Kestrel not returning full certificate chain .NET 6
Hi all ๐
TL;DR
It looks Kestrel doesn't return the full certificate chain in .NET 6
I have a bit of a strange problem, maybe someone has run into this before ๐
Part 1/2:
Background
I am working on some client libraries that integrate into an asp.net core application and am seeing some strange behaviour around mTLS.
The service is a relatively simple RESTful API for which I use mTLS to authenticate client/server when clients interact with it.
Until recently, I have only had a cli tool able to interact with the service, which itself is written using the same .NET SDK and is shipped with the service - the .NET cli tool has been using mTLS to authenticate with the service absolutely fine for a while (I have several test suites around this).
Problem
I am now developing a typescript client, which runs inside a vscode via an extension I am working on, but the TS client is having issues talking to the server as the server does not seem to be returning the full certificate chain, causing the TS client to throw an error.
The error the TS client throws is the following:
unable to verify the first certificate1 Reply
Part 2/2
Some details about the environment:
Service
1. Server certificate type: PKCS12, provided to Kestrel
2. Runs in a container
2. Openssl version:
OpenSSL 1.1.1k FIPS 25 Mar 2021
3. .NET version: 6.0.417
.NET CLI
1. Native executable
2. Client certificate in PKCS12 format
3. Openssl version: OpenSSL 3.1.1 30 May 2023 (Library: OpenSSL 3.1.1 30 May 2023)
4. .NET version: 6.0.417
Typescript Client
1. Runs in vscode (as an extension) - fails on Windows and Linux
2. Node version: v18.16.0
3. Openssl version: OpenSSL 3.1.1 30 May 2023 (Library: OpenSSL 3.1.1 30 May 2023) (note that it runs on the same machine as the .NET cli)
I have found several issues online about this, notably:
- https://github.com/dotnet/aspnetcore/issues/10971
- https://github.com/dotnet/aspnetcore/issues/36202
- https://github.com/dotnet/aspnetcore/issues/43193
From what I understand this is known defect at this point, at least in .NET 6, but it's quite unclear to me whether it is address in either .NET 7 or .NET 8. Does anyone have any knowledge in this area, or have any idea where I might find some notes on this being addressed?
Thanks in advance ๐GitHub
SSL Certificate chain not sent when signed by one or more Intermedi...
I am setting up SSL on my Kestrel Linux server using .NET Core 2.1.1. The SSL certificate is signed by an intermediate CA. The SSL certificate contains intermediate and root CA. I load the pfx file...
GitHub
Kestrel on Debian/Ubuntu not sending private intermediate cert ยท Is...
Is your feature request related to a problem? Please describe. I'm having a TLS keypair (site.key, site.crt) issued by an internal intermediate CA which in turn is issued by an internal root CA...
GitHub
Full chain support followup ยท Issue #43193 ยท dotnet/aspnetcore
See #41944 (comment) Some followup questions/work: from @bartonjs In this if block, you could just make certificate be fullChain[0] (assuming it's non-empty), and then you could remove certific...