.NET SNI支持 [英] .NET SNI support

问题描述

我有一个Web服务(asmx)API，由我管理的另一位开发人员在.NET 3.5中编写.我们最近从Server 2008R2迁移到Server 2012R2，我决定使用SNI代替每个证书的IP.

I have a Web Service (asmx) API that was written in .NET 3.5 by another developer that I manage. We recently moved from Server 2008R2 to Server 2012R2 and I decided to use SNI instead of having an IP for each certificate.

事实证明，切换到SNI后，我们的API用户之一不再能够连接到我们的API.我发现他们使用的是Server 2003，我认为这是它不再起作用的原因.我继续为该站点分配了一个公共IP，该IP可以解决此问题.当然，他们将其完全归咎于.NET框架.

Well it turns out that one of our API users was no longer able to connect to our API after the switch to SNI. I found out that they use Server 2003 which I figured was the reason for it no longer working. I went ahead and assigned the site a public ip which fixed the problem. Of course they are blaming it entirely on the .NET framework.

他们的证明是这个链接: https://connect.microsoft.com/VisualStudio/feedback/details/729925/net-4-4-5-sslstream-no-supports-the-tls-server-name-indication-sni

Their proof was this link: https://connect.microsoft.com/VisualStudio/feedback/details/729925/net-4-4-5-sslstream-no-supports-the-tls-server-name-indication-sni

我有一个测试项目设置，可以连接到我们的API并运行各种测试，并且在转换后可以正常工作.

I have a test project setup that connects to our API and runs various tests and it works fine after the conversion.

有人能对此有所启发吗? SoapHttpClientProtocol是否使用sslstream?

Can anyone shed some light on this? Does the SoapHttpClientProtocol use sslstream?

推荐答案

.NET Framework本身如果依赖于Schannel，则可能无法解决该问题.自 Windows 8/Windows Server 2012 )

.NET Framework itself might not be able to solve the issue if it depends on Schannel. Schannel only starts to support SNI since Windows Vista/Windows Server 2008 (or from another source Windows 8/Windows Server 2012)

好吧，根据第一个链接，SslStream确实取决于Schannel.我刚刚在Windows 7/.NET 4和Windows 8.1/.NET 4.5.1上完成了一个测试案例，并且可以看到客户端应用程序利用了SslStream SNI可以正常工作.因此，我认为您粘贴的Microsoft Connect链接根本不是有效的链接. SNI在Windows XP和Windows Server 2003上可能会失败，但在Windows Vista及更高版本上应该可以使用.

Well, according to first link, SslStream indeed depends on Schannel. I just finished a test case on both Windows 7/.NET 4 and Windows 8.1/.NET 4.5.1 and I can see for a client side application utilizes SslStream SNI works as expected. So I don't think the Microsoft Connect link you pasted is a valid one at all. SNI might fail on Windows XP and Windows Server 2003, but should work for Windows Vista and above.

我没有检查SoapHttpClientProtocol的源代码，但我认为Microsoft除了SslStream或Schannel之外都没有使用其他任何东西.

I did not check the source code of SoapHttpClientProtocol but I don't think Microsoft uses anything other than SslStream or Schannel.

因此，在您的情况下，建议您在服务器端回滚所做的更改，并且不要使用SNI.另一个解决方案是要求所有用户将Windows Vista及更高版本用作操作系统.请注意，Windows XP已死，Windows Server 2003即将死(明年将死，所以很快).

So in your case, I suggest you roll back your changes at server side and don't use SNI yet. Another solution is to ask all your users to use Windows Vista and above as OS. Note that Windows XP is dead, and Windows Server 2003 is dying (will be dead next year, so pretty soon).

这篇关于.NET SNI支持的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！