I'm attempting to connect to Amazon IoT MQTT broker using a C# net core 2.1 class library. My requirements say I must use port 443, which means per Amazon's documentation I have to use a connection that supports ALPN.
.Net Core 2.1 now has the methods to support this, so I try the following code:
(Note: I can try this same code using port 8883 instead of 443, and it connects fine and sends my MQTT data, so I know my certs and endpoint address are correct.)
this.socket = new Socket(this.remoteIpAddress.GetAddressFamily(), SocketType.Stream, ProtocolType.Tcp);
this.socket.Connect(new IPEndPoint(this.remoteIpAddress, this.remotePort));
this.netStream = new NetworkStream(this.socket);
this.sslStream = new SslStream(this.netStream, false, this.userCertificateValidationCallback, this.userCertificateSelectionCallback);
X509CertificateCollection clientCertificates = null;
clientCertificates = new X509CertificateCollection(new X509Certificate[] { this.clientCert });
SslApplicationProtocol amzProtocol = new SslApplicationProtocol("x-amzn-mqtt-ca");
System.Threading.CancellationToken token = new System.Threading.CancellationToken();
SslClientAuthenticationOptions options = new SslClientAuthenticationOptions()
{
AllowRenegotiation = false,
TargetHost = this.remoteHostName,
ClientCertificates = clientCertificates,
EnabledSslProtocols = SslProtocols.Tls12,
CertificateRevocationCheckMode = X509RevocationMode.NoCheck,
ApplicationProtocols = new List<SslApplicationProtocol>() { amzProtocol },
LocalCertificateSelectionCallback = this.userCertificateSelectionCallback,
RemoteCertificateValidationCallback = this.userCertificateValidationCallback,
EncryptionPolicy = EncryptionPolicy.RequireEncryption
};
this.sslStream.AuthenticateAsClientAsync(options, token).Wait();
Now, from what I understand, I should see (I'm using wireshark) an extension added on to the Client Hello handshake protocol similar to this:
Extension: Application Layer Protocol Negotiation
Type: Application Layer Protocol Negotiation (0x0010)
Length: ##
ALPN Extension Length: ##
ALPN Protocol
ALPN string length: 14
ALPN Next Protocol: x-amzn-mqtt-ca
But I'm not getting that extension, and the connection fails on port 443.
Am I missing something in setting up the list of protocols? I'm not getting any errors from that, but since this is a pretty new release there's not a lot of reference material out there to look for hints.
Well, It seems that even though Net CORE 2.1 has added the functions to support this, that it won't work with Windows 7. You must be using Windows 8.1 or greater. This was not documented anywhere in the code or on the examples on GitHub, but I found out from one of the dev team that for some reason they decided to have it "fail silently", rather than throw an error.
Related
I'm using Node.js with socket.io server and EngineIoClientDotNet and MAUI on client side. This is how I'm connecting to the server on client side using Quobject.EngineIoClientDotNet.Client.Socket:
socket = new Socket("https://api.example.com");
And here's how it is on server side:
const io: Server = new Server(server, { cors: { origin: "*" } });
And instead of making requests to https://api.example.com/socket.io, like socket.io-client for javascript, EngineIoClientDotNet makes requests to https://api.example.com/engine.io, which resultst in 404 response.
How do I change path from /engine.io to /socket.io?
Use SocketIOClient
EngineIoClientDotNet is deprecated, and SocketIOClient is still maintained.
If you need to change path from /socket.io (which is default in SocketIOClient) use SocketIOOptions:
using SocketIOClient;
socket = new SocketIO("https://example.com", new SocketIOOptions() { Path = "/custom-path" });
NuGet SocketIOClient
Github SocketIOClient
I am trying to set up a local MQTT broker using mosquito image and connect to it with MQTTNet as publisher and subscribe using Dapr MQTT binding. Everything works fine if I am using anonymous mode (both in Docker self-hosted and in K8S). But we need to use SSL... and here things stopped working. And I am literally out of ideas.
Anyone done this setup already?
