HttpWebRequest::GetResponse - 请求被中止:无法创建 SSL/TLS 安全通道

HttpWebRequest::GetResponse - The request was aborted: Could not create SSL/TLS secure channel

请阅读以下全文。我尝试了这个问题的所有常用解决方案。

所以,我的 .Net 4.5 应用 运行 已经成功地从 url 获取数据很长一段时间了。但它突然开始失败并出现上述错误:

HttpWebRequest#687191::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..

这是我能够重现错误的示例 C# 代码:

    ServicePointManager.Expect100Continue = true;
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11;
    ServicePointManager.DefaultConnectionLimit = 9999;

    ServicePointManager.ServerCertificateValidationCallback = delegate(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors)
    {
        return (true);
    };

    var authHeaderValue = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(string.Format("{0}:{1}", "username", "password")));

    var request = (HttpWebRequest) HttpWebRequest.Create("url-here");
    request.Method = "GET";
    request.Headers.Add("Authorization: Basic " + authHeaderValue);

    using (HttpWebResponse response = (HttpWebResponse) request.GetResponse())
    {
        Stream dataStream = response.GetResponseStream();
        StreamReader reader = new StreamReader(dataStream);
        var s = reader.ReadToEnd();
        reader.Close();
        dataStream.Close();

        Console.WriteLine(s);
    }

如您所见,上面已经尝试了在ServicePointManager上设置值/忽略证书错误的所有常用解决方案。 我仍然收到错误,甚至没有命中 ServerCertificateValidationCallback。

我使用 Fiddler 并启用了 HTTPS 解密,但 Fiddler 给了我这个错误:

System.Security.Authentication.AuthenticationException : A call to SSPI failed, see inner exception. ----> System.ComponentModel.Win32Exception : The message received was unexpected or badly formatted

我去了跟踪 (),这里是跟踪文件输出:

System.Net Information: 0 : [13160] Current OS installation type is 'Client'.
System.Net Verbose: 0 : [13160] WebRequest::Create(url-here)
System.Net Verbose: 0 : [13160] HttpWebRequest#687191::HttpWebRequest(url-here)
System.Net Information: 0 : [13160] RAS supported: True
System.Net Verbose: 0 : [13160] Exiting HttpWebRequest#687191::HttpWebRequest() 
System.Net Verbose: 0 : [13160] Exiting WebRequest::Create()    -> HttpWebRequest#687191
System.Net Verbose: 0 : [13160] HttpWebRequest#687191::GetResponse()
System.Net Verbose: 0 : [13160] ServicePoint#49385318::ServicePoint(domain-here:443)
System.Net Information: 0 : [13160] Associating HttpWebRequest#687191 with ServicePoint#49385318
System.Net Information: 0 : [13160] Associating Connection#7746814 with HttpWebRequest#687191
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Socket(AddressFamily#2)
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Socket() 
System.Net.Sockets Verbose: 0 : [13160] Socket#50934842::Socket(AddressFamily#23)
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#50934842::Socket() 
System.Net.Sockets Verbose: 0 : [13160] DNS::TryInternalResolve(domain-here)
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Connect(server-ip-here:443#1466373584)
System.Net.Sockets Information: 0 : [13160] Socket#13062350 - Created connection from client-ip-here:11043 to server-ip-here:443.
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Connect() 
System.Net.Sockets Verbose: 0 : [13160] Socket#50934842::Close()
System.Net.Sockets Verbose: 0 : [13160] Socket#50934842::Dispose()
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#50934842::Close() 
System.Net Information: 0 : [13160] Connection#7746814 - Created connection from client-ip-here:11043 to server-ip-here:443.
System.Net Information: 0 : [13160] TlsStream#10366524::.ctor(host=domain-here, #certs=0)
System.Net Information: 0 : [13160] Associating HttpWebRequest#687191 with ConnectStream#63840421
System.Net Information: 0 : [13160] HttpWebRequest#687191 - Request: GET relative-url-here HTTP/1.1

