{"id":21823476,"url":"https://github.com/f2calv/netcore3bugcheck","last_synced_at":"2026-05-10T03:02:04.211Z","repository":{"id":98598170,"uuid":"203964253","full_name":"f2calv/NetCore3BugCheck","owner":"f2calv","description":".net core 2.2/3.0-preview-8/6.0 SSL security level issue when running from container","archived":false,"fork":false,"pushed_at":"2022-04-19T06:12:55.000Z","size":13,"stargazers_count":3,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-03-21T11:36:42.769Z","etag":null,"topics":["alpine","docker","dotnet","dotnetcore","openssl"],"latest_commit_sha":null,"homepage":"","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/f2calv.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-08-23T09:09:04.000Z","updated_at":"2023-05-02T04:30:14.000Z","dependencies_parsed_at":"2023-10-03T23:31:18.264Z","dependency_job_id":null,"html_url":"https://github.com/f2calv/NetCore3BugCheck","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/f2calv/NetCore3BugCheck","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f2calv%2FNetCore3BugCheck","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f2calv%2FNetCore3BugCheck/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f2calv%2FNetCore3BugCheck/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f2calv%2FNetCore3BugCheck/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/f2calv","download_url":"https://codeload.github.com/f2calv/NetCore3BugCheck/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f2calv%2FNetCore3BugCheck/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267807917,"owners_count":24147352,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-30T02:00:09.044Z","response_time":70,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["alpine","docker","dotnet","dotnetcore","openssl"],"created_at":"2024-11-27T17:32:19.349Z","updated_at":"2026-05-10T03:01:59.188Z","avatar_url":"https://github.com/f2calv.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SSL Handshake failed with OpenSSL error\n\nThis is a demo repository replicating OpenSSL security level issues/solutions when connecting to a downlevel SSL certificate (i.e. low TLS version) from a .NET application running in a Linux container.\n\nFor the full thread see [see Github issue 40538](https://github.com/dotnet/corefx/issues/40538).\n\n## Conclusion\n\nThe Debian Buster image has raised the OpenSSL TLS security level to 2.\nAdding the below to the Dockerfile in the .NET Core 3.0 app downlevels the OpenSSL TLS security level to 1, which is a level then compatible with the current Oanda SSL certificate on (https://api-fxpractice.oanda.com);\n\n```dockerfile\nRUN sed 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/' /etc/ssl/openssl.cnf \u003e /etc/ssl/openssl.cnf.changed \\\n   \u0026\u0026 mv /etc/ssl/openssl.cnf.changed /etc/ssl/openssl.cnf\n```\n\n## .NET 6.0 Update _2022-04-19_\n\n.NET 6.0 Docker builds worked just fine with the above command for the first 6-months of the .NET 6.0 release cycle using a final build image of _mcr.microsoft.com/dotnet/aspnet:6.0-alpine_ however in March/April 2022 I discovered the builds started to fail with the following;\n\n```dockerfile\nStep 8/20 : RUN sed 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/' /etc/ssl/openssl.cnf \u003e /etc/ssl/openssl.cnf.changed      \u0026\u0026 mv /etc/ssl/openssl.cnf.changed /etc/ssl/openssl.cnf\n ---\u003e Running in 4faf4e25e9ba\nsed: /etc/ssl/openssl.cnf: No such file or directory\nThe command '/bin/sh -c sed 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/' /etc/ssl/openssl.cnf \u003e /etc/ssl/openssl.cnf.changed  \u0026\u0026 mv /etc/ssl/openssl.cnf.changed /etc/ssl/openssl.cnf' returned a non-zero code: 1\n```\n\nThe default `/etc/ssl/openssl.cnf` file had _been removed_ from the ASP.NET 6.0 Alpine image. On 2022-03-22 there was an [OpenSSL announcement on Debian.org](https://www.debian.org/News/2022/2022032602) regarding various relevant updates.\n\nLong story short I sacrificed using the smaller image and changed to using the vanilla/non-alpine base image _mcr.microsoft.com/dotnet/aspnet:6.0_ and then the build works again as expected.\n\n...then I discovered the SSL certificate on my desired destination URI had been updated anyway so I was able to remove the above :)\n\nThis repository sill serves as an example of how to handle connecting to downlevel SSL certificates.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff2calv%2Fnetcore3bugcheck","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ff2calv%2Fnetcore3bugcheck","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff2calv%2Fnetcore3bugcheck/lists"}