TLS Handshake Error

flo · August 10, 2023, 1:58pm

Hi,
Is there a way to handle the occurring of the RST TCP Flag during and after the TLS Handshake?
After The TCP “Server Hello Done” an RST Flag is sent and an error occurs.
The Following Packets are sent:

The following Error is Thrown in the HttpListener Start() Method when receiving an RST Flag:

 #### Exception System.InvalidOperationException - CLR_E_INVALID_OPERATION (9) ####
    #### Message: 
    #### GHIElectronics.TinyCLR.Devices.Network.Provider.NetworkControllerApiWrapper::AuthenticateAsServer [IP: 0000] ####
    #### System.Net.Security.SslStream::AuthenticateAsServer [IP: 0011] ####
    #### System.Net.HttpListener::AcceptThreadFunc [IP: 0096] ####
Ausnahme ausgelöst: "System.InvalidOperationException" in GHIElectronics.TinyCLR.Devices.Network.dll
Ein Ausnahmefehler des Typs "System.InvalidOperationException" ist in GHIElectronics.TinyCLR.Devices.Network.dll aufgetreten.

(Only (latest) GHI Libraries from NuGet used)

Dat_Tran · August 10, 2023, 3:40pm

There is so many reasons cause this issue. Could you send a simple project so we can test?

flo · August 10, 2023, 4:55pm

Sure!
Here is a quick demonstration:
Https_Test

Dat_Tran · August 15, 2023, 8:27pm

Hello, we just tested your project, AuthenticateAsServer function work correctly. The problem is your certificate.

Below is simple command to generare seft-signed certicate:
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout key.pem -out cert.pem -subj “/CN=myghitest.com” -addext “subjectAltName=DNS:myghitest.com,DNS:*.myghitest.com,IP:192.168.86.64”

replace 192.168.86.64 by SITCore IP address.
Then you need to install cert.pem on PC with root trusted: There few ways to do, we tested the way below (for Window):
Warning: The link below comes from third party, not GHI. Changing or installing certificate on your PC may affect to your PC’s security level, or causes your PC stop working.

How to Create Your Own SSL Certificate Authority for Local HTTPS Development (deliciousbrains.com)

We tested and confirm it work.

flo · August 16, 2023, 10:46am

Hi, thank you !

When the certificate is installed correctly, everything works fine.

The only problem left is that the Server crashes when we try to connect to it when the certificate is not installed on the PC (also happens when we try your certificate).

We need the site working even if the certificate is not trusted by the browser. Is there a way to achieve that?

Dat_Tran · August 16, 2023, 2:48pm

We could not reproduce the crash issue.
The way we reproduce is, generate new certificate by the command above, load to device, not installed anything to PC yet.

The application throws an exception as expected. From browser it says NET::ERR_CERT_AUTHORITY_INVALID