Error making https call to local development environment with SocketsHttpHandler

[JamesNK]

Steps to Reproduce

I tried out SocketsHttpHandler + TLS in .NET 6 preview 5 in an Android Emulator. I found it successfully made HTTP request to a public website that was using TLS with a valid certificate, but failed to call a local website that is using the ASP.NET Core developer certificate.

Error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Usually to get around this problem on other .NET platforms you would configure the handler to ignore certificate warnings.

Configuring the HTTP handler to ignore certificate errors didn't help on Xamarin/Maui:

var handler = new SocketsHttpHandler();
handler.SslOptions = new System.Net.Security.SslClientAuthenticationOptions
{
    RemoteCertificateValidationCallback = (_, __, ___, ____) =>
    {
        return true;
    }
};

That doesn't change the result on Xamarin/MAUI.

Expected Behavior

Can successfully make call to local development site that is using ASP.NET Core developer certificate

Actual Behavior

Error above

Version Information

Microsoft Visual Studio Enterprise 2019 Preview
Version 16.11.0 Preview 2.0
VisualStudio.16.Preview/16.11.0-pre.2.0+31410.223
Microsoft .NET Framework
Version 4.8.04084

Installed Version: Enterprise

Visual C++ 2019   00435-60000-00000-AA372
Microsoft Visual C++ 2019

ASP.NET and Web Tools 2019   16.11.61.6649
ASP.NET and Web Tools 2019

ASP.NET Web Frameworks and Tools 2019   16.11.61.6649
For additional information, visit https://www.asp.net/

Azure App Service Tools v3.0.0   16.11.61.6649
Azure App Service Tools v3.0.0

Azure Functions and Web Jobs Tools   16.11.61.6649
Azure Functions and Web Jobs Tools

Bridge to Kubernetes   0.1
Bridge to Kubernetes for Visual Studio 2019

C# Tools   3.11.0-2.21301.11+757770cf2b5fcc3ffa83db516f90f0d2366a92f0
C# components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.

Common Azure Tools   1.10
Provides common services for use by Azure Mobile Services and Microsoft Azure Tools.

Extensibility Message Bus   1.2.6 (master@34d6af2)
Provides common messaging-based MEF services for loosely coupled Visual Studio extension components communication and integration.

Fabric.DiagnosticEvents   1.0
Fabric Diagnostic Events

IntelliCode Extension   1.0
IntelliCode Visual Studio Extension Detailed Info

Microsoft Azure Service Fabric Tools for Visual Studio   16.10
Microsoft Azure Service Fabric Tools for Visual Studio

Microsoft Azure Tools   2.9
Microsoft Azure Tools for Microsoft Visual Studio 2019 - v2.9.40609.1

Microsoft Continuous Delivery Tools for Visual Studio   0.4
Simplifying the configuration of Azure DevOps pipelines from within the Visual Studio IDE.

Microsoft JVM Debugger   1.0
Provides support for connecting the Visual Studio debugger to JDWP compatible Java Virtual Machines

Microsoft Library Manager   2.1.113+g422d40002e.RR
Install client-side libraries easily to any web project

Microsoft MI-Based Debugger   1.0
Provides support for connecting Visual Studio to MI compatible debuggers

Microsoft Visual C++ Wizards   1.0
Microsoft Visual C++ Wizards

Microsoft Visual Studio Tools for Containers   1.2
Develop, run, validate your ASP.NET Core applications in the target environment. F5 your application directly into a container with debugging, or CTRL + F5 to edit & refresh your app without having to rebuild the container.

Microsoft Visual Studio VC Package   1.0
Microsoft Visual Studio VC Package

Mono Debugging for Visual Studio   16.10.15 (552afdf)
Support for debugging Mono processes with Visual Studio.