I am following this guide for creating certificates: Mosquito SSL setup
This is my broker Dockerfile:
FROM eclipse-mosquitto:latest
COPY ./mqtt/mosquitto/mosquitto.conf /mosquitto/config/mosquitto.conf
COPY ./mqtt/mosquitto/certificates /mosquitto/certs
COPY ./mqtt/mosquitto/certificates /mosquitto/ca_certificates
and mosquitto.conf file:
listener 8883
protocol mqtt
listener 9001
protocol websockets
allow_anonymous false
cafile ./mosquitto/certs/ca.crt
keyfile ./mosquitto/certs/server.key
certfile ./mosquitto/certs/server.crt
require_certificate true
use_identity_as_username true
tls_version tlsv1.2
Broker is starting fine:
2023-01-02 23:44:16 1672699456: mosquitto version 2.0.15 starting
2023-01-02 23:44:16 1672699456: Config loaded from /mosquitto/config/mosquitto.conf.
2023-01-02 23:44:16 1672699456: Opening ipv4 listen socket on port 8883.
2023-01-02 23:44:16 1672699456: Opening ipv6 listen socket on port 8883.
2023-01-02 23:44:16 1672699456: Opening websockets listen socket on port 9001.
2023-01-02 23:44:16 1672699456: mosquitto version 2.0.15 running
Now, I am trying to use MQTTNet library and I wrote a simple c# console app:
using MQTTnet;
using MQTTnet.Client;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;
var caCert = new X509Certificate2("ca.crt");
var clientCert = new X509Certificate2("client.pfx", "password");
var url = "localhost";
var factory = new MqttFactory();
var client = factory.CreateMqttClient();
var options = new MqttClientOptionsBuilder()
.WithTcpServer(url, 8883)
.WithClientId("Device1")
.WithTls(new MqttClientOptionsBuilderTlsParameters
{
UseTls = true,
SslProtocol = System.Security.Authentication.SslProtocols.Tls12,
CertificateValidationHandler = (certContext) =>
{
X509Chain chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
chain.ChainPolicy.VerificationTime = DateTime.Now;
chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 0);
chain.ChainPolicy.CustomTrustStore.Add(caCert);
chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
var x5092 = new X509Certificate2(certContext.Certificate);
return chain.Build(x5092);
},
AllowUntrustedCertificates = true,
Certificates = new List<X509Certificate2>
{
clientCert, caCert
},
})
.Build();
await client.ConnectAsync(options);
var message = new MqttApplicationMessageBuilder()
.WithTopic("sensor/reporting")
.WithPayload(Encoding.UTF8.GetBytes("test"))
.Build();
await client.PublishAsync(message);
And I am not able to connect with client error:
MQTTnet.Exceptions.MqttCommunicationException: ' Received an unexpected EOF or 0 bytes from the transport stream.'
And server error:
2023-01-02 23:47:00 1672699620: New connection from 172.19.0.1:37912 on port 8883.
2023-01-02 23:47:00 1672699620: Client disconnected due to protocol error.
Tried different options and never succeded.
