Tags: c#, ubuntu, .net-core, openssl, dotnet-httpclient

.NET Core - HTTPClient - dh key too small on Ubuntu 20.04


I'd like to ask if there's a way to bypass Ubuntu's security checks so that I could fetch a website with a small key in my .NET Core client app? I am getting this exception: 141A318A:SSL routines:tls_process_ske_dhe:dh key too small.

The issue is that in Ubuntu 20.04 OpenSSL has its security level set to 2 and (currently, hopefully someone will come up with an answer for my question on Ask Ubuntu) I have no idea how to set it to a lower value.

The same error occurs using curl unless the --ciphers 'DEFAULT:!DH' parameter is provided, so I assume the root cause of the problem is within the operating system itself.

I do not control the website's server, so changing its security settings is a no go.

What I've tried so far from C# side:

// Registers a typed HttpClient and swaps in a primary handler that accepts any
// server certificate (IInterface/IImplementation stand in for the real typed-client types).
serviceCollection.AddHttpClient<IInterface, IImplementation>()
                             .ConfigureHttpMessageHandlerBuilder(messageHandlerBuilder =>
                             {
                                 messageHandlerBuilder.PrimaryHandler = new HttpClientHandler
                                 {
                                     // Only affects certificate validation; OpenSSL's security-level
                                     // check on the DH parameters is separate from certificate validation.
                                     ServerCertificateCustomValidationCallback = (m, c, ch, e) => true
                                 };
                             });

and

// ServicePointManager settings apply to the HttpWebRequest stack; on .NET Core the
// default HttpClient handler (SocketsHttpHandler) does not consult them.
using var httpClient = new HttpClient();
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;

// url: the address of the site being fetched
var websiteContent = await httpClient.GetStreamAsync(url);

Security is not much of an issue in this case so I'm ok with using any dirty hack here.

Any help would be much appreciated.


Solution

  • Thanks to the answer received on Ask Ubuntu I managed to fix the issue by:

    • copying the openssl.cnf file
    • adding openssl_conf = default_conf at the top of the copied file
    • adding at the end:

        [ default_conf ]
        ssl_conf = ssl_sect

        [ssl_sect]
        system_default = ssl_default_sect

        [ssl_default_sect]
        MinProtocol = TLSv1.2
        CipherString = DEFAULT:@SECLEVEL=1

    • running the project with the OPENSSL_CONF environment variable set to the path of the altered config file
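The four steps above as one script, added here as an example and not part of the original answer. It assumes the system config lives at /etc/ssl/openssl.cnf (the Ubuntu 20.04 default) but takes both paths as parameters, and it adds a check function so the generated file can be inspected before the app is pointed at it.

```shell
#!/bin/sh
# Added example (not from the original post): build a per-process OpenSSL config
# that lowers the security level to 1, following the Ask Ubuntu-based steps above.
# Assumes the distro config is /etc/ssl/openssl.cnf (Ubuntu 20.04); both paths
# are parameters so the script can be run against any copy.

# make_seclevel1_conf SOURCE TARGET
# Copies SOURCE to TARGET with the openssl_conf directive prepended and the
# sections that set MinProtocol and CipherString appended. The directive has to
# sit before the first [section] header, which is why it goes on line 1.
make_seclevel1_conf() {
    src="$1"
    dst="$2"
    {
        printf 'openssl_conf = default_conf\n'
        cat "$src"
        cat <<'EOF'

[ default_conf ]
ssl_conf = ssl_sect

[ssl_sect]
system_default = ssl_default_sect

[ssl_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=1
EOF
    } > "$dst"
}

# check_seclevel1_conf FILE
# Returns 0 when FILE carries every line the fix depends on, 1 otherwise.
check_seclevel1_conf() {
    f="$1"
    head -n 1 "$f" | grep -Fxq 'openssl_conf = default_conf' &&
    grep -Fxq '[ssl_default_sect]' "$f" &&
    grep -Fxq 'MinProtocol = TLSv1.2' "$f" &&
    grep -Fxq 'CipherString = DEFAULT:@SECLEVEL=1' "$f"
}

# Usage:
#   make_seclevel1_conf /etc/ssl/openssl.cnf "$HOME/openssl-seclevel1.cnf"
#   check_seclevel1_conf "$HOME/openssl-seclevel1.cnf" && echo "config ok"
#   OPENSSL_CONF="$HOME/openssl-seclevel1.cnf" dotnet run
```

Before wiring the file into the app, the same variable can be tried against the site with OpenSSL's own client (OPENSSL_CONF=... openssl s_client -connect host:443 -servername host) to confirm the "dh key too small" alert disappears. Setting OPENSSL_CONF only on the process that needs it, rather than editing /etc/ssl/openssl.cnf, keeps the lowered floor (security level 1 accepts 1024-bit DH and RSA keys) from applying to every other TLS client on the machine.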