I have a Blazor WASM Application that shall be hosted inside the Backend that is implemented using gRPC on ASP.NET with .NET 5.0. When I try to debug the WASM application and as soon as the debugging Browser starts I get this error:
fail: Microsoft.AspNetCore.Server.Kestrel[0]
HTTP/2 over TLS was not negotiated on an HTTP/2-only endpoint.
All development certificates are installed and trusted and the websocket connection is established using wss:// scheme. So from my point of view the TLS negotiation should succeed.
I already found out that I can workaround that to a certain point by changing the Kestrel endpoint settings to use Http1AndHttp2 the problem then becomes that the gRPC connection from the frontend to the backend fails because of the downgrade to Http/1.
So my question is: Is there any option to debug Blazot WASM when using an Http/2 server on the hosting site?
If this is not possible: Can I determine somehow that the gRPC endpoints get delivered using HTTP/2 and the debugging endpoints via HTTP/1.1?
Here are some tips for checking TLS negotiation limitation on Http/2:
TLS version 1.2 or later
Renegotiation disabled
Compression disabled
Minimum ephemeral key exchange sizes:
Elliptic curve Diffie-Hellman (ECDHE) [RFC4492]: 224 bits minimum
Finite field Diffie-Hellman (DHE) [TLS12]: 2048 bits minimum
Cipher suite not prohibited.
So the solution is quitq simple: I used the wrong package. When using Blazor with gRPC the Grpc.Client.Net.Web package must be used (as stated in this article: https://learn.microsoft.com/en-us/aspnet/core/grpc/browser?view=aspnetcore-6.0#configure-grpc-web-with-the-net-grpc-client).
Then you do not have to use HTTP/2 and everything works like a charm.
Related
I have a Blazor Server Application that is invoking a 3rd party API using IHttpClientFactory. When I execute the calling code on my local Windows 11 machine I receive the exception below. However, If I run the same code from an Azure Web App, the API is called successfully.
Error: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
System.Security.Authentication.AuthenticationException: Authentication failed because the remote party sent a TLS alert: '112'.
I have attempted setting the Security protocol to TLS1.2 using the ServicePointManager, however, this does not make a difference. I have run Wireshark to glean some additional information, but all I can see is that my machine is initiating the call with TLS 1.2.
Does anyone have an idea as to why my code works in Azure, but not in my local development environment?
According to the behavior in azure web app, I think the issue should related to environment.
And if you have another os version pc, you can test it, and it should be work normally.
And I found the workaround in win11. You can add the registry key and removed the code to set the protocol to TLS1.2, and the TLS handshake worked from your Windows 11 system.
Trying to use ruby GRPC client to connect to a go GRPC server. The server uses TLS credentials with self signed certificates. I have trusted the certificate on my system (ubuntu 20.04) but still getting Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
Only way this is working is by manually setting GRPC::Core::ChannelCredentials.new(File.read(cert_path)) when initializing the client. Another workaround is setting :this_channel_is_insecure, but this only works if I remove TLS credentials in the server altogether (which I do not want).
Is there any way to get the GRPC client to work with the system certs?
I assume the gem is using roots.pem and trying to override that using GRPC::Core::ChannelCredentials.set_default_roots_pem results in Could not load any root certificate.
Also, I have not found any parameter that would let me skip certificate verification.
The default root location can be overridden using the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable pointing to a file on the file system containing the roots. Setting GRPC::Core::ChannelCredentials.new(File.read(cert_path)) also seems fine to me.
In Ruby, most likely the feature to skip cert verification in TLS is not supported. We have the corresponding feature supported in underlying core, but it might not be plumbed to Ruby yet(at least not that I am aware of). If you need that, feel free to open a feature request to in gRPC Github page.
Thank you!
we are running a Dotnet Core 3.0 application that provides a web api via Kestrel. By default Kestrel has set available protocols to Protocols.Http1AndHttp2.
On one of our testmachines it turned out that http/2 does not work in combination with Google Chrome (77.0.3865.90). The browser displays an error with ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY message. The fallback to http1 does not work in this case because the browser does support http/2 in general.
Microsoft Edge btw. does support requesting the same endpoint via http/2.
I tested the certificate on my develop machine and it turns out that this works as expected. So it does not seem to be a problem with the certificate itself rather than the server hosting the application. My local machine is running Windows 10 Pro (1903). The server is running Windows Server 2012 R2 Datacenter (6.3.9600).
The application will be hosted at our customers servers as a self contained package and we will not have an impact on what servers the api will be running.
