Could not create SSL/TLS secure channel after a partner web service upgrade, using System.Net and client certificate authentication

Question (2 votes, 1 answer)

We have an application that calls a web service protected by an SSL client certificate. Our partner upgraded their gateway, and since that upgrade we can no longer call their web service.

Here is the C# code that used to work:

    // requires: using System.Net; using System.Security.Cryptography.X509Certificates; using System.Text;
    // NOTE: both validation callbacks below return true unconditionally, which disables server
    // certificate validation: any certificate presented for this host, including one from an
    // interceptor, is accepted.
    ServicePointManager.ServerCertificateValidationCallback = (s, c, h, p) => { return true; };
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
    var req = (HttpWebRequest)WebRequest.Create(requestUrl);
    req.Method = "POST";
    req.ContentType = "application/json";
    req.ServerCertificateValidationCallback = (sender, certificate, chain, errors) => true;
    req.ClientCertificates.Add(new X509Certificate2(CertificatePath, Password)); // PFX with private key
    var byteContent = Encoding.UTF8.GetBytes(content);
    req.ContentLength = byteContent.Length;
    req.Proxy = new WebProxy("***PROXY-URL***"); // CONNECT tunnel through the corporate proxy
    req.AllowAutoRedirect = true;
    using (var requestStream = req.GetRequestStream()) // Exception here: "The request was aborted: Could not create SSL/TLS secure channel."
    {
        requestStream.Write(byteContent, 0, byteContent.Length);
    }
    using (var response = (HttpWebResponse)req.GetResponse())
    {
        // handle response
    }

Here is the System.Net trace:

System.Net Information: 0 : [5564] Current OS installation type is 'Server'.
System.Net Verbose: 0 : [5564] Entering WebRequest::Create(***WEBSERVICEURL***)
System.Net Verbose: 0 : [5564] Entering HttpWebRequest#16639474::HttpWebRequest(***WEBSERVICEURL***#100646014)
System.Net Information: 0 : [5564] RAS supported: True
System.Net Verbose: 0 : [5564] Exiting HttpWebRequest#16639474::HttpWebRequest() 
System.Net Verbose: 0 : [5564] Exiting WebRequest::Create()     -> HttpWebRequest#16639474
System.Net Verbose: 0 : [5564] Entering ServicePoint#5620158::ServicePoint(***PROXYURL***)
System.Net Information: 0 : [5564] Associating HttpWebRequest#16639474 with ServicePoint#5620158
System.Net Verbose: 0 : [5564] Entering HttpWebRequest#16639474::GetRequestStream()
System.Net Information: 0 : [5564] Associating Connection#52579650 with HttpWebRequest#16639474
System.Net Verbose: 0 : [5564] Entering HttpWebRequest#3454809::HttpWebRequest(***PROXYURL***/#589308768)
System.Net Verbose: 0 : [5564] Exiting HttpWebRequest#3454809::HttpWebRequest() 
System.Net Verbose: 0 : [5564] Entering ServicePoint#31093287::ServicePoint(***PROXYURL***)
System.Net Information: 0 : [5564] Associating HttpWebRequest#3454809 with ServicePoint#31093287
System.Net Verbose: 0 : [5564] Entering HttpWebRequest#3454809::GetResponse()
System.Net Information: 0 : [5564] Associating Connection#11404133 with HttpWebRequest#3454809
System.Net Information: 0 : [5564] Connection#11404133 - Created connection from ***MY-IP***:56660 to ***PROXY-IP***.
System.Net Information: 0 : [5564] Associating HttpWebRequest#3454809 with ConnectStream#35528341
System.Net Information: 0 : [5564] HttpWebRequest#3454809 - Request: CONNECT ***WEBSERVICE-HOST***:443 HTTP/1.1

System.Net Information: 0 : [5564] ConnectStream#35528341 - Sending headers
{
Host: ***WEBSERVICE-HOST***
Proxy-Connection: Keep-Alive
}.
System.Net Information: 0 : [5564] Connection#11404133 - Received status line: Version=1.1, StatusCode=200, StatusDescription=Connection established.
System.Net Information: 0 : [5564] Connection#11404133 - Received headers
{

}.
System.Net Information: 0 : [5564] ConnectStream#51319614::ConnectStream(Buffered -1 bytes.)
System.Net Information: 0 : [5564] Associating HttpWebRequest#3454809 with ConnectStream#51319614
System.Net Information: 0 : [5564] Associating HttpWebRequest#3454809 with HttpWebResponse#59223347
System.Net Verbose: 0 : [5564] Exiting HttpWebRequest#3454809::GetResponse()    -> HttpWebResponse#59223347
System.Net Verbose: 0 : [5564] Entering HttpWebResponse#59223347::GetResponseStream()
System.Net Information: 0 : [5564] ContentLength=-1
System.Net Verbose: 0 : [5564] Exiting HttpWebResponse#59223347::GetResponseStream()    -> ConnectStream#51319614
System.Net Information: 0 : [5564] TlsStream#63248075::.ctor(host=***WEBSERVICE-HOST***, #certs=1, checkCertificateRevocationList=False, sslProtocols=Tls12)
System.Net Information: 0 : [5564] Associating HttpWebRequest#16639474 with ConnectStream#32361769
System.Net Information: 0 : [5564] HttpWebRequest#16639474 - Request: POST /WebServiceTarification/v1/Calcul HTTP/1.1

System.Net Information: 0 : [5564] ConnectStream#32361769 - Sending headers
{
Content-Type: application/json
Host: ***WEBSERVICE-HOST***
Content-Length: 686
Expect: 100-continue
Connection: Keep-Alive
}.
System.Net Information: 0 : [5564] SecureChannel#22820469::.ctor(hostname=***WEBSERVICE-HOST***, #clientCertificates=1, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [5564] Enumerating security packages:
System.Net Information: 0 : [5564]     Negotiate
System.Net Information: 0 : [5564]     NegoExtender
System.Net Information: 0 : [5564]     Kerberos
System.Net Information: 0 : [5564]     NTLM
System.Net Information: 0 : [5564]     Schannel
System.Net Information: 0 : [5564]     Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [5564]     WDigest
System.Net Information: 0 : [5564]     TSSSP
System.Net Information: 0 : [5564]     pku2u
System.Net Information: 0 : [5564]     CREDSSP
System.Net Information: 0 : [5564] SecureChannel#22820469 - Attempting to restart the session using the user-provided certificate: [Version]
  V1

[Subject]
  E=***WS-EMAIL***, CN=***MY-COMPANY***, OU=***SOME-WS-OU***, O=***SOME-WS-O***, L=Bruxelles, S=Bruxelles, C=BE
  Simple Name: ***MY-COMPANY***
  Email Name: ***WS-EMAIL***
  DNS Name: ***MY-COMPANY***

[Issuer]
  E=***WS-EMAIL***, CN=***SOME-WS-COMPANY-HOSTNAME***, OU=***SOME-WS-OU***, O=***SOME-WS-O***, L=Bruxelles, S=Bruxelles, C=BE
  Simple Name: ***SOME-WS-COMPANY-HOSTNAME***
  Email Name: ***WS-EMAIL***
  DNS Name: ***SOME-WS-COMPANY-HOSTNAME***

[Serial Number]
  ***SERIALNUMBER**

[Not Before]
  7/5/2016 11:39:44 AM

[Not After]
  7/3/2026 11:39:44 AM

[Thumbprint]
  ***THUMBPRINT**

[Signature Algorithm]
  sha512RSA(1.2.840.113549.1.1.13)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: ***KEYBLOB**
System.Net Information: 0 : [5564] SecureChannel#22820469 - Left with 1 client certificates to choose from.
System.Net Information: 0 : [5564] SecureChannel#22820469 - Trying to find a matching certificate in the certificate store.
System.Net Information: 0 : [5564] SecureChannel#22820469 - Locating the private key for the certificate: 
***CERTIFICATE***
System.Net Information: 0 : [5564] SecureChannel#22820469 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [5564] SecureChannel#22820469::.AcquireClientCredentials, new SecureCredential() (flags=(ValidateManual, NoDefaultCred, SendAuxRecord, UseStrongCrypto), m_ProtocolFlags=(Tls12Client), m_EncryptionPolicy=RequireEncryption)
System.Net Information: 0 : [5564] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=198, returned code=ContinueNeeded).
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=CredentialsNeeded).
System.Net Information: 0 : [5564] SecureChannel#22820469 - We have user-provided certificates. The server has not specified any issuers, so try all the certificates.
System.Net Information: 0 : [5564] SecureChannel#22820469 - Selected certificate: 
***CERTIFICATE***
System.Net Information: 0 : [5564] SecureChannel#22820469 - Left with 1 client certificates to choose from.
System.Net Information: 0 : [5564] SecureChannel#22820469 - Trying to find a matching certificate in the certificate store.
System.Net Information: 0 : [5564] SecureChannel#22820469 - Locating the private key for the certificate: 
***CERTIFICATE***
System.Net Information: 0 : [5564] SecureChannel#22820469 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [5564] SecureChannel#22820469::.AcquireClientCredentials, new SecureCredential() (flags=(ValidateManual, NoDefaultCred, SendAuxRecord, UseStrongCrypto), m_ProtocolFlags=(Tls12Client), m_EncryptionPolicy=RequireEncryption)
System.Net Information: 0 : [5564] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=189, returned code=ContinueNeeded).
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
System.Net Error: 0 : [5564] Exception in HttpWebRequest#16639474:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [5564] Exception in HttpWebRequest#16639474::EndGetRequestStream - The request was aborted: Could not create SSL/TLS secure channel..

I am using .Net 4.6.2 on Windows Server 2012, but I can reproduce it on .Net Core 2.2.

From what I see in Wireshark, the code no longer seems to send the client certificate, even though it is configured in the certificate store. Thanks for your help.

Edit: I managed to make it work by using TLS 1.1 instead of TLS 1.2:

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11;

But the question remains why it does not work with TLS 1.2 and gives this error message:

    System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
Tags: c# .net ssl client-certificates system.net

1 answer

0 votes
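The trace above shows the server sending a CertificateRequest (`returned code=CredentialsNeeded`), the client answering with its certificate (`Out-Buffer length=189`), and the handshake then dying with `IllegalMessage`. The following is an added diagnostic example, not code from the question or the answer: it performs the mutual-TLS handshake directly with `SslStream`, one protocol version at a time, with proper server certificate validation instead of the `=> true` callbacks, and prints the properties of the client certificate that matter for the TLS 1.2 CertificateVerify step (private key present, X.509 version, key size, signature algorithm). The host name, port, PFX path and password are placeholders, and the connection is made directly rather than through the CONNECT proxy in the question.

```csharp
// Added example: mutual-TLS handshake probe with SslStream. Host, path and password are assumptions.
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class MutualTlsProbe
{
    // Replacement for the "=> true" callbacks in the question: accept the server certificate
    // only when the chain validates with no policy errors, and log why it was rejected otherwise.
    static bool ValidateServer(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        Console.WriteLine("Server certificate REJECTED: " + errors);
        if (chain != null)
            foreach (var status in chain.ChainStatus)
                Console.WriteLine("  chain: " + status.Status + " - " + status.StatusInformation);
        return false;
    }

    // Properties of the client certificate that decide whether Schannel can produce a
    // CertificateVerify the server will accept.
    static void DescribeClientCert(X509Certificate2 cert)
    {
        Console.WriteLine("Subject:       " + cert.Subject);
        Console.WriteLine("Issuer:        " + cert.Issuer);
        Console.WriteLine("X.509 version: " + cert.Version);
        Console.WriteLine("Signature alg: " + cert.SignatureAlgorithm.FriendlyName);
        var rsa = cert.GetRSAPublicKey();
        Console.WriteLine("Public key:    " + (rsa != null ? "RSA " + rsa.KeySize : cert.PublicKey.Oid.FriendlyName));
        Console.WriteLine("Private key:   " + cert.HasPrivateKey);
        Console.WriteLine("Valid:         " + cert.NotBefore + " .. " + cert.NotAfter);
    }

    // Open a raw TLS session to host:port with exactly one protocol version enabled and report
    // whether the handshake completes and which parameters were negotiated.
    static bool Probe(string host, int port, X509Certificate2 clientCert, SslProtocols protocol)
    {
        Console.WriteLine("--- Handshake with " + protocol + " ---");
        try
        {
            using (var tcp = new TcpClient(host, port))
            using (var ssl = new SslStream(tcp.GetStream(), false, ValidateServer))
            {
                var certs = new X509Certificate2Collection { clientCert };
                ssl.AuthenticateAsClient(host, certs, protocol, checkCertificateRevocation: true);
                Console.WriteLine("Negotiated: " + ssl.SslProtocol + " " + ssl.KeyExchangeAlgorithm + " "
                                  + ssl.CipherAlgorithm + "/" + ssl.CipherStrength + " " + ssl.HashAlgorithm);
                Console.WriteLine("Client cert sent: " + (ssl.LocalCertificate != null)
                                  + ", mutually authenticated: " + ssl.IsMutuallyAuthenticated);
                return true;
            }
        }
        catch (AuthenticationException ex)
        {
            // This is the exception behind "Could not create SSL/TLS secure channel".
            Console.WriteLine("Handshake failed: " + ex.Message);
            if (ex.InnerException != null) Console.WriteLine("  inner: " + ex.InnerException.Message);
            return false;
        }
    }

    static void Main()
    {
        const string host = "partner.example";            // assumed partner host
        const string certPath = @"C:\certs\client.pfx";   // assumed PFX path
        var clientCert = new X509Certificate2(certPath, "***PASSWORD***");
        DescribeClientCert(clientCert);
        // Same certificate, each version in turn: a failure on Tls12 with a success on Tls11
        // isolates the problem to the TLS 1.2 client-authentication exchange rather than the file.
        foreach (var p in new[] { SslProtocols.Tls12, SslProtocols.Tls11 })
            Probe(host, 443, clientCert, p);
    }
}
```

Because validation is real here, a rejected server certificate (for example one re-signed by an intercepting proxy) shows up as an explicit `SslPolicyErrors` value instead of being silently accepted. If the partner host is only reachable through the proxy, run the probe from a machine with direct egress, or capture the direct handshake in Wireshark and compare the alert the server returns after the client's Certificate/CertificateVerify flight with the `IllegalMessage` point in the trace.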

Any progress here? We have the same problem, but our certificate is sha256RSA, 2048 bits.
