使用 HttpClient 的 HTTPS 请求失败
HTTPS request fails using HttpClient
我正在使用以下代码并得到 HttpRequestException
异常:
using (var handler = new HttpClientHandler())
{
handler.ClientCertificateOptions = ClientCertificateOption.Manual;
handler.SslProtocols = SslProtocols.Tls12;
handler.ClientCertificates.Add(new X509Certificate2(@"C:\certificates\cert.pfx"));
// I also tried to add another certificates that was provided to https access
// by administrators of the site, but it still doesn't work.
//handler.ClientCertificates.Add(new X509Certificate2(@"C:\certificates\cert.crt"));
//handler.ClientCertificates.Add(new X509Certificate2(@"C:\certificates\cert_ca.crt"));
using (var client = new HttpClient(handler))
{
var response = client.GetAsync("https://someurl.com/api.php?arg1=some&arg2=test").GetAwaiter().GetResult();
// ^ HttpRequestException: An error occurred while sending the request.
}
}
异常:
WinHttpException: A security error occurred
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
System.Runtime.CompilerServices.ConfiguredTaskAwaitable+ConfiguredTaskAwaiter.GetResult()
System.Net.Http.WinHttpHandler+<StartRequest>d__105.MoveNext()
HttpRequestException: An error occurred while sending the request.
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
System.Runtime.CompilerServices.ConfiguredTaskAwaitable+ConfiguredTaskAwaiter.GetResult()
System.Net.Http.HttpClient+<FinishSendAsync>d__58.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
System.Runtime.CompilerServices.TaskAwaiter.GetResult()
MyApp.Web.Controllers.HomeController.Test() in HomeController.cs
var response = client.GetAsync("https://someurl.com/api.php?arg1=some&arg2=test").GetAwaiter().GetResult();
lambda_method(Closure , object , Object[] )
Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker+<InvokeActionMethodAsync>d__27.MoveNext()
我还尝试将相同的证书导出到 Windows 证书存储并通过 Google Chrome 使用它并且它工作正常(浏览器要求我确认安装的证书然后加载资源)。
为什么它在我的代码中不起作用?
已更新
我还尝试添加回调来验证证书:
handler.ServerCertificateCustomValidationCallback = (message, certificate2, arg3, arg4) =>
{
// I set a breakpoint to this point but it is not catched.
return true;
};
UPDATED2
证书使用 SHA-1。 support for SHA1 certs is being withdrawn 的评论中提到了 Neil Moss。
如果这是它不起作用的真正原因,是否有解决方法?
解决方案
感谢 Neil Moss 的解决方案。他提议为 SSL 协议使用 Tls 标志。
handler.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
但它还需要以下内容:
handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => true;
我加了这个之后就正常了。
根据this SO post,您必须使用 ServicePointManager 启用 TLS1.2。
System.Net.ServicePointManager.SecurityProtocol |=
SecurityProtocolType.Tls12 |
SecurityProtocolType.Tls11 |
SecurityProtocolType.Tls; // comparable to modern browsers
同样值得注意的是,MSDN documentation for ServicePointManager.SecurityProtocols 属性 做出了这样的声明:
The .NET Framework 4.6 includes a new security feature that blocks
insecure cipher and hashing algorithms for connections.
这表明某种形式的 SHA1 块可能就位。
编辑 2020 年 9 月 16 日
我从 = 赋值运算符更改为 |= 运算符,以便对仍然需要 SSL 的任何其他遗留站点的请求将继续有效。
这是一份非常有用的文档。对于ASP.NET Core 2.0,答案应用如下(结果成功):
using (var handler = new HttpClientHandler())
{
handler.ServerCertificateCustomValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
handler.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
using (HttpClient client = new HttpClient(handler))
{
string requestObjJson = requestObj.ToJson();
var address = new Uri($"https://yourcompany.com/");
string token = GetToken();
client.BaseAddress = address;
client.DefaultRequestHeaders.Accept.Clear();
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
var contentData = new StringContent(requestObjJson, System.Text.Encoding.UTF8, "application/json");
using (var response = await client.PostAsync("yourcompany/new-employee", contentData))
{
var content = response.Content.ReadAsStringAsync();
var taskResult = content.Result;
JObject resultObj = JObject.Parse(taskResult);
return resultObj;
}
}
}
根据documentation,最好使用None。
None“允许操作系统选择要使用的最佳协议,并阻止不安全的协议。除非您的应用有特定原因不这样做,否则您应该使用此字段”
我正在使用以下代码并得到 HttpRequestException
异常:
using (var handler = new HttpClientHandler())
{
handler.ClientCertificateOptions = ClientCertificateOption.Manual;
handler.SslProtocols = SslProtocols.Tls12;
handler.ClientCertificates.Add(new X509Certificate2(@"C:\certificates\cert.pfx"));
// I also tried to add another certificates that was provided to https access
// by administrators of the site, but it still doesn't work.