NuGet Package Manager   5.11.0
NuGet Package Manager in Visual Studio. For more information about NuGet, visit https://docs.nuget.org/

Open Command Line   2.4.236
2.4.236

ProjectServicesPackage Extension   1.0
ProjectServicesPackage Visual Studio Extension Detailed Info

Razor (ASP.NET Core)   16.1.0.2122504+13c05c96ea6bdbe550bd88b0bf6cdddf8cde1725
Provides languages services for ASP.NET Core Razor.

SmartPaster2013   1.0
Paste clipboard into comments or string builder

Snapshot Debugging Extension   1.0
Snapshot Debugging Visual Studio Extension Detailed Info

SQL Server Data Tools   16.0.62105.11120
Microsoft SQL Server Data Tools

Test Adapter for Boost.Test   1.0
Enables Visual Studio's testing tools with unit tests written for Boost.Test.  The use terms and Third Party Notices are available in the extension installation directory.

Test Adapter for Google Test   1.0
Enables Visual Studio's testing tools with unit tests written for Google Test.  The use terms and Third Party Notices are available in the extension installation directory.

TypeScript Tools   16.0.30526.2002
TypeScript Tools for Microsoft Visual Studio

Visual Basic Tools   3.11.0-2.21301.11+757770cf2b5fcc3ffa83db516f90f0d2366a92f0
Visual Basic components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.

Visual F# Tools   16.10.0-beta.21262.7+1b23bbeda88ea3cb9be9af777f4c99fa8663df81
Microsoft Visual F# Tools

Visual Studio Code Debug Adapter Host Package   1.0
Interop layer for hosting Visual Studio Code debug adapters in Visual Studio

Visual Studio Container Tools Extensions   1.0
View, manage, and diagnose containers within Visual Studio.

Visual Studio Tools for CMake   1.0
Visual Studio Tools for CMake

Visual Studio Tools for Containers   1.0
Visual Studio Tools for Containers

Visual Studio Tools for Unity   4.11.0.0
Visual Studio Tools for Unity

VisualStudio.DeviceLog   1.0
Information about my package

VisualStudio.Foo   1.0
Information about my package

VisualStudio.Mac   1.0
Mac Extension for Visual Studio

Xamarin   16.11.000.157 (d16-11@0e025f1)
Visual Studio extension to enable development for Xamarin.iOS and Xamarin.Android.

Xamarin Designer   16.10.0.115 (remotes/origin/c750fbf1bde3c720d077f51640fe197c6dac7cbe@c750fbf1b)
Visual Studio extension to enable Xamarin Designer tools in Visual Studio.

Xamarin Templates   16.10.5 (355b57a)
Templates for building iOS, Android, and Windows apps with Xamarin and Xamarin.Forms.

Xamarin.Android SDK   11.3.99.54 (main/0e5e06f)
Xamarin.Android Reference Assemblies and MSBuild support.
    Mono: c633fe9
    Java.Interop: xamarin/java.interop/main@a5ed891
    ProGuard: Guardsquare/proguard/v7.0.1@912d149
    SQLite: xamarin/sqlite/3.35.4@85460d3
    Xamarin.Android Tools: xamarin/xamarin-android-tools/main@683f375


Xamarin.iOS and Xamarin.Mac SDK   14.20.0.3 (17fdcf569)
Xamarin.iOS and Xamarin.Mac Reference Assemblies and MSBuild support.

