I recently upgraded my project from .NET 8 to .NET 9, and my WebSocket Secure (WSS) server has stopped working. The same code works perfectly fine in .NET 8, but after the upgrade, it fails to establish a secure connection.

Here is the relevant part of my code:

public WebSocketServer wssv = new WebSocketServer("wss://127.0.0.1:5963");

X509Certificate2 certificate = new X509Certificate2("path_to_cer");
using (X509Store store = new X509Store(StoreName.Root, StoreLocation.CurrentUser))
{
    store.Open(OpenFlags.ReadWrite);

    if (!store.Certificates.Contains(certificate))
        store.Add(certificate);
}

X509Certificate2 cert = new X509Certificate2("path_to_pfx", "1", X509KeyStorageFlags.MachineKeySet);

wssv.SslConfiguration.ServerCertificate = new X509Certificate2(cert);
wssv.SslConfiguration.CheckCertificateRevocation = false;
wssv.SslConfiguration.ClientCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
wssv.SslConfiguration.EnabledSslProtocols |= SslProtocols.Tls12 | SslProtocols.Tls13;
wssv.AddWebSocketService<WebSocketService>("/");
wssv.KeepClean = false;
wssv.Start();

Problem description

• In .NET 8, this code successfully starts a WSS server and allows secure WebSocket connections
• After upgrading to .NET 9, the server fails to establish a secure connection. Clients attempting to connect receive errors related to SSL/TLS handshake failures
• I have verified that:
  • The certificate (path_to_pfx) is valid and not expired
  • The private key is accessible, and the certificate is correctly added to the CurrentUser\Root store
  • The port 5963 is open and not blocked by a firewall

Questions

1. Are there any breaking changes in .NET 9 related to SSL/TLS or WebSocket secure connections?
2. Could the issue be related to how certificates are handled in .NET 9? If so, what changes should I make to my code?
3. Is there a way to debug SSL/TLS handshake failures in more detail to pinpoint the root cause?

Any help or guidance would be greatly appreciated!

Additional notes

• The WebSocket library I am using is WebSocketSharp
• The operating system is Windows 11
• The certificate is self-signed and used only for local development purposes

I recently upgraded my project from .NET 8 to .NET 9, and my WebSocket Secure (WSS) server has stopped working. The same code works perfectly fine in .NET 8, but after the upgrade, it fails to establish a secure connection.

Here is the relevant part of my code:

public WebSocketServer wssv = new WebSocketServer("wss://127.0.0.1:5963");

X509Certificate2 certificate = new X509Certificate2("path_to_cer");
using (X509Store store = new X509Store(StoreName.Root, StoreLocation.CurrentUser))
{
    store.Open(OpenFlags.ReadWrite);

    if (!store.Certificates.Contains(certificate))
        store.Add(certificate);
}

X509Certificate2 cert = new X509Certificate2("path_to_pfx", "1", X509KeyStorageFlags.MachineKeySet);

wssv.SslConfiguration.ServerCertificate = new X509Certificate2(cert);
wssv.SslConfiguration.CheckCertificateRevocation = false;
wssv.SslConfiguration.ClientCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
wssv.SslConfiguration.EnabledSslProtocols |= SslProtocols.Tls12 | SslProtocols.Tls13;
wssv.AddWebSocketService<WebSocketService>("/");
wssv.KeepClean = false;
wssv.Start();

Problem description

• In .NET 8, this code successfully starts a WSS server and allows secure WebSocket connections
• After upgrading to .NET 9, the server fails to establish a secure connection. Clients attempting to connect receive errors related to SSL/TLS handshake failures
• I have verified that:
  • The certificate (path_to_pfx) is valid and not expired
  • The private key is accessible, and the certificate is correctly added to the CurrentUser\Root store
  • The port 5963 is open and not blocked by a firewall

Questions

1. Are there any breaking changes in .NET 9 related to SSL/TLS or WebSocket secure connections?
2. Could the issue be related to how certificates are handled in .NET 9? If so, what changes should I make to my code?
3. Is there a way to debug SSL/TLS handshake failures in more detail to pinpoint the root cause?

Any help or guidance would be greatly appreciated!

Additional notes

• The WebSocket library I am using is WebSocketSharp
• The operating system is Windows 11
• The certificate is self-signed and used only for local development purposes

• c#
• websocket
• -9.0

1 Answer 1

Regarding debugging TLS Handshake failures there are a few good posts already on Stack Overflow - this one is good : Debugging failing HTTPS WebRequest

It also links to this very helpful post from Microsoft in the comments : https://learn.microsoft/en-us/dotnet/framework/network-programming/how-to-configure-network-tracing

One other thing you can do is to change this line of your code:

wssv.SslConfiguration.ClientCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;

To put a breakpoint in it - so change to something like:

wssv.SslConfiguration.ClientCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => {

    // ideally change this code to not blindly return true, but validate what 
    // it is possible to validate - to completely bypass validation isn't ideal

    // put a breakpoint on the below statement
    return true;
};

That will tell you at least if you are getting as far as the cert validation callback, and let you inspect the values if it is - especially sslPolicyErrors

Hopefully the above will help you understand what's going on in more detail. HTH, Nick