I have a simple challenge as I'm working on a multi-platform project where I have a server with TLS 1.2 and a client certificate that is required to authenticate any REST API calls. This works fine on Linux, in WSL and in Docker/Linux. But not on Windows!
On Linux systems, .NET Core will use OpenSSL for the security stuff. On Windows, SChannel is used instead. And SChannel has some issues with my certificate and this specific server. Which is annoying as I have no control over the certificate, nor the server. And whomever built the server apparently never tested things properly with Windows and SChannel. (But we have requested that they fix it!) So I'm looking for an alternative...
The alternative is to just use OpenSSL instead of SChannel in Windows. So I went digging into the HttpClient code and all it's complexities with abstract classes, tasks, asynchronous code and many, many delegates and lambda function. And although I'm an expert with C# as I basically used it since 2004 or so, I still can't find a solution to tell HttpClient to explicitly use OpenSSL instead of SChannel.
Something with Ciphersuites that seem to be unused in Windows, bla, bla. It's complex and there definitely seems no simple answer for what I'm looking for. It's even more annoying to search on the Internet for solutions as many results are for .NET 4.8 or older versions, not .NET Core 6. Some 4.7 documentation does mention that the ServicePointManager will use the protocols provided by the host operating system, thus I'll end up with SChannel on Windows. Apparently, that's still true for the latest .NET versions...
[edit]
Internet Explorer might be obsolete, but it shows the problem with SChannel as Chrome, Edge and other browsers use different libraries, not SChannel. And yes, TLS1.2 is used here, and all ciphersuites have been activated on my Windows system, yet it still won't accept it. Tried a lot to get IE to accept the site and none worked. So I want to work around SChannel or else I have to scrap using .NET as development environment for this project.
How to use OpenSSL with TLS in .NET Core on Windows?
2.3k views Asked by Wim ten Brink At
1
Not saying it's impossible, but windows SSL functionalities are built entirely around SChannel thus the nightmare you are running into trying to replace it. You may want to look at a different route which is a hack and something that goes against best practices in HTTPS/SSL code....
Being your cert is more or less FUBAR and you don't have control of it. Best practices go out the window...
You could use the certificate validation callback, if your certificate matches the attributes you are interested in, accept it and return true. Just don't auto accept anything as shown in most examples as that's a huge security hole. This should get around whatever SChannel is complaining about and allow you to accept the cert until they fix it.
Just out of curiosity what error is it throwing?