SSL Handshake Failed on ASP.NET Core Linux Container


When you send a request from a Linux container via HttpClient, the request can fail, depending on the target URI, with an SSL handshake exception that carries the OpenSSL error SSL_ERROR_SSL.

When I encountered this problem, my first thought was that HttpClient had failed to validate the SSL certificate. However, after reading through all the inner exceptions, my eyes landed on this line:

routines:tls_process_ske_dhe:dh key too small

Bingo. It looks like the openssl.cnf inside my container on K8s has a stricter setting than the website's SSL certificate. Gladly, this is an easy fix.

Solution

Inside our Dockerfile we have to add two RUN commands to modify the container's openssl.cnf settings.

## .... 
RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /etc/ssl/openssl.cnf
RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /usr/lib/ssl/openssl.cnf 
## ....

These two lines change the value of SECLEVEL from 2 to 1 in both openssl.cnf files. After adding them, rebuild the image and everything will work as expected.
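sed exits 0 even when nothing matches, so the two RUN lines above succeed on a base image whose openssl.cnf has no DEFAULT@SECLEVEL=2 line, and the setting applies to every OpenSSL client in the container, so it is worth confirming exactly what was changed. The script below is an added example, not code from the original post: it applies the same substitution and reports failure when the line is absent. The names lower_seclevel and make_sample_cnf are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: apply the post's SECLEVEL substitution and verify it.
# lower_seclevel and make_sample_cnf are hypothetical helper names.

lower_seclevel() {
    cnf="$1"
    # Status 2: this image has no file at that path, nothing to patch.
    [ -f "$cnf" ] || { echo "skip: $cnf not found" >&2; return 2; }

    # Status 1: the expected line is absent, so sed would silently do nothing.
    if ! grep -q 'DEFAULT@SECLEVEL=2' "$cnf"; then
        echo "error: DEFAULT@SECLEVEL=2 not present in $cnf" >&2
        return 1
    fi

    # Same substitution as the Dockerfile lines. Writing the result back
    # through the path keeps a symlinked openssl.cnf a symlink.
    tmp=$(mktemp) || return 1
    sed 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' "$cnf" > "$tmp" &&
        cat "$tmp" > "$cnf"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 1

    # Confirm the file now carries level 1 and no remaining level 2 entry.
    grep -q 'DEFAULT@SECLEVEL=1' "$cnf" && ! grep -q 'DEFAULT@SECLEVEL=2' "$cnf"
}

# Constructed sample of the relevant openssl.cnf section, for trying it out.
make_sample_cnf() {
    cat > "$1" <<'EOF'
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF
}

# When called with paths (for example from a RUN step), patch each one and
# stop the build if a file exists but does not contain the expected line.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        lower_seclevel "$f"
        [ "$?" -ne 1 ] || exit 1
    done
fi
```

Passing both /etc/ssl/openssl.cnf and /usr/lib/ssl/openssl.cnf as arguments mirrors the two RUN lines; a missing path is skipped, while a present file without the expected line stops the build.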