Instead of disabling http/2 completely, we would like to check if all browsers will accept the provided certificate in combination of http/2. I'm not sure how to find this out on server side. To us it seems to be some kind of problem regarding to the provided cipher suites but I got no idea on how to check the compatibility on server side.
Does anyone have an idea on how to check the compatibility?
It’s not the certificate it’s the cipher suites.
Run your site through this tool: https://www.ssllabs.com/ssltest/ (or download and use https://testssl.sh if not publicly available, internal site) and you’ll see the cipher suites configured.
HTTP/2 blacklists older ciphers and Chrome won’t use HTTP/2 if those are configured. The list is here: https://www.rfc-editor.org/rfc/rfc7540#appendix-A but basically you probably should be using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for Chrome.
This post tells you how to change them for IIS: https://medium.com/#rootsecdev/configuring-secure-cipher-suites-in-windows-server-2019-iis-7d1ff1ffe5ea
I have an Authentication service built on Identity Server 3 and a set of WebAPI services using BearerTokenAuthentication. On startup, each of the WebAPI services makes a call to the Authentication service's .well-known/openid-configuration. That has been working fine until we recently configured the firewall between the WebAPI services and the Authentication service to only allow traffic with the TLS 1.2 protocol. Now the WebAPI services all fail to start and report that they cannot access the Authentication .well-known/openid-configuration because they "Could not create SSL/TLS secure channel".
Update: The problem described is occurring in my Test environment and is eliminated when we modify the firewall to allow TLS 1.0. In my Dev and Staging environments, the firewall is configured to require TLS 1.2 and that configuration is not producing the above symptoms. Something else is different. I just haven't figured out yet what it is.
Based on this latest update, I have a different question. Any suggestions on what to look for in the server/environment that would cause the TLS 1.2 requirement not to work in one environment while working in the other two? I've started to look at the registry settings that control the server's use of SSL and TLS protocols, but haven't found a difference there when comparing a working server to the non-working one.
Final Update: I never did figure out what was different. Someone from the systems group rebuilt the Test server, which was exhibiting the problem, by cloning the Staging server, which was not exhibiting the problem. The rebuilt server handles TLS 1.2 just fine. So it was clearly something in the server, not the code. But that's about all we know.
What is the reason for two separate but similar servers?
What are the differences?
Can I run both in docker?
Do both support same things, like all authentication types?
Kestrel vs HTTP.sys - I've highlighted the fundamental differences below.
(The words are Microsoft's and I've only edited it for brevity and clarity. See the sources linked at the bottom).
Update:
Kestrel previously always required the use of a reverse proxy with edge deployments (exposed to traffic from the Internet) for security reasons. With Kestrel in ASP.Net Core 2.x this is no longer the case. Take a look at the documentation for more information. Kestrel Web Server Documentation
Weblistener was renamed HTTP.sys in ASP.NET Core 2.0
Sources:
Docs.Microsoft.com Web server implementations in ASP.NET Core
Docs.Microsoft.com HTTP.sys web server implementation in ASP.NET Core
HTTP.sys is windows-only HTTP / Web Server for ASP.NET Core that allows you to expose the server directly to the Internet without needing to use IIS. HTTP.sys is built on top of Http.Sys ( the same mature technology that also powers IIS' HTTP Listener) as is as such very feature rich and provides protection against various attacks.
Kestrel on the other hand, is a cross-platform web server for ASP.NET Core that is designed to be run behind a proxy (for example IIS or Nginx) and should not be deployed directly facing the Internet. Kestrel is relatively new and does not have a full complement of defenses against attacks. It's also not as feature rich as HTTP.sys and comes with timeout limits, size limits and concurrent user limits.
In essence, the choice comes down to your web application's Deployment scenario.
HTTP.sys Use Cases :
Kestrel Use Cases :
Following comparison will help you to choose which one is better
The ASP.NET 5 documentation (created by Microsoft on August 25, 2015) found here lists the chart found in the other answer (see page 107 of the bottom right book pages, but page 111 of the PDF): https://media.readthedocs.org/pdf/aspnet/theming/aspnet.pdf
Kestrel in general has better performance, if you used for one of the following below:
Great option if used in conjunction with a reverse proxy for apps exposed to Internet
Internal apps connecting with other internal apps on a private virtual network (not exposed to Internet)
WebListener is more secure, slower, and has more features. It is used in these cases:
Expose app to the Internet but can't use IIS
Require higher security and exposing server directly to Internet.
Additional features: List item, Windows Authentication, Port sharing, HTTPS with SNI, HTTP/2 over TLS (Windows 10), Direct file transmission, Response caching