Search code examples
.net-coretcpclientsslstream

Interop Crypto OpenSslCryptographicException: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

No matter target to net5.0 or net6.0 framework, when trying to create a sslstream, it repeatedly throw the error running on Ubuntu OS while works on Windows OS, what's the proper way to handle this error ?

Error Message

 System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
       ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
       ---> Interop+Crypto+OpenSslCryptographicException: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
         --- End of inner exception stack trace ---
         at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan`1 input, Byte[]& sendBuf, Int32& sendCount)
         at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteSslContext& context, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
         --- End of inner exception stack trace ---
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)

Sample Code

public static SslStream CreateSslStream(this TcpClient client, bool leaveInnerStreamOpen = false)
{
    var validationCallback = new RemoteCertificateValidationCallback(ValidateServerCertificate);
    var selectionCallback = new LocalCertificateSelectionCallback(SelectLocalCertificate);
    return new SslStream(client.GetStream(), leaveInnerStreamOpen, validationCallback, selectionCallback);
}
Solution

  • I referenced the ticket: Reopen #44191: SSL/TLS handshake fails in Ubuntu 20.04 and Net 5.0.1, making a custom openssl.cnf, now the problem is got resolved.

    /etc/ssl/openssl.cnf

    # Add this in the head of the file
openssl_conf = openssl_init

#
# skip
#

# And the following in the end of the file
[openssl_init]
ssl_conf = ssl_config

[ssl_config]
system_default = tls_defaults

[tls_defaults]
CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
MinProtocol = TLSv1.2