Revert doing certificate revocation checking by default

Steps to reproduce

  1. Trying to connect to an AWS Aurora PostgreSQL server instance using the RDS IAM authentication
  2. The right CA Root certificate is added to the trusted root store
  3. Using SslMode.VerifyFull

The issue

The server certificate chain gets rejected with the following information retrievable in RemoteCertificateValidationCallback:

  • sslPolicyErrors: RemoteCertificateChainErrors
  • chain statuses:
    • RevocationStatusUnknown (unable to get certificate CRL)
    • OfflineRevocation (unable to get certificate CRL)

Exception:

Exception message: Exception while performing SSL handshake
Stack trace: 
Unhandled exception. Npgsql.NpgsqlException (0x80004005): Exception while performing SSL handshake
 ---> System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception) in System.Net.Security.dll:token 0x600032f+0x17
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions) in System.Net.Security.dll:token 0x6000331+0x25
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm) in System.Net.Security.dll:token 0x600032c+0x588
   at System.Net.Security.SslStream.<>c.<ProcessAuthenticationWithTelemetry>b__170_2(Task t, Object s) in System.Net.Security.dll:token 0x600034e+0x59
   at System.Threading.Tasks.ContinuationTaskFromTask.InnerInvoke() in System.Private.CoreLib.dll:token 0x6003285+0x3b
   at System.Threading.Tasks.Task.<>c.<.cctor>b__271_0(Object obj) in System.Private.CoreLib.dll:token 0x6003242+0x0
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state) in System.Private.CoreLib.dll:token 0x6002df1+0x40
--- End of stack trace from previous location ---
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state) in System.Private.CoreLib.dll:token 0x6002df1+0x80
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread) in System.Private.CoreLib.dll:token 0x600319c+0x96
--- End of stack trace from previous location ---
   at Npgsql.Internal.NpgsqlConnector.RawOpen(SslMode sslMode, NpgsqlTimeout timeout, Boolean async, CancellationToken cancellationToken) in Npgsql.dll:token 0x6000a6d+0x53d
   at Npgsql.Internal.NpgsqlConnector.RawOpen(SslMode sslMode, NpgsqlTimeout timeout, Boolean async, CancellationToken cancellationToken) in Npgsql.dll:token 0x6000a6d+0x580
   at Npgsql.Internal.NpgsqlConnector.<Open>g__OpenCore|195_1(NpgsqlConnector conn, SslMode sslMode, NpgsqlTimeout timeout, Boolean async, CancellationToken cancellationToken) in Npgsql.dll:token 0x6000ac3+0x96
   at Npgsql.Internal.NpgsqlConnector.Open(NpgsqlTimeout timeout, Boolean async, CancellationToken cancellationToken) in Npgsql.dll:token 0x6000a68+0x9d
   at Npgsql.ConnectorPool.OpenNewConnector(NpgsqlConnection conn, NpgsqlTimeout timeout, Boolean async, CancellationToken cancellationToken) in Npgsql.dll:token 0x60001f6+0xda
   at Npgsql.ConnectorPool.<Get>g__RentAsync|29_0(NpgsqlConnection conn, NpgsqlTimeout timeout, Boolean async, CancellationToken cancellationToken) in Npgsql.dll:token 0x6000200+0x8d
   at Npgsql.NpgsqlConnection.<Open>g__OpenAsync|45_0(Boolean async, CancellationToken cancellationToken) in Npgsql.dll:token 0x60003da+0x117
   at <Program>$.<<Main>$>d__0.MoveNext() in /app/tests/integration/Npgsql.Loop/Program.cs:line 107
--- End of stack trace from previous location ---
   at <Program>$.<Main>(String[] args) in Npgsql.Loop.dll:token 0x6000009+0xc
Aborted (core dumped)

Workarounds

Not really a good workaround, but turning the certificate revocation check off via the connection string makes a successful connection.

Further technical details

  • Npgsql version: 6.0.0-rc.2
  • PostgreSQL version: 13.3 (AWS Aurora)
  • Operating system: Alpine Linux 3.14.2 in Docker

Other details about my project setup:

  • .NET 6.0.0-rc.2
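The two chain statuses reported above (RevocationStatusUnknown, OfflineRevocation) mean the platform could not fetch revocation data, not that the certificate is known to be bad. The following diagnostic is an added example, not code from the issue or from Npgsql: it classifies what a RemoteCertificateValidationCallback receives so a revocation lookup failure can be told apart from a genuinely invalid chain, and it rebuilds the chain for a saved server certificate (path taken from the command line, an assumption) with online revocation checking to reproduce the failure outside the handshake. It always rejects a chain that did not validate.

```csharp
using System;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class ChainDiagnostics
{
    // Statuses that mean "revocation could not be determined" rather than "certificate is bad".
    const X509ChainStatusFlags RevocationLookupFlags =
        X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

    // True when every reported problem is a revocation lookup failure (CRL/OCSP unreachable).
    public static bool OnlyRevocationLookupFailed(X509Chain chain) =>
        chain.ChainStatus.Length > 0 &&
        chain.ChainStatus.All(s => (s.Status & ~RevocationLookupFlags) == X509ChainStatusFlags.NoError);

    // Drop-in RemoteCertificateValidationCallback: logs the details, then fails closed.
    public static bool LogAndReject(object sender, X509Certificate? cert, X509Chain? chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        Console.Error.WriteLine($"sslPolicyErrors: {errors}");
        if (chain is not null)
        {
            foreach (var s in chain.ChainStatus)
                Console.Error.WriteLine($"  {s.Status}: {s.StatusInformation.Trim()}");
            if (OnlyRevocationLookupFailed(chain))
                Console.Error.WriteLine("  -> only the revocation lookup failed; check outbound access from the container to the CRL/OCSP endpoints");
        }
        return false; // never accept a chain the platform could not fully validate
    }

    // Reproduces the check outside Npgsql: build the chain for a saved server certificate
    // (hypothetical path in args[0]) with the same online revocation policy the handshake uses.
    static int Main(string[] args)
    {
        using var cert = new X509Certificate2(args[0]);
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        bool ok = chain.Build(cert);
        Console.WriteLine(ok ? "chain OK" : "chain rejected");
        foreach (var s in chain.ChainStatus)
            Console.WriteLine($"  {s.Status}: {s.StatusInformation.Trim()}");
        if (!ok && OnlyRevocationLookupFailed(chain))
            Console.WriteLine("  -> revocation data unreachable; the chain itself built to a trusted root");
        return ok ? 0 : 1;
    }
}
```

Wiring `ChainDiagnostics.LogAndReject` into Npgsql 6's `NpgsqlConnection.UserCertificateValidationCallback` shows the same statuses the issue lists without loosening the check; running `Main` from inside the Docker image confirms whether the CRL endpoints are reachable from there at all.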

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Comments: 9 (4 by maintainers)

Top GitHub Comments

1 reaction
queil commented, Nov 3, 2021

You’re referring to the RDS-provided certificate, right?

Yes.

I’m not sure there’s an Npgsql issue here

You’re right. I initially wasn’t sure where to raise it. It might be an issue with the X509 chain processor or just, as you said, an RDS-specific problem.

though it would be good to be sure

Indeed, it makes me uncomfortable switching anything off if security is at stake and I am not 100% sure what I am doing.

0 reactions
queil commented, Nov 3, 2021

Thanks for the clarification, guys.
