问题:
系统网WebRequest和TLS 1.2使用haproxy创建了“握手失败”
乐成济
我无法使用系统。网WebRequest用于TLS 1.2的请求。如果我这样做,我会得到一个异常请求被中止:无法创建SSL/TLS安全通道和协议错误握手失败。
通过TLS 1.2连接和身份验证正在使用Internet Explorer和Chrome。OpenSSL可以通过TLS 1.2连接到此Enpoint。
- 使用客户端证书进行身份验证
- 使用非默认端口
- 使用TLS 1.2
- endpoint是一个半代理,但这是一个黑盒
- . NET 4.7和C#
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
var req = WebRequest.Create($"https://{host}:{port}");
((HttpWebRequest)req).ClientCertificates = new X509Certificate2Collection(GetCertificate());
var requestStream = req.GetRequestStream();
方法GetCertificate()返回一个带有私钥的证书,该证书嵌入在该软件中。
wireshark按发生顺序输出的文本。
客户你好
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 207
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 203
Version: TLS 1.2 (0x0303)
Random: 5a292ab72d2173fc286aebe2c4cc991ee619e1cc81b5bb39...
Session ID Length: 0
Cipher Suites Length: 60
Cipher Suites (30 suites)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 102
Extension: server_name (len=43)
Type: server_name (0)
Length: 43
Server Name Indication extension
Server Name list length: 41
Server Name Type: host_name (0)
Server Name length: 38
Server Name: [REMOVED]
Extension: supported_groups (len=8)
Type: supported_groups (10)
Length: 8
Supported Groups List Length: 6
Supported Groups (3 groups)
Extension: ec_point_formats (len=2)
Type: ec_point_formats (11)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
Extension: signature_algorithms (len=20)
Type: signature_algorithms (13)
Length: 20
Signature Hash Algorithms Length: 18
Signature Hash Algorithms (9 algorithms)
Extension: SessionTicket TLS (len=0)
Type: SessionTicket TLS (35)
Length: 0
Data (0 bytes)
Extension: extended_master_secret (len=0)
Type: extended_master_secret (23)
Length: 0
Extension: renegotiation_info (len=1)
Type: renegotiation_info (65281)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
服务器名称:[已删除]包含正确的服务器名称。
服务器你好
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 65
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 61
Version: TLS 1.2 (0x0303)
Random: 5a292ab7238205b2b8a2e6692abfd518a054515e53cd5b16...
Session ID Length: 0
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Compression Method: null (0)
Extensions Length: 21
Extension: server_name (len=0)
Type: server_name (0)
Length: 0
Extension: renegotiation_info (len=1)
Type: renegotiation_info (65281)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: ec_point_formats (len=4)
Type: ec_point_formats (11)
Length: 4
EC point formats Length: 3
Elliptic curves point formats (3)
Extension: SessionTicket TLS (len=0)
Type: SessionTicket TLS (35)
Length: 0
Data (0 bytes)
证明书
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 3855
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 3851
Certificates Length: 3848
Certificates (3848 bytes)
服务器你好完成
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 589
Handshake Protocol: Server Key Exchange
Handshake Type: Server Key Exchange (12)
Length: 585
EC Diffie-Hellman Server Params
Curve Type: named_curve (0x03)
Named Curve: secp256r1 (0x0017)
Pubkey Length: 65
Pubkey: ...
Signature Hash Algorithm: 0x0401
Signature Length: 512
Signature: ...
多次握手信息
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 77
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 3
Certificates Length: 0
Handshake Protocol: Client Key Exchange
Handshake Type: Client Key Exchange (16)
Length: 66
EC Diffie-Hellman Client Params
Pubkey Length: 65
Pubkey: ...
