C# "Could not create SSL/TLS secure channel" after partner web service upgrade, using System.Net and client certificate authentication
Tags: c#, .net, ssl, client-certificates, system.net

We have an application that calls a web service protected by an SSL client certificate. Our partner upgraded their gateway, and since that upgrade we can no longer call their web service. This is the C# code that was used before:
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Accepts every server certificate (server certificate validation is effectively disabled; kept as posted)
ServicePointManager.ServerCertificateValidationCallback = (s, c, h, p) => { return true; };
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
var req = (HttpWebRequest)WebRequest.Create(requestUrl);
req.Method = "POST";
req.ContentType = "application/json";
req.ServerCertificateValidationCallback = (sender, certificate, chain, errors) => true;
// Client certificate (PFX with private key) presented during the TLS handshake
req.ClientCertificates.Add(new X509Certificate2(CertificatePath, Password));
var byteContent = Encoding.UTF8.GetBytes(content);
req.ContentLength = byteContent.Length;
req.Proxy = new WebProxy("***PROXY-URL***");
req.AllowAutoRedirect = true;
using (var requestStream = req.GetRequestStream()) // Exception is thrown here
{
    requestStream.Write(byteContent, 0, byteContent.Length);
}
Here is the System.Net trace:
System.Net Information: 0 : [5564] Current OS installation type is 'Server'.
System.Net Verbose: 0 : [5564] Entering WebRequest::Create(***WEBSERVICEURL***)
System.Net Verbose: 0 : [5564] Entering HttpWebRequest#16639474::HttpWebRequest(***WEBSERVICEURL***#100646014)
System.Net Information: 0 : [5564] RAS supported: True
System.Net Verbose: 0 : [5564] Exiting HttpWebRequest#16639474::HttpWebRequest()
System.Net Verbose: 0 : [5564] Exiting WebRequest::Create() -> HttpWebRequest#16639474
System.Net Verbose: 0 : [5564] Entering ServicePoint#5620158::ServicePoint(***PROXYURL***)
System.Net Information: 0 : [5564] Associating HttpWebRequest#16639474 with ServicePoint#5620158
System.Net Verbose: 0 : [5564] Entering HttpWebRequest#16639474::GetRequestStream()
System.Net Information: 0 : [5564] Associating Connection#52579650 with HttpWebRequest#16639474
System.Net Verbose: 0 : [5564] Entering HttpWebRequest#3454809::HttpWebRequest(***PROXYURL***/#589308768)
System.Net Verbose: 0 : [5564] Exiting HttpWebRequest#3454809::HttpWebRequest()
System.Net Verbose: 0 : [5564] Entering ServicePoint#31093287::ServicePoint(***PROXYURL***)
System.Net Information: 0 : [5564] Associating HttpWebRequest#3454809 with ServicePoint#31093287
System.Net Verbose: 0 : [5564] Entering HttpWebRequest#3454809::GetResponse()
System.Net Information: 0 : [5564] Associating Connection#11404133 with HttpWebRequest#3454809
System.Net Information: 0 : [5564] Connection#11404133 - Created connection from ***MY-IP***:56660 to ***PROXY-IP***.
System.Net Information: 0 : [5564] Associating HttpWebRequest#3454809 with ConnectStream#35528341
System.Net Information: 0 : [5564] HttpWebRequest#3454809 - Request: CONNECT ***WEBSERVICE-HOST***:443 HTTP/1.1
System.Net Information: 0 : [5564] ConnectStream#35528341 - Sending headers
{
Host: ***WEBSERVICE-HOST***
Proxy-Connection: Keep-Alive
}.
System.Net Information: 0 : [5564] Connection#11404133 - Received status line: Version=1.1, StatusCode=200, StatusDescription=Connection established.
System.Net Information: 0 : [5564] Connection#11404133 - Received headers
{
}.
System.Net Information: 0 : [5564] ConnectStream#51319614::ConnectStream(Buffered -1 bytes.)
System.Net Information: 0 : [5564] Associating HttpWebRequest#3454809 with ConnectStream#51319614
System.Net Information: 0 : [5564] Associating HttpWebRequest#3454809 with HttpWebResponse#59223347
System.Net Verbose: 0 : [5564] Exiting HttpWebRequest#3454809::GetResponse() -> HttpWebResponse#59223347
System.Net Verbose: 0 : [5564] Entering HttpWebResponse#59223347::GetResponseStream()
System.Net Information: 0 : [5564] ContentLength=-1
System.Net Verbose: 0 : [5564] Exiting HttpWebResponse#59223347::GetResponseStream() -> ConnectStream#51319614
System.Net Information: 0 : [5564] TlsStream#63248075::.ctor(host=***WEBSERVICE-HOST***, #certs=1, checkCertificateRevocationList=False, sslProtocols=Tls12)
System.Net Information: 0 : [5564] Associating HttpWebRequest#16639474 with ConnectStream#32361769
System.Net Information: 0 : [5564] HttpWebRequest#16639474 - Request: POST /WebServiceTarification/v1/Calcul HTTP/1.1
System.Net Information: 0 : [5564] ConnectStream#32361769 - Sending headers
{
Content-Type: application/json
Host: ***WEBSERVICE-HOST***
Content-Length: 686
Expect: 100-continue
Connection: Keep-Alive
}.
System.Net Information: 0 : [5564] SecureChannel#22820469::.ctor(hostname=***WEBSERVICE-HOST***, #clientCertificates=1, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [5564] Enumerating security packages:
System.Net Information: 0 : [5564] Negotiate
System.Net Information: 0 : [5564] NegoExtender
System.Net Information: 0 : [5564] Kerberos
System.Net Information: 0 : [5564] NTLM
System.Net Information: 0 : [5564] Schannel
System.Net Information: 0 : [5564] Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [5564] WDigest
System.Net Information: 0 : [5564] TSSSP
System.Net Information: 0 : [5564] pku2u
System.Net Information: 0 : [5564] CREDSSP
System.Net Information: 0 : [5564] SecureChannel#22820469 - Attempting to restart the session using the user-provided certificate: [Version]
V1
[Subject]
E=***WS-EMAIL***, CN=***MY-COMPANY***, OU=***SOME-WS-OU***, O=***SOME-WS-O***, L=Bruxelles, S=Bruxelles, C=BE
Simple Name: ***MY-COMPANY***
Email Name: ***WS-EMAIL***
DNS Name: ***MY-COMPANY***
[Issuer]
E=***WS-EMAIL***, CN=***SOME-WS-COMPANY-HOSTNAME***, OU=***SOME-WS-OU***, O=***SOME-WS-O***, L=Bruxelles, S=Bruxelles, C=BE
Simple Name: ***SOME-WS-COMPANY-HOSTNAME***
Email Name: ***WS-EMAIL***
DNS Name: ***SOME-WS-COMPANY-HOSTNAME***
[Serial Number]
***SERIALNUMBER**
[Not Before]
7/5/2016 11:39:44 AM
[Not After]
7/3/2026 11:39:44 AM
[Thumbprint]
***THUMBPRINT**
[Signature Algorithm]
sha512RSA(1.2.840.113549.1.1.13)
[Public Key]
Algorithm: RSA
Length: 2048
Key Blob: ***KEYBLOB**
System.Net Information: 0 : [5564] SecureChannel#22820469 - Left with 1 client certificates to choose from.
System.Net Information: 0 : [5564] SecureChannel#22820469 - Trying to find a matching certificate in the certificate store.
System.Net Information: 0 : [5564] SecureChannel#22820469 - Locating the private key for the certificate:
***CERTIFICATE***
System.Net Information: 0 : [5564] SecureChannel#22820469 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [5564] SecureChannel#22820469::.AcquireClientCredentials, new SecureCredential() (flags=(ValidateManual, NoDefaultCred, SendAuxRecord, UseStrongCrypto), m_ProtocolFlags=(Tls12Client), m_EncryptionPolicy=RequireEncryption)
System.Net Information: 0 : [5564] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=198, returned code=ContinueNeeded).
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=CredentialsNeeded).
System.Net Information: 0 : [5564] SecureChannel#22820469 - We have user-provided certificates. The server has not specified any issuers, so try all the certificates.
System.Net Information: 0 : [5564] SecureChannel#22820469 - Selected certificate:
***CERTIFICATE***
System.Net Information: 0 : [5564] SecureChannel#22820469 - Left with 1 client certificates to choose from.
System.Net Information: 0 : [5564] SecureChannel#22820469 - Trying to find a matching certificate in the certificate store.
System.Net Information: 0 : [5564] SecureChannel#22820469 - Locating the private key for the certificate:
***CERTIFICATE***
System.Net Information: 0 : [5564] SecureChannel#22820469 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [5564] SecureChannel#22820469::.AcquireClientCredentials, new SecureCredential() (flags=(ValidateManual, NoDefaultCred, SendAuxRecord, UseStrongCrypto), m_ProtocolFlags=(Tls12Client), m_EncryptionPolicy=RequireEncryption)
System.Net Information: 0 : [5564] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=189, returned code=ContinueNeeded).
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
System.Net Error: 0 : [5564] Exception in HttpWebRequest#16639474:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [5564] Exception in HttpWebRequest#16639474::EndGetRequestStream - The request was aborted: Could not create SSL/TLS secure channel..
I am using .NET 4.6.2 on Windows Server 2012, but I can reproduce it with .NET Core 2.2 as well.

From what I can see in Wireshark, the code no longer seems to send the client certificate, even though it is configured in the certificate store. Thanks for your help.

Edit:

I managed to get it working by using TLS 1.1 instead of TLS 1.2:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11;

But the question remains why it does not work with TLS 1.2, where I get the following error message:
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
I guess this has to do with the TLS version. When they upgraded their gateway they most likely stopped supporting some versions.

@Peter4499 I am using Tls12, which should be recent enough. I have tried ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11; and SecurityProtocolType.SystemDefault, but I still get the same error. Which value should I use?

Could you be missing something? SHA512 for TLS 1.2 is off by default. Consider using SHA256 in your client certificate, since not all systems understand SHA512.

@JessedeWit As I understand it, SHA512 support is part of KB 2975331. I ran `wmic qfe get hotfixid | find "KB2975331"` on my machine and it appears to be installed.

Does your certificate have an MD5 signature?

Is the PrivateKey property non-null? Have you tried using X509Store?
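As an added diagnostic (not part of the original question or any of the comments above): a small C# console program that checks what the comments ask about (the certificate's signature algorithm, whether a private key is present, the RSA key size) and then performs a TLS 1.2 and a TLS 1.1 handshake with SslStream using the same client certificate, reporting whether the client certificate was actually sent and which cipher and hash were negotiated. It assumes a direct TCP connection to the gateway (no CONNECT proxy) and takes the host, PFX path and password as hypothetical command-line arguments; unlike the `return true` callbacks in the question, its server certificate callback only accepts a chain that Windows validated, and logs the reason otherwise.

```csharp
// Added diagnostic example, not the original question's code. Assumes: direct
// connectivity to <host>:<port>, and a PFX file with the client's private key.
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

class MtlsDiag
{
    // The properties the comments asked about: signature hash, private key, key size.
    static void DescribeClientCert(X509Certificate2 cert)
    {
        Console.WriteLine("Subject:         " + cert.Subject);
        Console.WriteLine("Signature alg:   " + cert.SignatureAlgorithm.FriendlyName
                          + " (" + cert.SignatureAlgorithm.Value + ")");
        Console.WriteLine("Has private key: " + cert.HasPrivateKey);
        using (var rsa = cert.GetRSAPublicKey())
            Console.WriteLine("RSA key size:    " + (rsa == null ? "n/a" : rsa.KeySize.ToString()));
        Console.WriteLine("Valid:           " + cert.NotBefore + " .. " + cert.NotAfter);
    }

    // Server certificate check: accept only a chain the OS already validated and
    // log why it was rejected otherwise. A rejection here surfaces as a distinct
    // error, so it cannot be confused with a client-authentication failure.
    static bool ValidateServer(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        Console.WriteLine("Server certificate rejected: " + errors);
        if (chain != null)
            foreach (var status in chain.ChainStatus)
                Console.WriteLine("  chain: " + status.Status + " " + status.StatusInformation);
        return false;
    }

    static void Main(string[] args)
    {
        if (args.Length < 3)
        {
            Console.WriteLine("usage: MtlsDiag <host> <pfx-path> <pfx-password> [port]");
            return;
        }
        string host = args[0];
        int port = args.Length > 3 ? int.Parse(args[3]) : 443;
        var clientCert = new X509Certificate2(args[1], args[2]);
        DescribeClientCert(clientCert);

        // Try each protocol on its own so the failing one is visible, mirroring the
        // question's observation that TLS 1.1 succeeds while TLS 1.2 does not.
        foreach (var proto in new[] { SslProtocols.Tls12, SslProtocols.Tls11 })
        {
            Console.WriteLine();
            Console.WriteLine("== Handshake with " + proto + " ==");
            try
            {
                using (var tcp = new TcpClient(host, port))
                using (var ssl = new SslStream(tcp.GetStream(), false, ValidateServer))
                {
                    ssl.AuthenticateAsClient(host, new X509Certificate2Collection(clientCert),
                                             proto, checkCertificateRevocation: true);
                    Console.WriteLine("Protocol:               " + ssl.SslProtocol);
                    Console.WriteLine("Cipher/Hash:            " + ssl.CipherAlgorithm + "/" + ssl.HashAlgorithm);
                    // LocalCertificate is non-null only if a client certificate was
                    // actually presented to the server during this handshake.
                    Console.WriteLine("Client cert sent:       " + (ssl.LocalCertificate != null));
                    Console.WriteLine("Mutually authenticated: " + ssl.IsMutuallyAuthenticated);
                }
            }
            catch (AuthenticationException ex)
            {
                // The Schannel status code sits in the inner Win32Exception and is
                // more specific than the outer "Could not create SSL/TLS secure channel".
                Console.WriteLine("Handshake failed: " + ex.Message);
                for (var inner = ex.InnerException; inner != null; inner = inner.InnerException)
                    Console.WriteLine("  inner: " + inner.GetType().Name + ": " + inner.Message);
            }
        }
    }
}
```

Why compare the two protocol versions: in TLS 1.2 (RFC 5246) the server's CertificateRequest carries a signature_algorithms list, and both the client's CertificateVerify signature and the hash used in the presented certificate chain are subject to what the two sides support; TLS 1.1 has no such negotiation. A handshake that works on TLS 1.1 and fails on TLS 1.2 with the same certificate, as in the question, is therefore consistent with a hash or signature algorithm mismatch, and the first thing to read off the output above is the "Signature alg" line of the client certificate.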