HttpClient GetString() throws an exception System.Net.Sockets.SocketException - CLR_E_FAIL (1). The specific reason is unknown.

[LoongBa]

Library/API/IoT binding

nanoFramework.Networking.Http

Visual Studio version

VS2022 17.12.3

.NET nanoFramework extension version

2022.12.1.14

Target name(s)

ESP32_REV3

Firmware version

CLR Version: 1.12.1.72

Device capabilities

System Information
HAL build info: nanoCLR running @ ESP32 built with ESP-IDF -128-NOTFOUND
Target: ESP32_REV3
Platform: ESP32

Firmware build Info:
Date: Dec 18 2024
Type: MinSizeRel build, chip rev. >= 3, without support for PSRAM
CLR Version: 1.12.1.72
Compiler: GNU ARM GCC v13.2.0

OEM Product codes (vendor, model, SKU): 0, 0, 0

Target capabilities:
Has nanoBooter: NO
IFU capable: NO

Description

HTTP can be accessed normally at http://www.example.com.
Anomaly occurred when accessing https://www.example.com using HTTPS with unknown reasons.
Test certificates have been configured.
httpClient.GetString()
Runtime exception:

++++ Exception System.Net.Sockets.SocketException - CLR_E_FAIL (1) ++++ ++++ Message: ++++ System.Net.Security.SslNative::SecureConnect [IP: 0000] ++++ ++++ System.Net.Security.SslStream::Authenticate [IP: 0054] ++++ ++++ System.Net.Security.SslStream::AuthenticateAsClient [IP: 000a] ++++ ++++ System.Net.HttpWebRequest::EstablishConnection [IP: 028d] ++++ ++++ System.Net.HttpWebRequest::SubmitRequest [IP: 001a] ++++ ++++ System.Net.HttpWebRequest::GetResponse [IP: 000c] ++++ ++++ System.Net.Http.HttpClientHandler::Send [IP: 00a5] ++++ ++++ System.Net.Http.HttpMessageInvoker::Send [IP: 0013] ++++ ++++ System.Net.Http.HttpClient::Send [IP: 006f] ++++ ++++ System.Net.Http.HttpClient::Get [IP: 000c] ++++ ++++ System.Net.Http.HttpClient::GetString [IP: 0006] ++++ ++++ NFAppTest.Program::Main [IP: 00df] ++++ ++++ Exception System.Net.WebException - 0x00000000 (1) ++++ ++++ Message: GetResponse() failed ++++ System.Net.HttpWebRequest::GetResponse [IP: 00da] ++++ ++++ System.Net.Http.HttpClientHandler::Send [IP: 00a5] ++++ ++++ System.Net.Http.HttpMessageInvoker::Send [IP: 0013] ++++ ++++ System.Net.Http.HttpClient::Send [IP: 006f] ++++ ++++ System.Net.Http.HttpClient::Get [IP: 000c] ++++ ++++ System.Net.Http.HttpClient::GetString [IP: 0006] ++++ ++++ NFAppTest.Program::Main [IP: 00df] ++++ ++++ Exception System.Net.Http.HttpRequestException - 0x00000000 (1) ++++ ++++ Message: An error occurred while sending the request ++++ System.Net.Http.HttpClientHandler::Send [IP: 00bd] ++++ ++++ System.Net.Http.HttpMessageInvoker::Send [IP: 0013] ++++ ++++ System.Net.Http.HttpClient::Send [IP: 006f] ++++ ++++ System.Net.Http.HttpClient::Get [IP: 000c] ++++ ++++ System.Net.Http.HttpClient::GetString [IP: 0006] ++++ ++++ NFAppTest.Program::Main [IP: 00df] ++++

How to reproduce

See the following test code:

1. When accessing the web page using HttpClient, SSL exception:
   Exception System.Net.Sockets.SocketException - CLR_E_FAIL (1)
   For details, please refer to the description.
2. Suspected to be a certificate issue, enabled SslVerification = SslVerification.NoVerification, but it was ineffective;
3. Further, after commenting //SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13, SslVerification.NoVerification took effect, without verifying SSL, the target web page could be accessed.
4. Checked that the validity period range of the local test certificate was normal:
   12/21/2024 02:59:27 < 12/21/2024 10:41:40 < 12/21/2025 02:59:27

Expected behaviour

1. It is hoped to solve the problem of being unable to access the HTTS page, such as making the exception information more clear to determine the cause.
2. Please solve the problem that SslVerification.NoVerification does not work when setting SslProtocols. Thank you.

