使用 wireshark 对 .NET 4.7.2 / 4.8 中的 TLS1.2 进行故障排除
Troubleshoot TLS1.2 in .NET 4.7.2 / 4.8 with wireshark
我们在开发 PC (win10) 上运行良好的 .NET 应用程序有问题
但是当部署到“Windows server 2016”生产环境时,它报告:
System.Net.WebException: The request was aborted: Could not create
SSL/TLS secure channel.
开发环境和生产环境中的 wireshark 差异
在 Dev (Win10) 上,“Server Key Exchange”数据包后有“Certificate,Client Key Exchange”
在 Prod (srv 2016) 上,在“服务器密钥交换”之后有“TCP 虚假重传”,如屏幕截图所示
尝试使用 .NET 4.7.2 和 4.8 同样的错误,如何进行?
使用 PFX 证书时生产服务器似乎出现问题
Dim request As HttpWebRequest = CType(WebRequest.Create("https://obt2b1.service.com/cords/api/"), HttpWebRequest)
request.Method = WebRequestMethods.Http.Post
request.Accept = "application/xml"
request.ContentType = "application/xml"
'Use x509 PFX
request.ClientCertificates.Add(getCert())
request.KeepAlive = True
request.CachePolicy = New System.Net.Cache.RequestCachePolicy(System.Net.Cache.RequestCacheLevel.NoCacheNoStore)
request.Timeout = 1000000
request.AllowAutoRedirect = True
Dim dataStream As Byte() = Encoding.UTF8.GetBytes(xml_send)
request.ContentLength = dataStream.Length
ServicePointManager.Expect100Continue = true
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
'Here the error "System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel." is reported
Dim _stream As Stream = request.GetRequestStream()
...
Private Function getCert() As X509Certificate2
Dim collection As New X509Certificate2Collection()
collection.Import("C:\pfx\test.pfx", "xxx", X509KeyStorageFlags.PersistKeySet Or X509KeyStorageFlags.UserKeySet Or X509KeyStorageFlags.MachineKeySet Or X509KeyStorageFlags.Exportable)
Return collection(0)
End Function
已编辑 ... SecurityProtocol 向上移动了同样的东西
ServicePointManager.Expect100Continue = true
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
Dim request As HttpWebRequest = CType(WebRequest.Create("https://obt2b1.service.com/cords/api/"), HttpWebRequest)
request.Method = WebRequestMethods.Http.Post
request.Accept = "application/xml"
request.ContentType = "application/xml"
'Use x509 PFX
request.ClientCertificates.Add(getCert())
request.KeepAlive = True
request.CachePolicy = New System.Net.Cache.RequestCachePolicy(System.Net.Cache.RequestCacheLevel.NoCacheNoStore)
request.Timeout = 1000000
request.AllowAutoRedirect = True
Dim dataStream As Byte() = Encoding.UTF8.GetBytes(xml_send)
request.ContentLength = dataStream.Length
'GetRequestStream() gets the error "System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel." is reported
Dim _stream As Stream = request.GetRequestStream()
好的,经过将近一周的测试,我找到了解决方案。
我尝试过的事情:
- windows 服务器 2012R2(工作没问题)
- windows 服务器 2016(不工作)
- windows 服务器 2019(不工作)
我尝试在 IIS Cryto 3.2 中启用所有密码和所有设置 - 没有帮助。
问题出在 IIS 的工作进程中,您需要将“加载用户配置文件”启用为 True
IIS -> 应用程序池 ->(选择池) -> 高级设置 ...
将“加载用户配置文件”从 false 更改为 true ...
之后我开始 IIS Crypto 3.2 像以前一样将所有设置设置为限制
我们在开发 PC (win10) 上运行良好的 .NET 应用程序有问题 但是当部署到“Windows server 2016”生产环境时,它报告:
System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
开发环境和生产环境中的 wireshark 差异
在 Dev (Win10) 上,“Server Key Exchange”数据包后有“Certificate,Client Key Exchange”
在 Prod (srv 2016) 上,在“服务器密钥交换”之后有“TCP 虚假重传”,如屏幕截图所示
尝试使用 .NET 4.7.2 和 4.8 同样的错误,如何进行? 使用 PFX 证书时生产服务器似乎出现问题
Dim request As HttpWebRequest = CType(WebRequest.Create("https://obt2b1.service.com/cords/api/"), HttpWebRequest)
request.Method = WebRequestMethods.Http.Post
request.Accept = "application/xml"
request.ContentType = "application/xml"
'Use x509 PFX
request.ClientCertificates.Add(getCert())
request.KeepAlive = True
request.CachePolicy = New System.Net.Cache.RequestCachePolicy(System.Net.Cache.RequestCacheLevel.NoCacheNoStore)
request.Timeout = 1000000
request.AllowAutoRedirect = True
Dim dataStream As Byte() = Encoding.UTF8.GetBytes(xml_send)
request.ContentLength = dataStream.Length
ServicePointManager.Expect100Continue = true
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
'Here the error "System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel." is reported
Dim _stream As Stream = request.GetRequestStream()
...
Private Function getCert() As X509Certificate2
Dim collection As New X509Certificate2Collection()
collection.Import("C:\pfx\test.pfx", "xxx", X509KeyStorageFlags.PersistKeySet Or X509KeyStorageFlags.UserKeySet Or X509KeyStorageFlags.MachineKeySet Or X509KeyStorageFlags.Exportable)
Return collection(0)
End Function
已编辑 ... SecurityProtocol 向上移动了同样的东西
ServicePointManager.Expect100Continue = true
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
Dim request As HttpWebRequest = CType(WebRequest.Create("https://obt2b1.service.com/cords/api/"), HttpWebRequest)
request.Method = WebRequestMethods.Http.Post
request.Accept = "application/xml"
request.ContentType = "application/xml"
'Use x509 PFX
request.ClientCertificates.Add(getCert())
request.KeepAlive = True
request.CachePolicy = New System.Net.Cache.RequestCachePolicy(System.Net.Cache.RequestCacheLevel.NoCacheNoStore)
request.Timeout = 1000000
request.AllowAutoRedirect = True
Dim dataStream As Byte() = Encoding.UTF8.GetBytes(xml_send)
request.ContentLength = dataStream.Length
'GetRequestStream() gets the error "System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel." is reported
Dim _stream As Stream = request.GetRequestStream()
好的,经过将近一周的测试,我找到了解决方案。 我尝试过的事情:
- windows 服务器 2012R2(工作没问题)
- windows 服务器 2016(不工作)
- windows 服务器 2019(不工作)
我尝试在 IIS Cryto 3.2 中启用所有密码和所有设置 - 没有帮助。 问题出在 IIS 的工作进程中,您需要将“加载用户配置文件”启用为 True
IIS -> 应用程序池 ->(选择池) -> 高级设置 ... 将“加载用户配置文件”从 false 更改为 true ...
之后我开始 IIS Crypto 3.2 像以前一样将所有设置设置为限制