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.2 (0x0303)
Length: 1
Change Cipher Spec Message
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 40
Handshake Protocol: Encrypted Handshake Message
握手失败
Secure Sockets Layer
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 2
Alert Message
Level: Fatal (2)
Description: Handshake Failure (40)
谢谢@user3484348我现在有更多的信息。
TLS 1.2(不工作):
System.Net Information: 0 : [11752] InitializeSecurityContext(
credential = System.Net.SafeFreeCredential_SECURITY,
context = 1054ea8:6091710,
targetName = api.company.com,
inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [11752] InitializeSecurityContext(
In-Buffers count=2,
Out-Buffer length=0,
returned code=IllegalMessage)
TLS 1.0(工作):
System.Net Information: 0 : [11752] InitializeSecurityContext(
credential = System.Net.SafeFreeCredential_SECURITY,
context = 12a5eb0:641d900,
targetName = api.company.com,
inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [11752] InitializeSecurityContext(
In-Buffers count=2,
Out-Buffer length=0,
returned code=ContinueNeeded)
TLS 1.2中返回的代码是非法消息,而TLS 1.0中返回的代码是连续编码。
共有1个答案
郎祯
GetCertificate()可能会返回一个不是来自Windows证书存储库的证书。如果你打开应用程序的系统。Net调试信息,添加
<system.diagnostics>
<sources>
<source name="System.Net">
<listeners>
<add name="System.Net"/>
</listeners>
</source>
<source name="System.Net.Cache">
<listeners>
<add name="System.Net"/>
</listeners>
</source>
<source name="System.Net.Http">
<listeners>
<add name="System.Net"/>
</listeners>
</source>
<source name="System.Net.Sockets">
<listeners>
<add name="System.Net"/>
</listeners>
</source>
<source name="System.Net.WebSockets">
<listeners>
<add name="System.Net"/>
</listeners>
</source>
</sources>
<switches>
<add name="System.Net" value="Verbose"/>
<add name="System.Net.Cache" value="Verbose"/>
<add name="System.Net.Http" value="Verbose"/>
<add name="System.Net.Sockets" value="Verbose"/>
<add name="System.Net.WebSockets" value="Verbose"/>
</switches>
<sharedListeners>
<add name="System.Net"
type="System.Diagnostics.TextWriterTraceListener"
initializeData="network.log"
/>
</sharedListeners>
<trace autoflush="true"/>
祝你好运。在配置文件中,您将看到“AcquireCredentialsHandle()失败,错误为0X8009030D。”或者类似的东西。这似乎是一个系统。如果密钥不在MachineKeys系统文件夹中,Net无法使用带有私钥的证书。
走传统的路线——将证书添加到存储库,授予对密钥文件的访问权,等等。
类似资料:
-
我正在学习SSL通信,我遇到了这个问题。我正在编写一个简单的客户端,它试图与本地apache服务器握手。服务器启用https。我将服务器证书添加到所有可能的信任存储(jdk中的一个 注意:我从以下教程中获取了代码: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#KRB 停留
-
我通过受ssl v3保护的cxf使用soap服务。我从服务器下载.cer文件,并通过keytool使用以下指令创建JKS文件: 在java代码中,我将此代码用于客户端配置: 对于调用此代码的服务: 当我运行代码时,会发生此错误: 我搜索此错误,我意识到该错误是针对不良信任存储的。但我不知道如何生成正确的信任库。
-
我在使用硒测试时收到此错误 我现在的代码是 是否有其他方法可以忽略/解决此错误?
-
我正在对我们的数据库服务进行超文本传输协议请求的大循环。一切都很好,但是每当我运行它时,在成功查询(看似随机)数量后,我都会收到以下错误:
-
在数据采集一节中我们介绍了常见的监控数据源。open-falcon作为一个监控框架,可以去采集任何系统的监控指标数据,只要将监控数据组织为open-falcon规范的格式就OK了。 HAProxy的数据采集可以通过haproxymon来做。 工作原理 haproxymon是一个cron,每分钟跑一次采集脚本haproxymon.py,haproxymon通过Haproxy的stats socket
-
我正在尝试向支持TLS 1.2的服务器发帖——至少当我在浏览器中执行GET时,我可以验证通信是否使用TLS 1.2,以及证书是否由证书颁发机构验证。然而,当我试图使用AFIOS 9.0(13A4305g)/Xcode 7-beta4将代码发布到该服务器时,我的握手失败了。 失败: 我错过什么了吗?我怎样才能挖得更深?假设这是服务器的问题,而不是代码的问题——我怎么能窥探到呢?