Screenshots

Sample project or code

public static void Main()
{
CancellationTokenSource cs = new(60000);
var success = WifiNetworkHelper.ConnectDhcp(MySsid, MyPassword, requiresDateTime: true, token: cs.Token);
Debug.WriteLine($"Network address: {NetworkInterface.GetAllNetworkInterfaces()?[0]?.IPv4Address}");

var myCert = new X509Certificate2(myPEMCertString);

//Debug.WriteLine($"---------------- myCert:{certificate.Subject}");
var effectiveDate = myCert.GetEffectiveDate();
var expirationDate = myCert.GetExpirationDate();
var nowTime = DateTime.UtcNow;
if (nowTime < effectiveDate || nowTime > expirationDate) 
    Debug.WriteLine($"**************** Certificate is not valid. {nowTime} not in {effectiveDate} - {expirationDate}");
else
    Debug.WriteLine($"---------------- Certificate is valid. {effectiveDate} < {nowTime} < {expirationDate}");
var httpClient = new HttpClient()
{
    BaseAddress = new Uri($"https://www.example.com/"),
    Timeout = TimeSpan.FromSeconds(5),
    //SslVerification = SslVerification.NoVerification,
    SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,
    HttpsAuthentCert = myCert,
};
try
{
    var html = httpClient.GetString("");
    Debug.WriteLine($"HTML: {html}");
}
catch (Exception ex)
{
    Debug.WriteLine(ex.Message);
}

Thread.Sleep(Timeout.Infinite);

}

Aditional information

No response

[LoongBa]

Test code:

public static void Main()
{
    CancellationTokenSource cs = new(60000);
    var success = WifiNetworkHelper.ConnectDhcp(MySsid, MyPassword, requiresDateTime: true, token: cs.Token);
    Debug.WriteLine($"Network address: {NetworkInterface.GetAllNetworkInterfaces()?[0]?.IPv4Address}");

    var myCert = new X509Certificate2(myPEMCertString);
    //Debug.WriteLine($"---------------- myCert:{certificate.Subject}");
    var httpClient = new HttpClient()
    {
        BaseAddress = new Uri($"https://www.example.com/"),
        Timeout = TimeSpan.FromSeconds(5),
        //SslVerification = SslVerification.NoVerification,
        //SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,
        HttpsAuthentCert = myCert,
    };
    try
    {
        var html = httpClient.GetString("");
        Debug.WriteLine($"HTML: {html}");
    }
    catch (Exception ex)
    {
        Debug.WriteLine(ex.Message);
    }

    Thread.Sleep(Timeout.Infinite);
}

[LoongBa]

The following code runs normally with the same certificate:

            var httpWebRequest = (HttpWebRequest)WebRequest.Create("https://www.example.com/");
            httpWebRequest.Method = "GET";
            httpWebRequest.SslProtocols = SslProtocols.Tls12;
            httpWebRequest.HttpsAuthentCert = myCert;
            using (var httpWebResponse = (HttpWebResponse)httpWebRequest.GetResponse())
            {
                var sr = new StreamReader(httpWebResponse.GetResponseStream());
                var html = sr.ReadToEnd();

                Debug.WriteLine($">>>>>>>>>>>>> Length:{html.Length}");
                Debug.WriteLine($"{html}");
            }

[josesimoes]

You're mentioning "test certificates" that means that that server you're accessing requires a device certificate for authentication?
What you need to provide to access HTTPS is the root CA certificate for the server. Make sure to check the sample.
As for setting SSL protocols, you should select only one. If the server is capable of TLS1.3, that's what you should set. No need to OR it with TLS1.2.

[LoongBa]

As for setting SSL protocols, you should select only one. If the server is capable of TLS1.3, that's what you should set. No need to OR it with TLS1.2.

Thank you for your reply.
I'm very sorry that my description and test code still have redundant and irrelevant content that interferes with the judgment:
SslProtocols.Tls12 | SslProtocols.Tls13
can be removed without affecting the reproduction of the bug.

Bug 1: When SslVerification = SslVerification.NoVerification was set
and the certificate was configured: HttpsAuthentCert = myCert,
an exception occurred.
Comment out the code for configuring the certificate, and the operation is normal.
Bug 2: With the same certificate, an exception occurred when accessing the same website with HttpClient,
but it was normal when using WebRequest instead.
Therefore, it is speculated that the problem comes from HttpClient.

[josesimoes]

@LoongBa is myCert the root CA certificate? If not you'll get an error, which (obviously) you won't when accessing the same URL without HTTPS.

Can you run succesfully the TSL sample?