//handler.ClientCertificates.Add(new X509Certificate2(@"C:\certificates\cert.crt"));
//handler.ClientCertificates.Add(new X509Certificate2(@"C:\certificates\cert_ca.crt"));
using (var client = new HttpClient(handler))
{
var response = client.GetAsync("https://someurl.com/api.php?arg1=some&arg2=test").GetAwaiter().GetResult();
// ^ HttpRequestException: An error occurred while sending the request.
}
}
异常:
WinHttpException: A security error occurred
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
System.Runtime.CompilerServices.ConfiguredTaskAwaitable+ConfiguredTaskAwaiter.GetResult()
System.Net.Http.WinHttpHandler+<StartRequest>d__105.MoveNext()
HttpRequestException: An error occurred while sending the request.
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
System.Runtime.CompilerServices.ConfiguredTaskAwaitable+ConfiguredTaskAwaiter.GetResult()
System.Net.Http.HttpClient+<FinishSendAsync>d__58.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
System.Runtime.CompilerServices.TaskAwaiter.GetResult()
MyApp.Web.Controllers.HomeController.Test() in HomeController.cs
var response = client.GetAsync("https://someurl.com/api.php?arg1=some&arg2=test").GetAwaiter().GetResult();
lambda_method(Closure , object , Object[] )
Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker+<InvokeActionMethodAsync>d__27.MoveNext()
我还尝试将相同的证书导出到 Windows 证书存储并通过 Google Chrome 使用它并且它工作正常(浏览器要求我确认安装的证书然后加载资源)。
为什么它在我的代码中不起作用?
已更新
我还尝试添加回调来验证证书:
handler.ServerCertificateCustomValidationCallback = (message, certificate2, arg3, arg4) =>
{
// I set a breakpoint to this point but it is not catched.
return true;
};
UPDATED2
证书使用 SHA-1。 support for SHA1 certs is being withdrawn 的评论中提到了 Neil Moss。 如果这是它不起作用的真正原因,是否有解决方法?
解决方案
感谢 Neil Moss 的解决方案。他提议为 SSL 协议使用 Tls 标志。
handler.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
但它还需要以下内容:
handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => true;
我加了这个之后就正常了。
根据this SO post,您必须使用 ServicePointManager 启用 TLS1.2。
System.Net.ServicePointManager.SecurityProtocol |=
SecurityProtocolType.Tls12 |
SecurityProtocolType.Tls11 |
SecurityProtocolType.Tls; // comparable to modern browsers
同样值得注意的是,MSDN documentation for ServicePointManager.SecurityProtocols 属性 做出了这样的声明:
The .NET Framework 4.6 includes a new security feature that blocks insecure cipher and hashing algorithms for connections.
这表明某种形式的 SHA1 块可能就位。
编辑 2020 年 9 月 16 日
我从 = 赋值运算符更改为 |= 运算符,以便对仍然需要 SSL 的任何其他遗留站点的请求将继续有效。
这是一份非常有用的文档。对于ASP.NET Core 2.0,答案应用如下(结果成功):
using (var handler = new HttpClientHandler())
{
handler.ServerCertificateCustomValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
handler.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
using (HttpClient client = new HttpClient(handler))
{
string requestObjJson = requestObj.ToJson();
var address = new Uri($"https://yourcompany.com/");
string token = GetToken();
client.BaseAddress = address;
client.DefaultRequestHeaders.Accept.Clear();
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
var contentData = new StringContent(requestObjJson, System.Text.Encoding.UTF8, "application/json");
using (var response = await client.PostAsync("yourcompany/new-employee", contentData))
{
var content = response.Content.ReadAsStringAsync();
var taskResult = content.Result;
JObject resultObj = JObject.Parse(taskResult);
return resultObj;
}
}
}
根据documentation,最好使用None。 None“允许操作系统选择要使用的最佳协议,并阻止不安全的协议。除非您的应用有特定原因不这样做,否则您应该使用此字段”