0

I am building a Web Api (using ASP.NET Web API), that connects via Secure WebSockets to an endpoint that our client exposed (wss://client-domain:4747/app/engineData). They gave me their certificates all in .pem format (root.pem and client.pem), and a private key (client_key.pem).

In order to get this done I did the following:

1) Converted client.pem and client_key.pem to a single .pfx file (used this here: Convert a CERT/PEM certificate to a PFX certificate)

2) I used the library System.Net.WebSockets, and wrote the following code:

private void InitWebSockesClient() { client = new ClientWebSocket(); client.Options.SetRequestHeader(HEADER_KEY, HEADER_VALUE); //Some headers I need AddCertificatesSecurity(); } private void AddCertificatesSecurity() { ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; // I KNOW THIS SHOULDNT BE USED ON PROD, had to use it to make it // work locally. ServicePointManager.ServerCertificateValidationCallback = delegate { return true; }; X509Certificate2 x509 = new X509Certificate2(); // this is the pfx I converted from client.pem and client_key byte[] rawData = ReadFile(certificatesPath + @"\cert.pfx"); x509.Import(rawData, "123456", X509KeyStorageFlags.UserKeySet); X509Certificate2Collection certificateCollection = new X509Certificate2Collection(x509); client.Options.ClientCertificates = certificateCollection; }

And when I want to connect I call:

 public async Task<bool> Connect() { Uri uriToConnect = new Uri(URL); await client.ConnectAsync(uriToConnect, CancellationToken.None); return client.State == WebSocketState.Open; }

This works fine locally. But whenever I deploy my Web Api on Azure (App Service) and make an HTTP request to it, it throws:

System.Net.WebSockets.WebSocketException - Unable to connect to the remote server.

And the inner exception:

System.Net.WebException - The request was aborted: Could not create SSL/TLS secure channel.

I enabled WebSockets on the AppService instance.

If I delete the line that always return true for the certificate validation, it doesn't work even locally, and the message says something like: 

The remote certificate is invalid according to the validation procedure.

So definitely I got something wrong with the certificates, those three .pem files are being used right now in a similar [![enter image description here][1]][1]app in a node.js and work fine, the WSS connection is established properly. I don't really know what usage give to each one, so I am kind of lost here.

These are the cipher suites of the domain I want to connect: https://i.sstatic.net/ZFbo3.png

Improve this question
2
  • 1
    Have you referenced Use an SSL certificate in your application code in Azure App Service? If not, please have a try to upload the pfx to azure WebApp and add an app setting called WEBSITE_LOAD_CERTIFICATES and set its value to the thumbprint of the certificate. You also could get the demo code how to use the cert from the document. Commented Jan 24, 2018 at 2:17
  • Thank you Tom! It was that :) Commented Jan 25, 2018 at 3:43

1 Answer 1

Reset to default
1

Inspired by Tom's comment, I finally made it work by just adding the certificate to the Web App in Azure App Service, instead of trying to use it from the filesystem. First I uploaded the .pfx file in the SSL Certificates section in Azure. Then, in the App settings, I added a setting called WEBSITE_LOAD_CERTIFICATES, with the thumbprint of the certificate I wanted (the .pfx).

After that, I modified my code to do work like this:

private void InitWebSockesClient() { client = new ClientWebSocket(); client.Options.SetRequestHeader(HEADER_KEY, HEADER_VALUE); //Some headers I need AddCertificateToWebSocketsClient(); } private void AddCertificateToWebSocketsClient() { ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; // this should really validate the cert ServicePointManager.ServerCertificateValidationCallback = delegate { return true; }; // reading cert from store X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser); certStore.Open(OpenFlags.ReadOnly); X509Certificate2Collection certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, CERTIFICATES_THUMBPRINT, false); if (certCollection.Count > 0) { client.Options.ClientCertificates = certCollection; } else { // handle error } certStore.Close(); }

Where CERTIFICATES_THUMBPRINT is a string (thumbsprint of your certificate, the one you saw on Azure).

In case you want to make it work locally, you just need to install the certificate on your computer, as otherwise it won't obviously find it on the store.

Reference for all this in Azure docs: https://learn.microsoft.com/en-us/azure/app-service/app-service-web-ssl-cert-load.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

You could mark it as an answer that will help more communities who have the same issue easily to search.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.