On the subscriber side, I am following this guide: Dapr MQTT Binding with below config file:
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: sensorreporting
spec:
type: bindings.mqtt
version: v1
metadata:
- name: url
value: ssl://localhost:8883
- name: topic
value: sensor/reporting
- name: consumerID
value: "{uuid}"
- name: caCert
value: -----BEGIN CERTIFICATE-----\nMIIEGzCCAwOgAwIBAgIUYbZRJpxF3knVBs4A9FIc9KU6YskwDQYJKoZIhvcNAQEL\nBQAwgZwxCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdBbGJlcnRhMRAwDgYDVQQHDAdD\nYWxnYXJ5MRMwEQYDVQQKDAptQ2xvdWRDb3JwMRYwFAYDVQQLDA1DZXJ0QXV0aEFk\nbWluMQ0wCwYDVQQDDARhZGNhMS0wKwYJKoZIhvcNAQkBFh5taWNoYWwua29zb3dz\na2lAbWNsb3VkY29ycC5jb20wHhcNMjMwMTAyMjE0MzU5WhcNMjgwMTAyMjE0MzU5\nWjCBnDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB0FsYmVydGExEDAOBgNVBAcMB0Nh\nbGdhcnkxEzARBgNVBAoMCm1DbG91ZENvcnAxFjAUBgNVBAsMDUNlcnRBdXRoQWRt\naW4xDTALBgNVBAMMBGFkY2ExLTArBgkqhkiG9w0BCQEWHm1pY2hhbC5rb3Nvd3Nr\naUBtY2xvdWRjb3JwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\nAMxZASmaTBj+8nVnQwngdjQ3632AVforWdZWSW7a/Z9mhlCis8Lmg/B7Hun9NUh3\nlwg3GxB9RN0K3A+aeHObWfSUl+R1NiTVAMWh+CtUVibjWnDJGk+TNQ9Drq5Lh/iX\nNPc2ztUm+iaFyWdXcthWjeYqsnLD4NHbD0470F4mNidg93cPvB66c0Eam01pAAkR\nQ/jUU0W8gncN3SEHc/FAUahGp1xZzxWhawBAr/oa7xjDMZsz4cLBHjnUH/wNuTrZ\nxQ7g/ArO9DsDaITj7+tzKvOLkCza3LzjW7Ye19XL5l9DisX3xBNCeERIIdndwkOm\ndkEif6QIMgZjaYyyMH6JSsECAwEAAaNTMFEwHQYDVR0OBBYEFDDUsLcvER/gEJgl\nstJ3VutBQ/t+MB8GA1UdIwQYMBaAFDDUsLcvER/gEJglstJ3VutBQ/t+MA8GA1Ud\nEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBALzcZ32VWo37Da5wfFmONo1I\n+bnnP4dc6i90/6MVuLoco6nt63XE+DwL53Ib8tPYVMssKCLOBCI+y+tRtpIAIF+y\ntg41SP5iLIU4eV4rjzdd3iirZOavvcx2cLVfMRHFVr1/8V5o4LaQOpiwVycndcHY\noRTXW6h49YpZt914oEwezSRBrN5h8Rc4cJB/alVpj/2FMq0+C6qQmgJ56xLT9Yu+\nAFz2X4zoFX69WsGm+h/cOfrMjqdR96UoS8cUgEjeNPZCxrZLWGEvphnjmjCom+SQ\nJ+qvQQBCGlNW6Hajd6yBybynB4ImwsqySlWYuX/JwfCDxq1rt++lWjha7hzGSdY=\n-----END CERTIFICATE-----
- name: clientCert
value: -----BEGIN CERTIFICATE-----\nMIIDwDCCAqgCFA7Zd6l6GgZYMtdtTwKHM7b3jn0HMA0GCSqGSIb3DQEBCwUAMIGc\nMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHQWxiZXJ0YTEQMA4GA1UEBwwHQ2FsZ2Fy\neTETMBEGA1UECgwKbUNsb3VkQ29ycDEWMBQGA1UECwwNQ2VydEF1dGhBZG1pbjEN\nMAsGA1UEAwwEYWRjYTEtMCsGCSqGSIb3DQEJARYebWljaGFsLmtvc293c2tpQG1j\nbG91ZGNvcnAuY29tMB4XDTIzMDEwMjIxNTcwMVoXDTIzMTIyODIxNTcwMVowgZsx\nCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdBbGJlcnRhMRAwDgYDVQQHDAdDYWxnYXJ5\nMRMwEQYDVQQKDAptQ2xvdWRDb3JwMRIwEAYDVQQLDAlhZC1jbGllbnQxEDAOBgNV\nBAMMB2RldmljZTExLTArBgkqhkiG9w0BCQEWHm1pY2hhbC5rb3Nvd3NraUBtY2xv\ndWRjb3JwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOZ2d3jm\n240jQ9JdTAoAEe/LaoFD+0q7TisXLeHBruCZWjMCbiqinT+GtvyhOvNVVJk8/0jH\n1pTkAIads1hIqve6AUNinrZd9LRbW8CNeESz+w29GcOcdZ9fMsQf42PqHd+Y8Aes\nF/2TSU9Qu+dVpplrdHOfz5WjmC88/AD9btMDrrJQOhi4MFD8Buy4S5Lrw4ZRQ4be\n72hHAuD3nVT+/WS9EJtVSANHaIHsOPDmyJAPFVS6wWZRAHv5BEf5D/UtjmGg3VRn\nGN2krK