无法从python的传输连接-C#端口读取数据
我正在尝试移植到C#.NET Core 3.1。我运行的是Windows10x64(Build19041)。链接的github项目包含一个(安全的)测试web服务器沙箱,您可以根据该沙箱以及一些客户端和服务器测试自我证书进行开发 我对python(或SSL/TLS)不是很熟悉,但我可以无法从python的传输连接-C#端口读取数据,python,c#,ssl,.net-core,Python,C#,Ssl,.net Core,我正在尝试移植到C#.NET Core 3.1。我运行的是Windows10x64(Build19041)。链接的github项目包含一个(安全的)测试web服务器沙箱,您可以根据该沙箱以及一些客户端和服务器测试自我证书进行开发 我对python(或SSL/TLS)不是很熟悉,但我可以 运行项目中包含的测试套件,包括启动和停止包含的测试服务器 启动测试服务器,然后使用包含的客户端证书/密钥/etc成功地对其进行cUrl(只要我指示cUrl不要检查证书吊销) 如果对测试服务器运行python实用程
class Program
{
private const string Thumbprint = "37af35e3f13c65ea0d7bbad148332924a1ce41d7";
private const string MailBox = "alice";
private const int Port = 8000;
private const string BaseAddress = "127.0.0.1";
private static HttpClient _client = null;
public static void Main(string[] args)
{
ConfigureHttpClient();
var response = Handshake();
Console.WriteLine($"Handshake succeeded: {response.StatusCode == HttpStatusCode.OK}");
}
private static HttpResponseMessage Handshake()
{
var uri = new Uri($"https://{BaseAddress}:{Port}/messageexchange/{MailBox}");
var response = _client.PostAsync(uri, null);
return response.Result;
}
private static void ConfigureHttpClient()
{
var handler = new HttpClientHandler
{
ServerCertificateCustomValidationCallback = (sender, cert, chain, sslPolicyErrors) => { return true; },
CheckCertificateRevocationList = false,
SslProtocols = SslProtocols.Tls13
| SslProtocols.Tls12
| SslProtocols.Tls11
| SslProtocols.Tls
};
var certificate = GetCertificateByThumbprint(Thumbprint);
handler.ClientCertificates.Add(certificate);
_client = new HttpClient(handler);
}
//Returns a certificate by searching through all likely places
private static X509Certificate2 GetCertificateByThumbprint(string thumbprint)
{
X509Certificate2 certificate;
//foreach likely certificate store name
foreach (var name in new[] { StoreName.My, StoreName.Root })
{
//foreach store location
foreach (var location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
{
//see if the certificate is in this store name and location
certificate = FindThumbprintInStore(thumbprint, name, location);
if (certificate != null)
{
//return the resulting certificate
return certificate;
}
}
}
//certificate was not found
throw new Exception(string.Format("The certificate with thumbprint {0} was not found", thumbprint));
}
private static X509Certificate2 FindThumbprintInStore(string thumbprint,
StoreName name, StoreLocation location)
{
//creates the store based on the input name and location e.g. name=My
var certStore = new X509Store(name, location);
certStore.Open(OpenFlags.ReadOnly);
//finds the certificate in question in this store
var certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint,
thumbprint, false);
certStore.Close();
if (certCollection.Count > 0)
{
//if it is found return
return certCollection[0];
}
else
{
//if the certificate was not found return null
return null;
}
}
}
这是完整的错误堆栈
System.AggregateException HResult=0x80131500消息=一个或多个
出现了错误。(发送请求时出错。)Source=System.Private.CoreLib StackTrace:at System.Threading.Tasks.Task.ThrowifeException(布尔值 includeTaskCanceledExceptions)位于 System.Threading.Tasks.Task
1.GetResultCore(布尔waitCompletionNotification)位于System.Threading.Tasks.Task
1.get_Result()位于
C:\Users…\IfxMeshClient\Program.cs中的IfxMeshClient.Program.Handshake():第41行
C:\Users…\IfxMeshClient\Program.cs中的IfxMeshClient.Program.Main(字符串[]args):第32行
内部异常1:HttpRequestException:运行时出错
发送请求
内部异常2:IOException:无法从传输读取数据
连接:中的软件中止了已建立的连接
您的主机
内部异常3:SocketException:已建立连接
被主机中的软件中止
编辑:我只是想添加sslyze的输出,因为我想知道它是否可能是密码不匹配,但这些密码似乎在我的win10版本中可用
* TLS 1.3 Cipher Suites:
Attempted to connect using 5 cipher suites.
