C# TLS/SSL with HttpListener ERR_CONNECTION_REFUSED


I believe I have followed the necessary steps to spin up an HttpListener (C#), generate a self-signed certificate, install the certificate into the certificate store, bind the certificate to the port and register the URL via netsh. However, at this point in time, my non-SSL/TLS URL is working perfectly fine, but the HTTPS URL is simply returning a connection refused error.

My steps:

  1. HTTPS listener with all prefixes added (both for http and https)
  2. Self-signed certificate generated using

makecert -r -pe -n "CN=mysubdomain.mydomain.co.za" -sky exchange test.cer -sv test.pvk

  3. Conversion of certificate to PFX (so the private key is included when installing into the cert store)

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\pvk2pfx.exe" -pvk test.pvk -spc test.cer -pfx test.pfx

  4. Installing the certificate via MMC (Certificates snap-in) into both the Personal store and Trusted Root Certification Authorities. It clearly shows "You have a private key that corresponds to this certificate".
  5. Registering the HTTP and HTTPS URLs via command-line NETSH.
  6. Binding the certificate to the port using

netsh http add sslcert ipport=0.0.0.0:8483 certhash=0bb6fec9fb940d4d5733cffa5108fa48f3d546b3 appid={D288F4CC-22B2-4F5C-86D8-CB23AB90F6CF}

Both appid and certhash are correct. *I used to get an error due to not having the private key embedded in the certificate.

My verifications:

  1. Checking urlacl http via

netsh http show urlacl | findstr 8483

yields

Reserved URL : https://+:8483/myurlpath/

  2. Checking certificate via

netsh http show sslcert | findstr 8483

yields

IP:port : 0.0.0.0:8483

or more specifically

IP:port                      : 0.0.0.0:8483
Certificate Hash             : 0bb6fec9fb940d4d5733cffa5108fa48f3d546b3
Application ID               : {d288f4cc-22b2-4f5c-86d8-cb23ab90f6cf}
Certificate Store Name       : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check                  : Enabled
Revocation Freshness Time    : 0
URL Retrieval Timeout        : 0
Ctl Identifier               : (null)
Ctl Store Name               : (null)
DS Mapper Usage              : Disabled
Negotiate Client Certificate : Disabled
Reject Connections           : Disabled
Disable HTTP2                : Not Set
Disable QUIC                 : Not Set
Disable TLS1.2               : Not Set
Disable TLS1.3               : Not Set
Disable OCSP Stapling        : Not Set
Enable Token Binding         : Not Set
Log Extended Events          : Not Set
Disable Legacy TLS Versions  : Not Set
Enable Session Ticket        : Not Set

I would greatly appreciate some assistance in identifying what I've missed.

My expectation is that the URL is registered, the CERTIFICATE has been imported and bound to the port and that HttpListener is starting up using a registered URL - however my error is ERR_CONNECTION_REFUSED.
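A connection refused error is the TCP layer saying nothing accepted the connection on that port, so it is reported before any TLS handshake or certificate check happens. The following is an added diagnostic example, not the poster's code: it checks the three things a practitioner would verify in order, namely that the certificate bound with `netsh` is present in the Local Computer Personal store (LocalMachine\My, the store HTTP.sys serves TLS from) with a private key, that `HttpListener.Start()` succeeds with both the http and https prefixes added, and that the OS then actually reports a TCP listener on the TLS port. The port 8483, the path `myurlpath/` and the certificate thumbprint come from the post; the http port 8080 is an assumption, and the process must run as Administrator or under the account the urlacl was reserved for.

```csharp
// Added diagnostic example; not the original poster's code.
// Assumptions: http port 8080 (not stated in the post); https port, path and
// thumbprint are the values shown in the post.
using System;
using System.Linq;
using System.Net;
using System.Net.NetworkInformation;
using System.Security.Cryptography.X509Certificates;
using System.Text;

class HttpsListenerCheck
{
    const int HttpsPort = 8483;
    const int HttpPort = 8080; // assumed
    const string Thumbprint = "0bb6fec9fb940d4d5733cffa5108fa48f3d546b3";

    static void Main()
    {
        // 1. HTTP.sys serves TLS only from certificates in LocalMachine\My that
        //    carry an accessible private key. A certificate imported into the
        //    Current User store is invisible to it.
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, Thumbprint, validOnly: false);
            if (found.Count == 0)
                Console.WriteLine("certificate not found in LocalMachine\\My");
            else
                Console.WriteLine($"certificate found, HasPrivateKey={found[0].HasPrivateKey}");
        }

        // 2. Every prefix must be added before Start(). If the https prefix is
        //    missing here, HTTP.sys never opens the TLS port and a browser sees
        //    ERR_CONNECTION_REFUSED regardless of how the sslcert binding looks.
        var listener = new HttpListener();
        listener.Prefixes.Add($"http://+:{HttpPort}/myurlpath/");
        listener.Prefixes.Add($"https://+:{HttpsPort}/myurlpath/");

        try
        {
            listener.Start();
        }
        catch (HttpListenerException ex)
        {
            // ErrorCode 5 (ERROR_ACCESS_DENIED) means the urlacl for a prefix is
            // missing or was reserved for a different account.
            Console.WriteLine($"Start failed: error {ex.ErrorCode}: {ex.Message}");
            return;
        }

        // 3. HTTP.sys owns the socket, so the listener shows up system-wide;
        //    this is the same information netstat reports under PID 4.
        Console.WriteLine($"TCP listener on port {HttpsPort}: {IsListening(HttpsPort)}");

        // Serve requests so the binding can be exercised with a browser or curl.
        while (true)
        {
            HttpListenerContext ctx = listener.GetContext();
            byte[] body = Encoding.UTF8.GetBytes(
                $"scheme={ctx.Request.Url.Scheme} secure={ctx.Request.IsSecureConnection}\n");
            ctx.Response.ContentType = "text/plain";
            ctx.Response.ContentLength64 = body.Length;
            ctx.Response.OutputStream.Write(body, 0, body.Length);
            ctx.Response.Close();
        }
    }

    // True when the OS has a TCP socket in LISTENING state on the given port.
    static bool IsListening(int port)
    {
        return IPGlobalProperties.GetIPGlobalProperties()
            .GetActiveTcpListeners()
            .Any(ep => ep.Port == port);
    }
}
```

Because `netsh http add sslcert` already succeeded for this thumbprint, the store check is expected to pass; the informative result is the third line. If `Start()` succeeds but port 8483 is not reported as listening, the https prefix in the running process does not match what was reserved (scheme, host wildcard, port and trailing slash must all agree with the urlacl shown by `netsh http show urlacl`), and the TLS port was never opened.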