Log File

[monodroid] MonodroidRuntime::monodroid_pinvoke_override ("libSystem.Native", "SystemNative_GetCryptographicallySecureRandomBytes")
[monodroid] MonodroidRuntime::monodroid_dlopen ("libSystem.Native", 0x2, 0x0, 0x0)
[monodroid-assembly] Caching p/invoke entry libSystem.Native @ SystemNative_GetCryptographicallySecureRandomBytes
[monodroid] MonodroidRuntime::monodroid_pinvoke_override ("libSystem.Native", "SystemNative_GetCryptographicallySecureRandomBytes")
Loaded assembly: /data/data/com.microsoft.net6.helloandroid/files/.__override__/System.Threading.Channels.dll [External]
[monodroid] MonodroidRuntime::monodroid_pinvoke_override ("libSystem.Native", "SystemNative_GetCryptographicallySecureRandomBytes")
[monodroid] MonodroidRuntime::monodroid_pinvoke_override ("libSystem.Security.Cryptography.Native.Android", "AndroidCryptoNative_SSLSupportsApplicationProtocolsConfiguration")
[monodroid] MonodroidRuntime::monodroid_dlopen ("libSystem.Security.Cryptography.Native.Android", 0x2, 0x0, 0x0)
[monodroid-assembly] Caching p/invoke entry libSystem.Security.Cryptography.Native.Android @ AndroidCryptoNative_SSLSupportsApplicationProtocolsConfiguration
[monodroid] MonodroidRuntime::monodroid_pinvoke_override ("libSystem.Security.Cryptography.Native.Android", "AndroidCryptoNative_SSLSupportsApplicationProtocolsConfiguration")
[monodroid] MonodroidRuntime::monodroid_pinvoke_override ("libSystem.Security.Cryptography.Native.Android", "AndroidCryptoNative_SSLSupportsApplicationProtocolsConfiguration")
[monodroid] MonodroidRuntime::monodroid_pinvoke_override ("libSystem.Security.Cryptography.Native.Android", "AndroidCryptoNative_SSLStreamSetApplicationProtocols")
[monodroid] MonodroidRuntime::monodroid_dlopen ("libSystem.Security.Cryptography.Native.Android", 0x2, 0x0, 0x0)
[monodroid-assembly] Caching p/invoke entry libSystem.Security.Cryptography.Native.Android @ AndroidCryptoNative_SSLStreamSetApplicationProtocols
[monodroid] MonodroidRuntime::monodroid_pinvoke_override ("libSystem.Security.Cryptography.Native.Android", "AndroidCryptoNative_SSLStreamSetApplicationProtocols")
[monodroid] MonodroidRuntime::monodroid_pinvoke_override ("libSystem.Security.Cryptography.Native.Android", "AndroidCryptoNative_SSLStreamSetApplicationProtocols")
[System.err] javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
[System.err] at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:362)
[System.err] at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1134)
[System.err] at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1089)
[System.err] at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:876)
[System.err] at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
[System.err] at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
[System.err] at com.android.org.conscrypt.Java8EngineWrapper.unwrap(Java8EngineWrapper.java:237)
[System.err] Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
[System.err] at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:677)
[System.err] at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:554)
[System.err] at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:510)
[System.err] at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:428)
[System.err] at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:371)
[System.err] at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:102)
[System.err] at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:106)
[System.err] at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:250)
[System.err] at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1644)
[System.err] at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
[System.err] at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:568)
[System.err] at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1095)
[System.err] at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataHeap(ConscryptEngine.java:1115)
[System.err] at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1087)
[System.err] ... 4 more
[System.err] Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
[System.err] ... 18 more
[monodroid] MonodroidRuntime::monodroid_pinvoke_override ("libSystem.Security.Cryptography.Native.Android", "AndroidCryptoNative_SSLStreamRelease")
[monodroid] MonodroidRuntime::monodroid_dlopen ("libSystem.Security.Cryptography.Native.Android", 0x2, 0x0, 0x0)
[monodroid-assembly] Caching p/invoke entry libSystem.Security.Cryptography.Native.Android @ AndroidCryptoNative_SSLStreamRelease
[monodroid] MonodroidRuntime::monodroid_pinvoke_override ("libSystem.Security.Cryptography.Native.Android", "AndroidCryptoNative_SSLStreamRelease")
[monodroid] MonodroidRuntime::monodroid_pinvoke_override ("libSystem.Security.Cryptography.Native.Android", "AndroidCryptoNative_SSLStreamRelease")
[monodroid] MonodroidRuntime::monodroid_pinvoke_override ("libSystem.Native", "SystemNative_Shutdown")
[monodroid] MonodroidRuntime::monodroid_dlopen ("libSystem.Native", 0x2, 0x0, 0x0)
[monodroid-assembly] Caching p/invoke entry libSystem.Native @ SystemNative_Shutdown
[monodroid] MonodroidRuntime::monodroid_pinvoke_override ("libSystem.Native", "SystemNative_Shutdown")
[monodroid] MonodroidRuntime::monodroid_pinvoke_override ("libSystem.Native", "SystemNative_Shutdown")
[monodroid] MonodroidRuntime::monodroid_pinvoke_override ("libSystem.Native", "SystemNative_Close")
[monodroid] MonodroidRuntime::monodroid_dlopen ("libSystem.Native", 0x2, 0x0, 0x0)
[monodroid-assembly] Caching p/invoke entry libSystem.Native @ SystemNative_Close
[monodroid] MonodroidRuntime::monodroid_pinvoke_override ("libSystem.Native", "SystemNative_Close")
[monodroid] MonodroidRuntime::monodroid_pinvoke_override ("libSystem.Native", "SystemNative_Close")
Thread finished: <Thread Pool> #6
The thread 0x6 has exited with code 0 (0x0).

