SSL 握手在 C# 中失败,但在邮递员中有效 [英] SSL Handshake fails in C# but works in postman
问题描述
我正在尝试使用 2-way SSL 运行一个简单的控制台应用程序.我有以下 C# 代码:
I am trying run a simple console app with 2-way SSL. I have the following C# code:
var certificate = X509Certificate2.CreateFromPemFile(_publicFilename, _privateFilename);
using (var handler = new HttpClientHandler())
{
handler.ClientCertificateOptions = ClientCertificateOption.Manual;
handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => true;
handler.ClientCertificates.Add(certificate);
handler.SslProtocols = SslProtocols.Tls12;
using (var client = new HttpClient(handler))
{
var postData = new StringContent("", UnicodeEncoding.UTF8, "application/json");
var response = await client.PostAsync("URL", postData);
string responseString = await response.Content.ReadAsStringAsync();
Console.WriteLine(responseString);
}
}
这在 SSL 握手期间失败.我在事件查看器上收到以下 SChannel 错误:
This fails during SSL handshake. And I get the following SChannel error on event viewer:
创建 TLS 客户端凭据时发生致命错误.这内部错误状态为 10013.
A fatal error occurred while creating a TLS client credential. The internal error state is 10013.
我在运行 C# 控制台应用程序时在 Wireshark 中发现以下内容:
I found the following in wireshark when I run the C# console app:
但是,如果我在邮递员上使用相同的证书,它就可以正常工作.请参阅以下邮递员请求的wireshark屏幕截图:
However if I use the same certificates on postman, it works fine. Refer wireshark screenshot for postman request below:
关于检查Certificate Request, Server Hello Done"的签名算法.我得到以下信息:
On checking the signature algorithms of "Certificate Request, Server Hello Done". I get the following:
我不太了解 SSL/密码学等.但根据这篇文章:"https://github.com/dotnet/运行时/问题/33708#issuecomment-600650819"我的 C# 应用程序无法协商密码套件吗?SChannel 不支持上面截图中提到的密码套件吗?我完全迷失在这里.由于 SSL 握手失败,无法获得简单的 HTTP 调用.
I do not understand SSL/cryptography etc that well. But as per this post : "https://github.com/dotnet/runtime/issues/33708#issuecomment-600650819" is my C# app unable to negotiate a cipher suite? Are the cipher suites mentioned in the above screenshot not supported by SChannel? I am completely lost here. Cant get a simple HTTP call due to SSL handshake fail.
框架:.Net5.0操作系统:Windows 10 Home(内部版本:19042.985)
Framework : .Net5.0 Operating System: Windows 10 Home (Build: 19042.985)
请帮忙.
推荐答案
我的 C# 应用程序是否无法协商密码套件?
is my C# app unable to negotiate a cipher suite?
客户端不协商密码套件.它只提供密码,服务器选择它支持的密码.由于服务器在 ClientHello 之后继续握手,并且由于客户端是关闭连接的人,因此不是密码问题.
The client does not negotiate a cipher suite. It just offers ciphers and the server picks one it supports. Since the server is continuing with the handshake after the ClientHello and since the client is the one closing the connection it is not a cipher problem.
虽然来自客户端的警报协议版本令人困惑,但在我看来,服务器请求了一个客户端证书(握手中的 CertificateRequest),但由于某些未知原因,客户端无法提供一个证书(无配置?),从而关闭连接.邮递员转而将客户证书发回.
While the alert protocol version from the client is confusing, it looks to me that the server requests a client certificate (CertificateRequest in the handshake) but the client cannot offer one for some unknown reason (none configured?) and thus closes the connection. Postman instead sees to send a client certificate back.
但这主要是基于 Wireshark 的删节截图的推测.当获得实际的数据包捕获时,人们可能能够提供更多信息,即完整数据而不仅仅是屏幕截图.
But this is mostly speculation based on redacted screenshots from Wireshark. One might be able to give more information when having the actual packet captures, i.e. the full data and not just screenshots.
这篇关于SSL 握手在 C# 中失败,但在邮递员中有效的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
