old HttpListener. And last, it IS usable for SSL right now, just via reflection.


davidsh commented Mar 6, 2020

Kestrel documentation is here: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel?view=aspnetcore-3.1

If you have additional questions on Kestrel, you can open an issue at dotnet/aspnetcore repo.

@Tratcher @anurse

@ghost ghost locked as resolved and limited conversation to collaborators Dec 10, 2020