runtime: SslStream throws when using (some?) OpenSSL self-signed certificates

[Edit - amcasey] See revised repro steps.

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

Kestrel reads from a .pfx file which is generated using openssl on Ubuntu 22.10. No problem running the application on Ubuntu with the SAME cert.

Expected Behavior

No response

Steps To Reproduce

No response

Exceptions (if any)

System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> System.ComponentModel.Win32Exception (0x8009030D): The credentials supplied to the package were not recognized
   at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCH_CREDENTIALS* scc)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCH_CREDENTIALS* secureCredential)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchCredentials(SslAuthenticationOptions authOptions)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslAuthenticationOptions sslAuthenticationOptions)
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.AcquireCredentialsHandle(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.AcquireServerCredentials(Byte[]& thumbPrint)
   at System.Net.Security.SslStream.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
   at System.Net.Security.SslStream.NextMessage(ReadOnlySpan`1 incomingBuffer)
   at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
   at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](CancellationToken cancellationToken)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
{"@timestamp":"2023-03-06T17:35:55.5567570+08:00","level":"Debug","messageTemplate":"Failed to authenticate HTTPS connection.","message":"Failed to authenticate HTTPS connection.","exceptions":[{"Depth":0,"ClassName":"System.Security.Authentication.AuthenticationException","Message":"Authentication failed, see inner exception.","Source":"System.Net.Security","StackTraceString":"   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslAuthenticationOptions sslAuthenticationOptions)\r\n   at System.Net.Security.SslStream.AcquireCredentialsHandle(SslAuthenticationOptions sslAuthenticationOptions)\r\n   at System.Net.Security.SslStream.AcquireServerCredentials(Byte[]& thumbPrint)\r\n   at System.Net.Security.SslStream.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)\r\n   at System.Net.Security.SslStream.NextMessage(ReadOnlySpan`1 incomingBuffer)\r\n   at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)\r\n   at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](CancellationToken cancellationToken)\r\n   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)\r\n   at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)","RemoteStackTraceString":null,"RemoteStackIndex":0,"HResult":-2146233087,"HelpURL":null},{"Depth":1,"ClassName":"System.ComponentModel.Win32Exception","Message":"The credentials supplied to the package were not recognized","Source":"System.Net.Security","StackTraceString":"   at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCH_CREDENTIALS* scc)\r\n   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCH_CREDENTIALS* secureCredential)\r\n   at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchCredentials(SslAuthenticationOptions authOptions)\r\n   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslAuthenticationOptions sslAuthenticationOptions)","RemoteStackTraceString":null,"RemoteStackIndex":0,"HResult":-2147467259,"HelpURL":null}],"fields":{"EventId":{"Id":1,"Name":"AuthenticationFailed"},"SourceContext":"Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware","ConnectionId":"0HMOU4OJN0ES5"}}

.NET Version

7.0.201

Anything else?

No response

About this issue

  • State: closed
  • Created a year ago
  • Comments: 33 (22 by maintainers)

Most upvoted comments

Only 5 and 6 are used.

1. openssl genrsa -aes256 -passout pass:<password> -out server.key 4096
2. openssl rsa -in server.key -out server.key.insecure -passin pass:<password>
3. mv server.key server.key.secure
4. mv server.key.insecure server.key
5. openssl req -new -newkey rsa:4096 -x509 -nodes -days 365 -keyout server.key -out server.crt -subj "/C=SG/ST=Singapore/L=Singapore/O=My Company Pte. Ltd./OU=My Organization/CN=localhost/emailAddress=<email>" -passin pass:<password>
6. openssl pkcs12 -export -out /tmp/localhost.pfx -inkey server.key -in server.crt -certfile server.crt -passout pass:<password>
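An added diagnostic for a PFX built like the pkcs12 command in the comment above; it is not code from this issue, from Kestrel or from OpenSSL. It prints the key-bag, cert-bag and MAC algorithms that `openssl pkcs12 -info` reports and re-exports the same key and cert with SHA1/3DES bags and a SHA1 MAC. The stack trace shows the failing side is Schannel (SSPI, SCH_CREDENTIALS); that the OpenSSL 3 defaults (PBES2, AES-256-CBC, HMAC-SHA256) are what Schannel rejects here is an assumption the page does not confirm, and the password and certificate are constructed samples.

```shell
#!/bin/sh
# Added diagnostic, not code from the issue, Kestrel or OpenSSL.
# Assumption (not confirmed on this page): older Windows Schannel cannot
# parse the PBES2/AES-256-CBC/HMAC-SHA256 bags that OpenSSL 3
# "pkcs12 -export" writes by default, and Kestrel then fails with
# "credentials ... not recognized". Checking the bag algorithms comes first.
set -eu

PASS='changeit'   # constructed sample password

# One-line summary of the key bag, cert bag and MAC algorithms in a PFX.
pfx_algorithms() {
    openssl pkcs12 -in "$1" -info -noout -passin "pass:$PASS" 2>&1 \
        | grep -E 'Shrouded Keybag|Encrypted data|^MAC' | tr '\n' ';'
}

# Throwaway self-signed key and cert (constructed sample, 1-day validity).
make_selfsigned() {
    openssl req -new -newkey rsa:2048 -x509 -nodes -days 1 \
        -keyout "$1/server.key" -out "$1/server.crt" \
        -subj '/CN=localhost' 2>/dev/null
}

# Export with this openssl build's defaults (AES-256/PBKDF2 on OpenSSL 3).
export_default() {
    openssl pkcs12 -export -out "$2" -inkey "$1/server.key" \
        -in "$1/server.crt" -passout "pass:$PASS"
}

# Export with SHA1/3DES bags and a SHA1 MAC, the classic PFX encoding that
# every Schannel version reads; 3DES needs no OpenSSL legacy provider.
export_compat() {
    openssl pkcs12 -export -out "$2" -inkey "$1/server.key" \
        -in "$1/server.crt" -passout "pass:$PASS" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
}

demo() {
    d=$(mktemp -d)
    make_selfsigned "$d"
    export_default "$d" "$d/default.pfx"
    export_compat  "$d" "$d/compat.pfx"
    echo "default export: $(pfx_algorithms "$d/default.pfx")"
    echo "compat export:  $(pfx_algorithms "$d/compat.pfx")"
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

Run `pfx_algorithms` against the real /tmp/localhost.pfx to see which encoding it carries; if the compat export is accepted where the default one is not, the bag algorithms are the difference to report.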