1/MLMSv20kjePi7dErOtAE1Q2fsvEfs0zko3/qrGZlELVlxKqYgnAMfY2w\nsVf8sGvTz9sJIKkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAc/+wE8Efgmi1GB5G\nSlPpFbDmM+pAXm7cAbELTkQK4i70TZ4R7aRS9QulxSxL1MwpHkyQqvW9bN0s+WtX\nUqh3ERyXCyeuOc6KpskROryyCD03rL2j83KIeTvbLSwsx3gwzE0nBy336Y2A1fYT\nJVkYUhi4Gh9LqSovw8yn+O/DjGhzfBPo1MaPZihtVGmTlhvY9ypUsefggC+FE8E8\n8UmvesY7H+/h5TammDoHTFBupQG9JIx76DZJFQlyyGGanttfBooya4ZLzpZ+zmeW\nFOvz+RmekQzjt+Jrtrzv1zkyrhFB129kr9/cNzZBtR2Hte2ezSgmPHFjIPZ0Z4ZC\nTW47cw==-----END CERTIFICATE-----
- name: clientKey
value: -----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA5nZ3eObbjSND0l1MCgAR78tqgUP7SrtOKxct4cGu4JlaMwJu\nKqKdP4a2/KE681VUmTz/SMfWlOQAhp2zWEiq97oBQ2Ketl30tFtbwI14RLP7Db0Z\nw5x1n18yxB/jY+od35jwB6wX/ZNJT1C751WmmWt0c5/PlaOYLzz8AP1u0wOuslA6\nGLgwUPwG7LhLkuvDhlFDht7vaEcC4PedVP79ZL0Qm1VIA0dogew48ObIkA8VVLrB\nZlEAe/kER/kP9S2OYaDdVGcY3aSsrX8wsxK/bSSN4+Lt0Ss60ATVDZ+y8R+zTOSj\nf+qsZmUQtWXEqpiCcAx9jbCxV/ywa9PP2wkgqQIDAQABAoIBAQDP28dztxwMFuNj\nx5v+ZQPIeHot7oemZnthJ/3M4Sh+EDInUajVMWeMVU+TWUPXFn4/26EQHpVuIppK\nz89i79+roQrkoP0u1F0RkliVucLgjEgBoy2qnOIFhRI/i9dGVXDuK31KHjBhF8eG\nDvX69uhU9XLJmjja6Psol+NebTXYgIISUz0S39KGqH3BZ9IcRre/peNDh4LqUot9\n+Wmrj/4kIgwC2FXLWw5Bz5wH4cvZbrSrf+p4jf8MZehBBTlkJ2270aEwU2Di+rDx\nS4o1rzDEB3FO6eoDJk+vxseZhqUjAX7Vm2HDZhEM+y1rXuOXY11ya2phIA7Y4YzX\nBuXvNQKBAoGBAP8PI4wk8XjVt5mD6KUbvPzcmEtTG43PrTKh9vXdsP9bkW8+RUEp\npwpguSxPYCXRGSl4A3Ava/8uT8grAx1978LY7l65uCK9EUTdYs5a3BrjhxBVE3Bj\np/e3VSmE8qD1ixlnfcRUf0Dv8CrivKmW4Lz226A3hS6AlWfzI9amEfG5AoGBAOdQ\nGcKSUijcNkASud4VZyOqNqjKtj5SKx1HblnOq7HERblPW53wD8Mg9jeQ8X7Flaox\n52m1W3EcO1VVLveQ6FYsBXVz+9FwHblztizVlty48XmzpQDbAL1xI+G0WT7cpDt8\nDdnlOmZX4hxBsmrkOFz/gP4yn6sL0u0wbRTk995xAoGAcBe1Jaguv04djEgefEF+\ngxpni+MQXviAQ5pOsKsnWHJjriINyZ+Gm9b6SnDv7m7AwirOSAVvTwyJX40Xp2Rr\ndJRl3hd8xzeUWVF6VPo1dVO9Tf41ttT1Qra9pKua/gYrhZSn/xqrelx4jkBrbZSz\nXBiZWQZNb6xu/OosO+9sP3ECgYEA3KoVaQCdUE2Dk2xJ1Asm8WcX7b40TQ+mAbB7\nHUGDmXpb6YRDKlAxOTzgpfGn8AAd3tbspHNWYHlGQQmaXKHogwxLyNh0ikAimyA/\n0lWQLdBgzHEMH9zMv+yHBnI+ETH7mqOlsxByvd9o3PvvcPl2q4EzVUyF9W66MXvZ\nE+26aIECgYBtDK+8hffO3N1yXW+tMFuCbbzMPrPJC5o4VII8pm+oNcsvW1Ao9kpZ\nL7yVVJCozo0omvuY2ohVchiQ5jC1nxd17Xa0DuIrKgtcEmpoae16e2h7kcSjv63y\nbKEEUIKRyWfhx6iJb8o03lq1UUxRDhaB5leiUUddibJyhh7EDfCHfQ==\n-----END RSA PRIVATE KEY-----
and dapr sidecar is failing with following error:
mqtt-sample-mqtt-api-dapr-1 | time="2023-01-02T23:19:05.428410597Z" level=fatal msg="process component sensorreporting error: [INIT_COMPONENT_FAILURE]: initialization error occurred for sensorreporting (bindings.mqtt/v1): mqtt binding error: invalid ca certificate" app_id=mqtt-api instance=2c64804e20f1 scope=dapr.runtime type=log ver=1.9.5
mqtt-sample-mqtt-api-dapr-1 exited with code 1
I do not know where I am making mistake. I am going to test that on AKS now (maybe the problem is with running it locally? Anonymous mode is working with AKS).
