runtime: SocketsHttpHandler does not take into account new certificate authorities

From @busesorin94 on October 2, 2018 11:17

This issue only happens on .NET Core 2.1.X, when using DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=1. Steps to reproduce:

  1. Have a running application which calls a service using HTTPS for which the certificate authority is not trusted on the machine
  2. Install the new authority on the machine and run update-ca-certificates
  3. Call the service from the running .NET application

Expected behavior: The application should take into account the newly installed certificate authority, without restarting the application

Actual behavior: An exception is thrown: System.Net.Http.HttpRequestException: The SSL connection could not be established

Workaround:

  1. You can restart the application after you run the update-ca-certificates command
  2. Add the environment variable DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0

Copied from original issue: aspnet/KestrelHttpServer#2972

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 17 (14 by maintainers)

Most upvoted comments

As long as that check was rate limited to once per minute or hour.

How about option 5: If the CA check fails, check if the files have been updated, and if so, re-read and re-check. This would only impact perf in failure cases.
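The rate-limited re-check on failure that these comments discuss can also be expressed at application level as a certificate validation callback. The following is an added example, not code from the .NET runtime or from anyone in the thread. The class name, the bundle path passed in (for instance `/etc/ssl/certs/ca-certificates.crt` on Debian/Ubuntu) and the interval are assumptions, and it needs .NET 5 or later for `CustomTrustStore` and `ImportFromPemFile`.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (hypothetical class); assign Validate to ServerCertificateCustomValidationCallback.
public sealed class ReloadingCaValidator
{
    private readonly string _bundlePath;        // assumption: PEM bundle rewritten by update-ca-certificates
    private readonly TimeSpan _minInterval;     // rate limit between checks of the bundle file
    private readonly object _gate = new object();
    private X509Certificate2Collection _roots;  // stays null until the bundle changes after startup
    private DateTime _seenWriteUtc, _lastCheckUtc = DateTime.MinValue;

    // The last-write time recorded here is the startup snapshot later failures are compared against.
    public ReloadingCaValidator(string bundlePath, TimeSpan minInterval) =>
        (_bundlePath, _minInterval, _seenWriteUtc) = (bundlePath, minInterval, File.GetLastWriteTimeUtc(bundlePath));

    public bool Validate(HttpRequestMessage req, X509Certificate2 cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;   // success path: no extra work
        // Name mismatch or missing certificate: a refreshed CA list cannot help.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || cert == null || chain == null) return false;
        X509Certificate2Collection roots;
        lock (_gate)
        {
            DateTime now = DateTime.UtcNow;
            if (now - _lastCheckUtc >= _minInterval)       // look at the file at most once per interval
            {
                _lastCheckUtc = now;
                DateTime written = File.GetLastWriteTimeUtc(_bundlePath);
                if (written != _seenWriteUtc)              // bundle was rewritten: re-read it
                {
                    var fresh = new X509Certificate2Collection();
                    fresh.ImportFromPemFile(_bundlePath);
                    (_roots, _seenWriteUtc) = (fresh, written);
                }
            }
            roots = _roots;
        }
        if (roots == null) return false;   // bundle unchanged since startup: the failure stands
        using var retry = new X509Chain();
        retry.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        retry.ChainPolicy.CustomTrustStore.AddRange(roots);
        retry.ChainPolicy.RevocationMode = chain.ChainPolicy.RevocationMode;    // keep the handler's setting
        retry.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.1"));  // require serverAuth EKU
        foreach (X509ChainElement e in chain.ChainElements) retry.ChainPolicy.ExtraStore.Add(e.Certificate);
        return retry.Build(cert);          // full re-validation against the reloaded roots; no error is ignored
    }
}
```

The retry only runs when chain building was the sole failure, and it trusts nothing beyond what is in the reloaded bundle, so an expired or otherwise invalid chain is still rejected.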