runtime: SSL connection could not be etablished

@RyanFarrah commented on Sat Jun 16 2018

System

OS : Ubuntu 16.04 x86_64 .Net Core : 2.1.3

Problem

I meet an error that says

SSL connection could not be etablished, see inner exception

Details

It occurs several times and in mulitple context in my project.

I follow this tutorial : https://docs.microsoft.com/fr-fr/dotnet/csharp/tutorials/console-webapiclient.

It occurs when i tried to put

   <ItemGroup>
      <PackageReference Include="System.Runtime.Serialization.Json" Version="4.3.0" />
   </ItemGroup>

in my csproj.

When I install certain packages with dotnet CLI.

When I write this code :

        private static async Task ProcessRepositories()
        {
            client.DefaultRequestHeaders.Accept.Clear();
            client.DefaultRequestHeaders.Accept.Add(
                new MediaTypeWithQualityHeaderValue("application/vnd.github.v3+json"));
            client.DefaultRequestHeaders.Add("User-Agent", ".NET Foundation Repository Reporter");

            var stringTask = client.GetStringAsync("https://api.github.com/orgs/dotnet/repos");
        }

No errors. But

        private static async Task ProcessRepositories()
        {
            client.DefaultRequestHeaders.Accept.Clear();
            client.DefaultRequestHeaders.Accept.Add(
                new MediaTypeWithQualityHeaderValue("application/vnd.github.v3+json"));
            client.DefaultRequestHeaders.Add("User-Agent", ".NET Foundation Repository Reporter");

            var stringTask = client.GetStringAsync("https://api.github.com/orgs/dotnet/repos");

            var msg = await stringTask;
            Console.Write(msg);
        }

throws me the error.

Backup solution and related issues

The solution was to downgrade to .Net Core 2.0.0 for me.

I have not tested in different machines but the problem is the same with these issues :

• https://github.com/Tyrrrz/YoutubeExplode/issues?utf8=✓&q=is%3Aissue+is%3Aclosed+ssl
• https://github.com/dotnet/core/issues/1668

---

@leecow commented on Wed Jun 20 2018

cc @muratg

If it’s the same problem, there may be an issue with the SocketsHttpsHandler in that sample. Have a look at the workarounds detailed in https://blogs.msdn.microsoft.com/dotnet/2018/04/11/announcing-net-core-2-1-preview-2/.

---

@leecow commented on Fri Jun 22 2018

@RyanFarrah - let me know if setting the environment variable resolves the error for you.

export DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0

---

@mattnewell commented on Sat Jun 23 2018

@leecow - I’m trying to work up a repro, but I thought I would share that we are also seeing a similar issue in the field that is resolved by setting DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=false.

In our case we’re on Windows 2016, and SDK 2.1.300. Exception snippet:

System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. 
---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. 
---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
   --- End of inner exception stack trace ---
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)

In this case, we’re trying to connect to a host with a very limited set of cipher suites. Maybe a factor? I’ll dig in …

---

@leecow commented on Mon Jun 25 2018

@muratg

---

@muratg commented on Mon Jun 25 2018

@Tratcher @halter73 could you guys take a look?

---

@mattnewell commented on Mon Jun 25 2018

FYI – I did spend a number of hours tying to repro this. I can force the exception 100% of the time, but only in an expected scenario. Consider a host that supports only TLS 1.0. If I set the following registry value, the exception above is thrown. Duh.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000

If I then set DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=false, I get a different inner exception, given the different underlying implementation, but again this is expected.

I’m not sure I’m getting full information from our customer in the field. I know that they are editing these types of registry keys, unfortunately. There may be something here, but I can’t find the smoking gun. Apologies.

---

@halter73 commented on Mon Jun 25 2018

I don’t think I’ve seen this particular issue before. @mattnewell what kind of server are you trying to connect to? Is it running ASP.NET Core 2.1.x?

---

@mattnewell commented on Mon Jun 25 2018

The client is Core 2.1.300. The server is some “random” host on the internet, for all intents. For my particular test I was using NGINX configured to only support TLS 1.0.

---

@Tratcher commented on Mon Jun 25 2018

The No Errors example never awaits stringTask, so it would never observe an error that was thrown asynchronously.

What’s the full exception and stack trace?

If it’s broken by adding a single dependency then it’s likely that your dependency graph is trying to pull in two conflicting versions of something.

---

@mickaelistria commented on Tue Jul 10 2018

I get the same issue with dotnet core 2.1.300, extracted from the zip, on Fedora 28. The issue manifests itself simply with a dotnet restore.

$ dotnet restore
  Restoring packages for /home/mistria/junit-workspace/csprojWithError_org.eclipse.acute.tests.TestLSPIntegration_1531236189153/ConsoleDotNet.csproj...
/home/mistria/apps/dotnet-sdk-2.1.300-linux-x64/sdk/2.1.300/NuGet.targets(114,5): error : Unable to load the service index for source https://api.nuget.org/v3/index.json. [/home/mistria/junit-workspace/csprojWithError_org.eclipse.acute.tests.TestLSPIntegration_1531236189153/ConsoleDotNet.csproj]
/home/mistria/apps/dotnet-sdk-2.1.300-linux-x64/sdk/2.1.300/NuGet.targets(114,5): error :   The SSL connection could not be established, see inner exception. [/home/mistria/junit-workspace/csprojWithError_org.eclipse.acute.tests.TestLSPIntegration_1531236189153/ConsoleDotNet.csproj]
/home/mistria/apps/dotnet-sdk-2.1.300-linux-x64/sdk/2.1.300/NuGet.targets(114,5): error :   error:2006D002:BIO routines:BIO_new_file:system lib [/home/mistria/junit-workspace/csprojWithError_org.eclipse.acute.tests.TestLSPIntegration_1531236189153/ConsoleDotNet.csproj]

If I set DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=false, things work better

$ DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=false dotnet restore
  Restoring packages for /home/mistria/junit-workspace/csprojWithError_org.eclipse.acute.tests.TestLSPIntegration_1531236189153/ConsoleDotNet.csproj...
  Installing Microsoft.NETCore.DotNetAppHost 2.0.0.
  Installing Microsoft.NETCore.DotNetHostResolver 2.0.0.
  Installing NETStandard.Library 2.0.0.
  Installing Microsoft.NETCore.DotNetHostPolicy 2.0.0.
  Installing Microsoft.NETCore.App 2.0.0.
  Generating MSBuild file /home/mistria/junit-workspace/csprojWithError_org.eclipse.acute.tests.TestLSPIntegration_1531236189153/obj/ConsoleDotNet.csproj.nuget.g.props.
  Generating MSBuild file /home/mistria/junit-workspace/csprojWithError_org.eclipse.acute.tests.TestLSPIntegration_1531236189153/obj/ConsoleDotNet.csproj.nuget.g.targets.
  Restore completed in 4.54 sec for /home/mistria/junit-workspace/csprojWithError_org.eclipse.acute.tests.TestLSPIntegration_1531236189153/ConsoleDotNet.csproj.

---

@Eilon commented on Wed Jul 11 2018

@Petermarcu this issue appears to be related to errors in the client, not the server (the server isn’t ASP.NET Core).