System.Net Information: 0 : [13160] ConnectStream#63840421 - Sending headers
{
Authorization: Basic credentials-here
Host: domain-here
Connection: Keep-Alive
}.
System.Net Information: 0 : [13160] SecureChannel#54246671::.ctor(hostname=domain-here, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [13160] Enumerating security packages:
System.Net Information: 0 : [13160]     Negotiate
System.Net Information: 0 : [13160]     NegoExtender
System.Net Information: 0 : [13160]     Kerberos
System.Net Information: 0 : [13160]     NTLM
System.Net Information: 0 : [13160]     Schannel
System.Net Information: 0 : [13160]     Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [13160]     WDigest
System.Net Information: 0 : [13160]     TSSSP
System.Net Information: 0 : [13160]     pku2u
System.Net Information: 0 : [13160]     CREDSSP
System.Net Information: 0 : [13160] SecureChannel#54246671 - Left with 0 client certificates to choose from.
System.Net Information: 0 : [13160] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [13160] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = domain-here, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [13160] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=184, returned code=ContinueNeeded).
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Send()
System.Net.Sockets Verbose: 0 : [13160] Data from Socket#13062350::Send
System.Net.Sockets Verbose: 0 : [13160] 00000000 : 16 03 03 00 B3 01 00 00-AF 03 03 5E D9 42 A7 54 : ...........^.B.T
System.Net.Sockets Verbose: 0 : [13160] 00000010 : CD 34 00 7C 31 C9 2F 75-E7 DE A6 9E E8 D7 B5 74 : .4.|1./u.......t
System.Net.Sockets Verbose: 0 : [13160] 00000020 : 3C CB 7E B3 84 D8 1A 22-69 79 B3 00 00 38 C0 28 : <.~...."iy...8.(
System.Net.Sockets Verbose: 0 : [13160] 00000030 : C0 27 C0 14 C0 13 00 9F-00 9E 00 39 00 33 00 9D : .'.........9.3..
System.Net.Sockets Verbose: 0 : [13160] 00000040 : 00 9C 00 3D 00 3C 00 35-00 2F C0 2C C0 2B C0 24 : ...=.<.5./.,.+.$
System.Net.Sockets Verbose: 0 : [13160] 00000050 : C0 23 C0 0A C0 09 00 6A-00 40 00 38 00 32 00 0A : .#.....j.@.8.2..
System.Net.Sockets Verbose: 0 : [13160] 00000060 : 00 13 00 05 00 04 01 00-00 4E 00 00 00 19 00 17 : .........N......
System.Net.Sockets Verbose: 0 : [13160] 00000070 : 00 00 14 61 6D 61 74 72-61 76 65 6C 2E 74 73 74 : ...domain-here
System.Net.Sockets Verbose: 0 : [13160] 00000080 : 6C 6C 63 2E 6E 65 74 00-0A 00 06 00 04 00 17 00 : domain-here.........
System.Net.Sockets Verbose: 0 : [13160] 00000090 : 18 00 0B 00 02 01 00 00-0D 00 14 00 12 06 01 06 : ................
System.Net.Sockets Verbose: 0 : [13160] 000000A0 : 03 04 01 05 01 02 01 04-03 05 03 02 03 02 02 00 : ................
System.Net.Sockets Verbose: 0 : [13160] 000000B0 : 17 00 00 FF 01 00 01 00-                        : ........
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Send()     -> Int32#184
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Receive()
System.Net.Sockets Verbose: 0 : [13160] Data from Socket#13062350::Receive
System.Net.Sockets Verbose: 0 : [13160] 00000000 : 15 03 03 00 02                                  : .....
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Receive()  -> Int32#5
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Receive()
System.Net.Sockets Verbose: 0 : [13160] Data from Socket#13062350::Receive
System.Net.Sockets Verbose: 0 : [13160] 00000005 : 02 28                                           : .(
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Receive()  -> Int32#2
System.Net Information: 0 : [13160] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 51ccc0:5827200, targetName = domain-here, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [13160] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Dispose()
System.Net Error: 0 : [13160] Exception in HttpWebRequest#687191:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [13160] Exception in HttpWebRequest#687191::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..

我在上面的跟踪中替换了我的服务器和客户端敏感信息(任何以 -here 结尾的信息)但其他跟踪信息完好无损。

我仍然无法弄清楚 Trace 中有什么问题以及为什么这个 url(使用 HTTPS)无法使用我的 .Net 代码打开。

有人可以帮我解决这个问题吗?

调试信息包含客户端在TLS握手中发送的ClientHello。基于此,服务器 amatravel.tstllc.net according to SSLLabs 支持以下极少数密码:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)         ECDH x25519 (eq. 3072 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)         ECDH x25519 (eq. 3072 bits RSA)   FS 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   ECDH x25519 (eq. 3072 bits RSA)   FS 256

所有这些密码都以TLS_ECDHE_RSA_开头,即带有ECDHE密钥交换的RSA证书。但是解码您的 ClientHello 显示客户端仅宣布支持以下密码:

        Cipher Suites (28 suites)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
            Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
            Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
            Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
            Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
            Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
            Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

快速查看将看到以 TLS_ECDHE_RSA_ 开头的 4 个密码中的 none 与服务器支持的密码相匹配。因此,由于没有共享密码,握手将失败。

But it suddenly started failing ...

假设没有对您的应用程序进行任何更改,很可能对服务器进行了更改。服务器支持的密码集非常小,所以可能有人试图加固服务器,却不知道某些客户端不支持这些少数密码中的任何一个。

但是你的客户端支持的密码集也很奇怪。虽然您支持 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,但您不支持 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,即相同的密码,但使用 RSA 证书而不是 ECC 证书。并且服务器实际上已经支持后一种密码。