The server accepted the following 3 cipher suites:
TLS_CHACHA20_POLY1305_SHA256 256 ECDH: X25519 (253 bits)
TLS_AES_256_GCM_SHA384 256 ECDH: X25519 (253 bits)
TLS_AES_128_GCM_SHA256 128 ECDH: X25519 (253 bits)
The group of cipher suites supported by the server has the following properties:
Forward Secrecy OK - Supported
Legacy RC4 Algorithm OK - Not Supported
The server is configured to prefer the following cipher suite:
TLS_AES_256_GCM_SHA384 256 ECDH: X25519 (253 bits)
编辑1:不太确定如何处理Fiddler输出。我不确定它是否混淆了事情,因为它引用了TLS12,然后建议支持的版本是TLS13
CONNECT 127.0.0.1:52985 HTTP/1.1
Host: 127.0.0.1:52985
A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.
Version: 3.3 (TLS/1.2)
Random: F7 09 8F A8 9A 72 AF 33 93 29 90 48 E4 A2 E2 09 CE BD 7E 27 94 0A C9 53 D4 54 6C 35 0B DF E2 E9
"Time": 12/08/2059 21:41:27
SessionID: empty
Extensions:
supported_versions Tls1.3
signature_algs rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha1, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_sha1, dsa_sha1, rsa_pkcs1_sha512, ecdsa_secp521r1_sha512
supported_groups x25519 [0x1d], secp256r1 [0x17], secp384r1 [0x18]
key_share 00 24 00 1D 00 20 95 34 AC 4A A5 6C D8 24 CD 50 29 2E F8 27 B4 59 D7 2C D8 C0 79 7B 14 79 B2 E8 28 6F 36 DE D4 48
post_handshake_auth
extended_master_secret empty
renegotiation_info 00
psk_key_exchange_modes 01 01
Ciphers:
[1302] TLS_AES_256_GCM_SHA384
[1301] TLS_AES_128_GCM_SHA256
...
反应是
HTTP/1.1 200 Connection Established
FiddlerGateway: Direct
StartTime: 13:21:35.087
Connection: close
fiddler.network.https> HTTPS handshake to 127.0.0.1 (for #6) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted
Win32 (SChannel) Native Error Code: 0x80090326
只是说,我的问题似乎是,尽管我已将pem导入到证书存储中,但我没有创建包含私钥文件的pfx 见此帖- 这样做之后,我确实从服务器得到了更多的响应,但仍然得到了Http 403,而潜在的错误是 无法确定帧大小或接收到损坏的帧
根据这篇文章,这可能是一个持续的问题。证书验证是通过执行虚拟http连接来完成的,因此必须完成连接。使用TLS进行连接。Jume中的Micrsoft推出了一个安全更新,该更新禁用了服务器上的TLS 1.0/1.1,但对客户端没有做任何操作。客户端选择TLS版本作为请求的一部分。因此,一种可能是TLS版本错误。在验证之前,我将添加以下内容:ServicePointManager.SecurityProtocol=SecurityProtocolType.Tls12;Thx。。。啊。我了解到.NET内核作为SslProtocols添加到HttpClientHandler中。不是这样吗?尽管如此,我已经尝试删除tls1和1.1的引用,并得到相同的行为。不过,Thx.TLS也是一种SSL协议。SSL是TLS的旧版本,不再被广泛使用。但是参数仍然称为SSL。是否将TLS版本指定为1.2?如果不是,则使用默认版本,该版本可能仍然是1.0或1.1。证书还必须是TLS版本支持的加密模式(请参阅Wiki:)。服务器可能需要TLS 1.3,因此您可能需要1.2或1.3:SecurityProtocolType.Tls12 | SecurityProtocolType.tls13我不相信第二个链接。TLS在操作系统中处理,并与python(和fiddler)一起使用。因此TLS1.3正在运行。您不能在Net中为TLS 1.3创建证书,但可以连接到Net。你为什么要使用回调?服务器发送证书名称列表。如果您只接受服务器发送的内容,一切都应该正常。仅当您希望使用特定证书而不是服务器接受的所有证书时,才需要回调。您正在服务器和客户端中安装相同的证书吗?请再次安装thx vm。通过回调,我只是返回true。我认为python有自己的tls1.3实现。Python服务器将不同的证书引用到我在存储中安装并在客户端代码中使用的证书。这
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256