Health check fails from Linux machine, not from Windows machine
Hi,
We’re implementing 2FA authentication with Duo for an application of ours we’re building. This works perfectly when we run the software locally (redirect URL via ngrok) or on a Windows server, but not on our production server: the health check (.DoHealthCheck()) always fails.
We use the C# client from github: GitHub - duosecurity/duo_universal_csharp: Duo two-factor authentication for .NET web applications
To extract the problem from our application itself we created a small console app which does nothing other than create a Duo Universal client with our settings, run the health check, and output whether it succeeded or not. This also only works on the Windows machines (outputs ‘True’) and not the Linux machines (outputs ‘False’).
I suspect it has something to do with differences between the SSL version and/or protocol on the Linux and Windows machines.
I changed the DoHealthCheck a bit to output the error, and that says:
System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback
Anyone any ideas how to fix this?
I ran into the inverse of this problem (worked for me on Linux but not Windows) and it was down to the line endings in the certificate file. My hunch is that the fix in 7501d7a is somehow not enough and there is still an issue on your system.
If it's feasible for you to run the tests, see if the test at https://github.com/duosecurity/duo_universal_csharp/blob/main/DuoUniversal.Tests/TestCertPinning.cs#L72 fails. That tests if the file is split correctly, by making sure ten certificates are found. If that test fails for you, then that would support my hunch.
If it does pass, then my next best hunch is that there is something like an outbound SSL inspector (Blue Coat for example) that is causing issues with the certificate validation. If that's the case, you may need to add additional trusted certificates via the ClientBuilder: https://github.com/duosecurity/duo_universal_csharp/blob/main/DuoUniversal/Client.cs#L346
Hi Aaron,
I tested it, and the results are as follows:
Unhandled exception. NUnit.Framework.AssertionException: Expected: 1
But was: 10
at NUnit.Framework.Assert.ReportFailure(String message)
at NUnit.Framework.Assert.ReportFailure(ConstraintResult result, String message, Object[] args)
at NUnit.Framework.Assert.That[TActual](TActual actual, IResolveConstraint expression, String message, Object[] args)
at NUnit.Framework.Assert.AreEqual(Object expected, Object actual)
at DuoUniversal.Tests.TestCertPinning.TestReadCertFile() in D:\TMP\duo_universal_csharp\DuoUniversal.Tests\TestCertPinning.cs:line 75
at testpinning.Program.Main(String[] args) in D:\TMP\duo_universal_csharp\testpinning\Program.cs:line 11
So what are the next steps to get this working?
P.S. In your test I think you swapped the expected and actual results:
Assert.AreEqual(CertificatePinnerFactory.ReadCertsFromFile().Length, 10);
Shouldn't that be:
Assert.AreEqual(10, CertificatePinnerFactory.ReadCertsFromFile().Length);
The thing that really confuses me is that other people (including me) have the exact opposite issue. See #4 where tloveland1 is having a problem with the certificates file on Windows.
I'll see if I can find a solution that doesn't rely on line endings at all.
@devtendenz I think #6 should fix the issue, I'll try to get it merged as soon as I can get my team to review it.
The PR is merged, let me know if it doesn't resolve your issue.
Thanks AaronAtDuo, this indeed fixed the issue!
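The line-ending dependence discussed in this thread, as an added example that is not part of the original issue and is not the duo_universal_csharp code: a pinned PEM bundle split by its BEGIN/END markers rather than by newlines, with a count check so a mis-split file fails loudly at load time instead of surfacing later as a rejected certificate. `PemBundle`, `SplitDer` and `LoadPinned` are hypothetical names, and the sample bundle is constructed placeholder bytes, not real certificates.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

// Hypothetical helper for illustration; not DuoUniversal's CertificatePinnerFactory.
public static class PemBundle
{
    // One PEM certificate block. [\s\S] spans CRLF, LF and bare CR alike,
    // so the split never depends on how the file was checked out.
    private static readonly Regex Block = new Regex(
        @"-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----");

    // Returns the DER bytes of every certificate block found in the bundle text.
    public static List<byte[]> SplitDer(string bundle)
    {
        var result = new List<byte[]>();
        foreach (Match m in Block.Matches(bundle))
        {
            // Drop all whitespace inside the base64 body before decoding.
            var b64 = new string(m.Groups[1].Value.Where(c => !char.IsWhiteSpace(c)).ToArray());
            result.Add(Convert.FromBase64String(b64));
        }
        return result;
    }

    // Fail closed: a pin set with the wrong number of entries is a packaging error.
    public static List<byte[]> LoadPinned(string bundle, int expectedCount)
    {
        var certs = SplitDer(bundle);
        if (certs.Count != expectedCount)
            throw new InvalidOperationException(
                $"Pinned bundle has {certs.Count} certificates, expected {expectedCount}");
        return certs;
    }

    public static void Main()
    {
        // Constructed sample: three blocks of placeholder bytes.
        string body = Convert.ToBase64String(new byte[] { 0x30, 0x03, 0x02, 0x01, 0x01 });
        string lf = string.Concat(Enumerable.Repeat(
            "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n", 3));

        foreach (var (name, text) in new[] {
            ("LF", lf), ("CRLF", lf.Replace("\n", "\r\n")), ("CR", lf.Replace("\n", "\r")) })
            Console.WriteLine($"{name}: {LoadPinned(text, 3).Count} blocks");

        // A wrong expected count is reported at load time, not at TLS validation time.
        try { LoadPinned(lf, 10); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```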