.Net Core 3.1 socket 'The client and server cannot communicate

  • Question

  • Hello, I have issues with a .Net Core 3.1 socket; it throws this exception:

    System.ComponentModel.Win32Exception: 'The client and server cannot communicate, because they do not possess a common algorithm.'

    Client

            using System;
            using System.Net.Security;
            using System.Net.Sockets;
            using System.Security.Authentication;
            using System.Security.Cryptography.X509Certificates;

            public static void RunClient(X509Certificate2 clientcertificate, string machineName = "localhost", string serverName = "127.0.0.1")
            {
                TcpClient client = new TcpClient(serverName, 8080);
                Console.WriteLine("Client connected.");
                // ValidateServerCertificate (not shown) decides whether the server's certificate is accepted.
                SslStream sslStream = new SslStream(client.GetStream(), false, new RemoteCertificateValidationCallback(ValidateServerCertificate), null);
                try
                {
                    // machineName must match the server certificate's subject/SAN. The SslProtocols value passed
                    // here is what SslStream negotiates; it has to be supported by the OS TLS stack on both ends.
                    sslStream.AuthenticateAsClient(machineName, new X509Certificate2Collection(clientcertificate), SslProtocols.Tls13, true);
                }
                catch (AuthenticationException e)
                {
                    Console.WriteLine("Exception: {0}", e.Message);
                    if (e.InnerException != null)
                    {
                        Console.WriteLine("Inner exception: {0}", e.InnerException.Message);
                    }
                    Console.WriteLine("Authentication failed - closing the connection.");
                    client.Close();
                    return;
                }
    ...

    Server

            using System.Net.Security;
            using System.Net.Sockets;
            using System.Security.Authentication;

            static void ProcessClient(TcpClient client)
            {
                // No validation callback: the client certificate goes through the default chain build,
                // which only succeeds if it chains to a trusted root.
                SslStream sslStream = new SslStream(client.GetStream(), false);
                try
                {
                    // clientCertificateRequired = true: the server requests and validates a client certificate.
                    sslStream.AuthenticateAsServer(serverCertificate, true, SslProtocols.Tls13, true);
                    DisplaySecurityLevel(sslStream);
                    DisplaySecurityServices(sslStream);
                    DisplayCertificateInformation(sslStream);
                    DisplayStreamProperties(sslStream);
    ...

    Certificate generation

            using System;
            using System.IO;
            using System.Security.Cryptography;
            using System.Security.Cryptography.X509Certificates;

            public X509Certificate2 CreateClientCertificate()
            {
                SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
                sanBuilder.AddDnsName("localhost");

                X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN=localhost");

                using (RSA rsa = RSA.Create(2048))
                {
                    var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

                    request.CertificateExtensions.Add(
                        new X509KeyUsageExtension(X509KeyUsageFlags.NonRepudiation | X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));

                    // A certificate the client presents needs id-kp-clientAuth (1.3.6.1.5.5.7.3.2);
                    // 1.3.6.1.5.5.7.3.1 is id-kp-serverAuth.
                    request.CertificateExtensions.Add(
                        new X509EnhancedKeyUsageExtension(
                            new OidCollection { new Oid("1.3.6.1.5.5.7.3.2") }, false));

                    request.CertificateExtensions.Add(sanBuilder.Build());

                    // The self-signed server certificate is used as the issuing CA.
                    var ca = GetServerCertificate();
                    // Create() returns the signed certificate without a private key; join it back to the RSA key
                    // before exporting, otherwise the PFX (and therefore the client) has no key to authenticate with.
                    using (X509Certificate2 issued = request.Create(ca, ca.NotBefore, ca.NotAfter, new byte[] { 0, 1, 2, 3 }))
                    using (X509Certificate2 certificate = issued.CopyWithPrivateKey(rsa))
                    {
                        return new X509Certificate2(certificate.Export(X509ContentType.Pfx, "test"), "test", X509KeyStorageFlags.DefaultKeySet);
                    }
                }
            }

            public X509Certificate2 GetServerCertificate()
            {
                // File.ReadAllBytes throws if the file is missing and the constructor throws CryptographicException
                // if the PFX or password is wrong, so the null check below never fires.
                var certificates = new X509Certificate2(File.ReadAllBytes(@"C:\OpenSSL\Certificates\server.pfx"), "test");
                if (certificates == null)
                {
                    Console.WriteLine("Server certificate not found...");
                    return null;
                }
                return certificates;
            }

    Server certificate generation

    openssl req -x509 -newkey rsa:4096 -keyout C:\OpenSSL\Certificates\key.cert -subj "/C=Test/ST=Test/L=Test/O=Test/OU=Test/CN=localhost" -out C:\OpenSSL\Certificates\cert.pem -days 365 -config C:\OpenSSL\bin\openssl.cnf
    openssl pkcs12 -inkey C:\OpenSSL\Certificates\key.cert -in C:\OpenSSL\Certificates\cert.pem -export -out C:\OpenSSL\Certificates\server.pfx

    Server main

            public static void Main(string[] args)
            {
                // Only affects ServicePoint-based clients such as HttpWebRequest; SslStream uses the
                // SslProtocols passed to AuthenticateAsServer/AuthenticateAsClient instead.
                ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls13;
    ...

    What am I missing here? Why are the client and server algorithms different, and how can I fix it?

    Monday, June 29, 2020 4:32 PM

All replies

  • This error is usually caused by the use of TLS 1.1. Generally, anything using a TLS standard below TLS 1.2 is considered insecure, because these older encryption algorithms are known to be cracked.

    What framework does your WCF service use? If you are using .NET 3.5 or lower, you need to upgrade your framework. If you use .NET 4.5, although it supports TLS 1.2, it is not the default protocol, so you need to choose to use it. The following code sets TLS 1.2 as the default value; please make sure to execute it before connecting to a secure resource:

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

    Tuesday, June 30, 2020 2:40 AM
  • Server is ASP.NET Core 3.1 and client is .NET Core 3.1.
    Tuesday, June 30, 2020 10:23 AM
  • Okay, some changes were made:

    1. server.pfx added to trusted root certificates.

    2. Server and Client authentication were changed:

    sslStream.AuthenticateAsClient(machineName, new X509Certificate2Collection(clientcertificate),SslProtocols.Tls12, true);
    sslStream.AuthenticateAsServer(serverCertificate,true,SslProtocols.Tls12,true);

    Now server throws exception

    Exception: The remote certificate is invalid according to the validation procedure.


    • Edited by speed258 Tuesday, June 30, 2020 5:42 PM
    Tuesday, June 30, 2020 5:42 PM
  • You need to make sure that the self signed SSL cert is trusted (put it into the machine Trusted Root CA folder).
    Wednesday, July 1, 2020 9:29 AM
  • You need to make sure that the self signed SSL cert is trusted (put it into the machine Trusted Root CA folder).

    Tried to add it as user and as machine, still the same output:

    Exception: The remote certificate is invalid according to the validation procedure.

    Thursday, July 2, 2020 2:49 PM
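The handshake this thread is trying to get working, as an added example that is not part of the thread or of any poster's code: a mutual-TLS SslStream exchange over loopback with an in-process CA. Two things differ from the posted CreateClientCertificate: CertificateRequest.Create returns a certificate without its private key, so it is joined back with CopyWithPrivateKey before export, and the client certificate carries id-kp-clientAuth (1.3.6.1.5.5.7.3.2) rather than id-kp-serverAuth. Instead of installing anything into the Trusted Root store, both validation callbacks build a chain with the CA in ExtraStore and pin the resulting root to the CA's thumbprint. It negotiates TLS 1.2 because SslProtocols.Tls13 only works where the OS TLS stack supports it. Assumed: .NET Core 3.1 with C# 8; the class, method and certificate names are this example's own.

```csharp
// Added example (not from the thread): mutual TLS over SslStream with an in-process CA; trust is pinned
// in the callbacks, nothing is installed in the machine store. Assumes .NET Core 3.1 (C# 8) and TLS 1.2.
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class MutualTlsDemo   // name chosen for this example
{
    const string ServerAuth = "1.3.6.1.5.5.7.3.1";  // id-kp-serverAuth: presented by the server
    const string ClientAuth = "1.3.6.1.5.5.7.3.2";  // id-kp-clientAuth: presented by the client

    // PFX round-trip: the re-imported certificate owns a copy of its key in a key-storage provider,
    // which SChannel needs; an ephemeral RSA handle attached via CopyWithPrivateKey is not enough.
    static X509Certificate2 Persist(X509Certificate2 c) =>
        new X509Certificate2(c.Export(X509ContentType.Pfx, "pw"), "pw", X509KeyStorageFlags.DefaultKeySet);

    // Self-signed CA: basicConstraints CA:TRUE and keyCertSign are required for it to issue the leaves below.
    static X509Certificate2 CreateCa()
    {
        using RSA key = RSA.Create(2048);
        var req = new CertificateRequest("CN=Demo Test CA", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        using X509Certificate2 ca = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
        return Persist(ca);
    }

    // Leaf signed by the CA. Create() returns the certificate without its private key, so it is
    // joined back to the RSA key before the PFX round-trip. The EKU decides which side may present it.
    static X509Certificate2 IssueLeaf(X509Certificate2 ca, string cn, string eku, byte[] serial, string dnsName = null)
    {
        using RSA key = RSA.Create(2048);
        var req = new CertificateRequest($"CN={cn}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid(eku) }, false));
        if (dnsName != null)   // server certificates need a SAN matching the target host
        {
            var san = new SubjectAlternativeNameBuilder();
            san.AddDnsName(dnsName);
            req.CertificateExtensions.Add(san.Build());
        }
        using X509Certificate2 signed = req.Create(ca, ca.NotBefore, ca.NotAfter, serial);
        using X509Certificate2 withKey = signed.CopyWithPrivateKey(key);
        return Persist(withKey);
    }

    // Accept a peer certificate only if it chains to our CA. AllowUnknownCertificateAuthority lets Build()
    // succeed without the root being in a trust store; the root is then compared to the CA explicitly.
    static bool ChainsToCa(X509Certificate2 ca, X509Certificate presented)
    {
        if (presented == null) return false;   // server side: the client sent no certificate
        using var chain = new X509Chain();
        chain.ChainPolicy.ExtraStore.Add(ca);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;   // the demo CA publishes no CRL
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        if (!chain.Build(new X509Certificate2(presented))) return false;
        X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return root.Thumbprint == ca.Thumbprint;   // pin the root, not just "some root"
    }

    static async Task Main()
    {
        using X509Certificate2 ca = CreateCa();
        using X509Certificate2 serverCert = IssueLeaf(ca, "localhost", ServerAuth, new byte[] { 1 }, "localhost");
        using X509Certificate2 clientCert = IssueLeaf(ca, "demo-client", ClientAuth, new byte[] { 2 });

        var listener = new TcpListener(IPAddress.Loopback, 0);   // port 0: the OS picks a free port
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;

        Task server = Task.Run(async () =>
        {
            using TcpClient conn = await listener.AcceptTcpClientAsync();
            using var ssl = new SslStream(conn.GetStream(), false, (s, cert, chain, err) => ChainsToCa(ca, cert));
            // clientCertificateRequired = true: send CertificateRequest and run the callback on what comes back.
            await ssl.AuthenticateAsServerAsync(serverCert, true, SslProtocols.Tls12, false);
            string line = await new StreamReader(ssl).ReadLineAsync();
            var writer = new StreamWriter(ssl) { AutoFlush = true };
            await writer.WriteLineAsync($"hello {ssl.RemoteCertificate.Subject}, you said: {line}");
        });

        using var tcp = new TcpClient();
        await tcp.ConnectAsync(IPAddress.Loopback, port);
        using var client = new SslStream(tcp.GetStream(), false,
            // keep SslStream's host-name check, replace the trust-store check with CA pinning
            (s, cert, chain, err) => (err & SslPolicyErrors.RemoteCertificateNameMismatch) == 0 && ChainsToCa(ca, cert));
        await client.AuthenticateAsClientAsync("localhost", new X509Certificate2Collection(clientCert), SslProtocols.Tls12, false);
        Console.WriteLine($"{client.SslProtocol} {client.CipherAlgorithm}/{client.CipherStrength} mutual={client.IsMutuallyAuthenticated}");
        var w = new StreamWriter(client) { AutoFlush = true };
        await w.WriteLineAsync("ping");
        Console.WriteLine(await new StreamReader(client).ReadLineAsync());
        await server;
        listener.Stop();
    }
}
```

Run it as a console project targeting netcoreapp3.1; it prints the negotiated protocol and cipher, whether the session is mutually authenticated, and the server's echo. To see the thread's "remote certificate is invalid" path, pass ServerAuth instead of ClientAuth when issuing clientCert, or drop the private key by returning `Persist(signed)` instead of `Persist(withKey)`: the server's callback then rejects the chain, or no client certificate is sent at all.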