I was able to set up the whole thing without SSL, but need this to go to prod.
The TLS certificate setup is per listener, so if you want both the listener on port 8883 and the Websocker listener on port 9001 to use TLS then you need to specify the certificates twice e.g.
listener 8883
protocol mqtt
cafile ./mosquitto/certs/ca.crt
keyfile ./mosquitto/certs/server.key
certfile ./mosquitto/certs/server.crt
require_certificate true
use_identity_as_username true
tls_version tlsv1.2
listener 9001
protocol websockets
allow_anonymous false
cafile ./mosquitto/certs/ca.crt
keyfile ./mosquitto/certs/server.key
certfile ./mosquitto/certs/server.crt
tls_version tlsv1.2
You also need to be very careful about requiring a client certificate for the websocker listener and using it as a the username, because if you are accessing from a Web Browser it is VERY tricky to set up client certificates. Hence I have removed that requirement from the WebSocket listener
You have the listener on port 8883 configured to use websockets; you appear to be connecting using plain MQTT over TCP, not over websockets.
Your client needs to use the same protocol as the broker is configured for on the port the client connects to.
Try commenting out the websockets line in the mosquitto config file, restarting the broker and connecting again.
I have created a very simple console application that connects to Azure ServiceBus and sends one message. I tried the latest library from Microsoft (Microsoft.Azure.ServiceBus) but no matter what I do I just get this error:
No connection could be made because the target machine actively
refused it ErrorCode: ConnectionRefused
I have tried exactly the same connection string in Service Bus Explorer and it does work just fine. Moreover I connected without problems using the older library from Microsoft (WindowsAzure.ServiceBus).
var sender = new MessageSender("endpoint", "topicName");
sender.SendAsync(new Message(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject("test"))));
I tried with .NET Framework 4.6.2 and Core, same exception. I suspect there may be some differences in the default protocol that these libraries use, but I could not figure out that for sure.
P.S. Have tried the example from Microsoft docs but result is still the same exception
The old client supported ConnectivityMode using TCP, HTTP, HTTPS, and AutoDetect. ServiceBus Explorer is using AutoDetect, trying TCP first and then failing over to HTTPS, regardless of the TransportMode you were using (SBMP or AMQP).
With the new client this has changed. TransportMode now combines both options and offers Amqp (AMQP over TCP) or AmqpWebSockets (AMQP over WebSockets). There's no AutoDetect mode. You will have to create your clients and specify TransportType as AmqpWebSockets to bypass blocked TCP port 5671 and instead use port 443.