[grendello]

@JamesNK This is most likely an issue with the BCL, Xamarin.Android doesn't customize the way System.Net.Security works, MAUI is even less likely a factor. @steveisok, mind taking a look and forwarding to whoever can investigate the issue on your side? Thanks!

[JamesNK]

I think the issue related to this work is here dotnet/runtime#45741

[steveisok]

Yes, this is a runtime issue. The Android implementation of SocketsHttpHandler does not yet support the use of self-signed certs. The reason being is that we made the decision to keep the native integration JNI only and Android does not support creating classes from there. Therefore, we aren't able to create a custom TrustManager to accept a self-signed cert.

[akoeplinger]

I did a few experiments with adding the aspnetcore cert as trusted to the Android app via https://developer.android.com/training/articles/security-config#TrustingDebugCa since that should allow the APIs we're using to trust the certificate.

For some reason, it works fine if I do it in Android Studio with a Java app but not if I translate the Java code to a Xamarin.Android app in VS (i.e. using the Java APIs, not .NET HttpClient). I get the same java.security.cert.CertPathValidatorException even though the cert should be trusted.

@grendello any idea how I could debug why this is not working?

[Eilon]

I started a discussion topic on how to connect from Android emulators to a local ASP.NET Web API running on Windows: dotnet/maui#8131

Please check that out and let us know if you have any feedback on any of the solutions presented.

[jonpryor]

@steveisok: I'm catching up to this comment way too late:

Android does not support creating classes from [JNI]. Therefore, we aren't able to create a custom TrustManager to accept a self-signed cert.

I'm do not understand what you mean. dotnet/runtime could provide some .java/.class files that provide a TrustManager subclass, and JNI can create instances of that class via JNIEnv::NewObject(). The only difficulty will be "integration complexity" of getting the Java code "sourced in" dotnet/runtime into a .NET Android environment, but that's a bit of "plumbing" that we can certainly accomplish.

[akoeplinger]

As far as I know we enabled this in .NET 8 with dotnet/runtime#77386 exactly like you described by shipping a custom .java TrustManager.

[steveisok]

I'm do not understand what you mean. dotnet/runtime could provide some .java/.class files that provide a TrustManager subclass, and JNI can create instances of that class via JNIEnv::NewObject(). The only difficulty will be "integration complexity" of getting the Java code "sourced in" dotnet/runtime into a .NET Android environment, but that's a bit of "plumbing" that we can certainly accomplish.

Yes, when I wrote this, I said "we can't" from the perspective of we weren't going to ship custom java classes from runtime. In .NET 8, we relaxed that position, and this issue can probably be closed.

[jpobst]

As far as I know we enabled this in .NET 8 with dotnet/runtime#77386 exactly like you described by shipping a custom .java TrustManager.

This sounds fixed, closing.