runtime: SSL RemoteCertificateNameMismatch on MacOS Catalina
I am using Proxyman to decrypt HTTPS traffic from my self-contained .NET Core 3.0 console app on macOS, like using Fiddler on Windows.
I am getting System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. with inner exception System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure when the proxy is on.
I added a custom ServerCertificateCustomValidationCallback to dump out the SSL error, request URL and the certificate.
sslPolicyErrors: RemoteCertificateNameMismatch
HttpRequestUri: https://pipelines.actions.githubusercontent.com/WoxlUxJHrKEzIp4Nz3YmrmLlZBonrmj9xCJ1lrzcJ9ZsD1Tnw7/_apis/connectionData?connectOptions=1&lastChangeId=-1&lastChangeId64=-1
Certificate:
[Version]
V3
[Subject]
OU=https://proxyman.io, CN=*.actions.githubusercontent.com, O="GitHub, Inc.", L=San Francisco, C=US
Simple Name: *.actions.githubusercontent.com
DNS Name: *.actions.githubusercontent.com
[Issuer]
OU=https://proxyman.io, CN="Proxyman CA (1 Nov 2019, htl-mac.local)", O=Proxyman Ltd, L=Singapore, C=SG
Simple Name: Proxyman CA (1 Nov 2019, htl-mac.local)
DNS Name: Proxyman CA (1 Nov 2019, htl-mac.local)
[Serial Number]
00EE6265BFC8F6A251
[Not Before]
11/1/2019 2:15:21 PM
[Not After]
2/3/2022 1:15:21 PM
[Thumbprint]
D1657538605625A0D41B7195CCF80806682374DA
[Signature Algorithm]
sha256RSA(1.2.840.113549.1.1.11)
[Public Key]
Algorithm: RSA
Length: 2048
Key Blob
Parameters: 0500
[Extensions]
* X509v3 Key Usage(2.5.29.15):
030204F0
* (2.5.29.17):
DNS:*.actions.githubusercontent.com, DNS:actions.githubusercontent.com
The request URL's authority seems to match the cert's CN.
If I export DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0 to force my app to use the old curl HTTP handler, the SSL error goes away.
So I am not sure why I am getting the SSL error when using SocketsHttpHandler.
About this issue
- State: closed
- Created 5 years ago
- Comments: 16 (12 by maintainers)
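A diagnostic callback of the kind described in the issue, as an added example (not the reporter's code; the class name, method name and default URL are assumptions). It logs the policy errors, request URI, certificate and chain status, then returns the platform validator's own verdict, so logging never turns a failed validation into an accepted connection.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class TlsDiagnostics // hypothetical name
{
    // Logs what the platform validator decided, then returns that same verdict.
    static bool LogAndKeepVerdict(HttpRequestMessage request, X509Certificate2 cert,
                                  X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine($"sslPolicyErrors: {errors}");
        Console.WriteLine($"HttpRequestUri: {request.RequestUri}");
        if (cert != null)
        {
            Console.WriteLine("Certificate:");
            Console.WriteLine(cert.ToString(true)); // verbose dump, as in the issue
        }
        if (chain != null)
        {
            // Per-element chain status helps separate trust problems from name problems.
            foreach (X509ChainElement element in chain.ChainElements)
            {
                Console.WriteLine($"chain: {element.Certificate.Subject}");
                foreach (X509ChainStatus status in element.ChainElementStatus)
                    Console.WriteLine($"  {status.Status}: {status.StatusInformation}");
            }
        }
        // Do not return true unconditionally: that would disable validation.
        return errors == SslPolicyErrors.None;
    }

    static async Task Main(string[] args)
    {
        // Placeholder URL (assumption); pass the real endpoint as the first argument.
        string url = args.Length > 0 ? args[0] : "https://example.com/";
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = LogAndKeepVerdict
        };
        using var client = new HttpClient(handler);
        try
        {
            using HttpResponseMessage response = await client.GetAsync(url);
            Console.WriteLine($"status: {(int)response.StatusCode}");
        }
        catch (HttpRequestException ex)
        {
            Console.WriteLine($"request failed: {ex.InnerException?.Message ?? ex.Message}");
        }
    }
}
```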
I can reproduce it on Catalina. I will take a look.
Proxyman fixed their CA cert and server certs when decrypting HTTPS traffic. This issue can be resolved now. Thanks @wfurt