It seems that the documentation is lacking a lot on how to connect using HTTPS (Amqp over WebSockets) but after some help from Sean Feldman in the accepted answer I managed to connect. Here is the code that I used if someone is interested:
var tokenProvider = TokenProvider.CreateSharedAccessSignatureTokenProvider(
"RootManageSharedAccessKey", // SharedAccessKeyName
"SomeToken");
var sender = new MessageSender(
"sb://mydomain.servicebus.windows.net/",
"topicName",
tokenProvider,
TransportType.AmqpWebSockets);
Or a variant that let's you have the whole connection string in one piece
var builder = new ServiceBusConnectionStringBuilder("YouConnectionString");
var tokenProvider = TokenProvider.CreateSharedAccessSignatureTokenProvider(
builder.SasKeyName,
builder.SasKey);
var sender = new MessageSender(
builder.Endpoint,
"TopicName",
tokenProvider,
TransportType.AmqpWebSockets);
It is actually possible to use ConnectionString directly but then it has to be augmented to use the right protocol.
var sender = new MessageSender("TransportType=AmqpWebSockets;Endpoint=...", "TopicName")
Or the version that allows to embed EntityPath into the ConnectionString
var connectionBuilder = new ServiceBusConnectionStringBuilder("EntityPath=MyTopic;TransportType=AmqpWebSockets;Endpoint=...")
var sender = new MessageSender(connectionBuilder);
I was having the same issue but his worked for me
var clientOptions = new ServiceBusClientOptions();
clientOptions.TransportType = ServiceBusTransportType.AmqpWebSockets;
client = new ServiceBusClient(connectionString, clientOptions);
sender = client.CreateSender(topicName);
// create a batch
using ServiceBusMessageBatch messageBatch = await sender.CreateMessageBatchAsync();
all - I've written a dotnet core API set that functions perfectly on windows. On Ubuntu 14.04, everything works except for one SOAP request to a vendor that uses a client certificate for authentication.
The request always times out. A Netstat trace shows that only 1 byte of data was sent to the remote service on 443. No communication happens for 100 seconds and then the app throws a timeout exception.
I've tried using openssl to export PEM and CRT files and referenced those in addition to the way the code is configured now (pfx w/ password). I've also loaded the certificate portions of the PFX into ca-certs.
Here's the code:
var binding = new BasicHttpBinding();
binding.Security.Mode = BasicHttpSecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
var baseAddress = new Uri(mySettings.ClientUrl);
factory = new ChannelFactory<SingleSignOnSoap>(binding, new EndpointAddress(baseAddress));
if (RuntimeEnvironment.OperatingSystemPlatform == Platform.Windows)
{
//windows file location
factory.Credentials.ClientCertificate.Certificate = new X509Certificate2(mySettings.PrivateKeyWindowsPath, mySettings.PfxPass);
}
else
{
//linux file location
factory.Credentials.ClientCertificate.Certificate = new X509Certificate2(mySettings.ClientPrivateKeyUnixPath, mySettings.PfxPass);
}
serviceProxy = factory.CreateChannel();
RequestTicketRequest request = new RequestTicketRequest();
RequestTicketRequestBody requestBody = new RequestTicketRequestBody(xmlRequest);
request.Body = requestBody;
RequestTicketResponse response = serviceProxy.RequestTicket(request);
return response.Body.RequestTicketResult;
Wireshark and Tshark show the authentication is actually working ok. The timeout is happening because the ServiceFactory is waiting to receive the response, but the network has sent a connection reset flag ([RST, ACK]) to the remote server. I've been able to reproduce on multiple linux distros so I'm adding an issue to the dotnet core WCF team's queue on github.
I'm trying to establish tcp connection which is encrypted using Ssl3.
Basically I'm just creating TCP connection and than I'm creating SSLStream on top of that:
var ss = new SslStream(poolItem.SecureConnection, false, remoteCertificateValidationCallback);
ss.ReadTimeout = ss.WriteTimeout = timeout;
ss.AuthenticateAsClient(host);
var pp = ss.SslProtocol;
My problem is that by default SslStream uses TLS. I want for it to be Ssl3.
In HttpWebRequest, you can use following code to change the protocol:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
I checked it, and it doesn't affect SslStream.
How do I change SslStream's protocol to Ssl3?
You just have to use the AuthenticateAsClient overload that lets you specify which protocols should be allowed:
AuthenticateAsClient
(host, new X509CertificateCollection(), SslProtocols.Ssl3, false);