将密码套件添加到 dotnetcore 3.1 的 HttpClient 的 TLS1.2 [英] Adding Cipher suite to TLS1.2 of HttpClient of dotnetcore 3.1
问题描述
我在连接西数网站时遇到以下异常:
由
Firefox 成功连接到网站,Wireshark 发现 Firefox 在列表中有 1 个密码:
然而,我的 dotnet 核心应用程序在 ssl 握手中有一个致命的问题,因为它没有一个与 WD 通用的密码:
我花了很多时间才明白错误来自这里......如果它真的来自这里.
因此 2 个问题来自此分析:
是否可以在我的 dot net core 3.1 应用程序中添加一个密码套件,用 C# 编写以符合本网站的要求?我看到互联网上的讨论规定,也许美国公司微软不允许出口强加密算法......如果这是真的,那么 firefox(美国也是)使用与西方数字(美国也是)相同的套件呢?
是否有可能在 C# 中使用另一个库(我考虑开放 SSl)但另一个库确实提供了 https 的所有层(即建议等效于 httpClient)/跨平台如何避免失去跨平台dotnetcore 的特性......
备注:即使是 Fiddler 也有这个问题!这是可以理解的,因为它也依赖于.net框架技术:
- 为了回答@Steffen Ullrich 的评论,我在 Win7 上运行这些东西:
.NET Core 使用原生 TLS 堆栈支持的密码,即 SChannel.支持哪些密码取决于 Windows 的版本.您的操作系统支持哪些密码(记录在 Windows 7 中的 TLS 密码套件.如您所见,您的操作系统不支持服务器提供的任何密码.
使用 Firefox 或 Chrome 浏览器,情况就不同了.它们带有自己的堆栈,因此不受操作系统提供的限制.这就是它们起作用的原因.
I encounter the folowing exception when connecting to the website of Western digital:
22:02:34,803 | HttpGrabber | DEBUG | Grabbing: GET https://shop.westerndigital.com/de-de/products/internal-drives/wd-red-sata-2-5-ssd#WDS200T1R0A
22:02:34,858 | HttpGrabber | DEBUG | System.Net.Http.SocketsHttpHandler.Http2Support: True
22:02:34,865 | HttpGrabber | DEBUG | System.Net.Http.UseSocketsHttpHandler: True
22:02:35,067 | HttpGrabber | ERROR | System.AggregateException: One or more errors occurred. (The SSL connection could not be established, see inner exception.)
---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
---> System.ComponentModel.Win32Exception (0x80090326): Le message reçu était inattendu ou formaté de façon incorrecte.
--- End of inner exception stack trace ---
I think that the C# code is correct as I have 3/4 Unit test Passing:
[TestCase("https://allianz-fonds.webfg.net/sheet/fund/FR0013192572/730?date_entree=2018-04-04")]
[TestCase("https://www.galaxus.de/de/s1/product/zotac-zbox-magnus-en72070v-intel-core-i7-9750h-0gb-pc-13590721")]
[TestCase("https://www.hystou.com/Gaming-Mini-PC-F7-with-Nvidia-GeForce-GTX-1650-p177717.html")]
[TestCase("https://shop.westerndigital.com/de-de/products/internal-drives/wd-red-sata-2-5-ssd#WDS200T1R0A")]
The SSL diagnostic done by ssllabs gives a list of supported cipher suites handled by the website of Western digital:
Firefox connects succesfully to the website, and Wireshark spots that firefox has 1 cipher in the list:
However my dotnet core application has a fatal in the ssl handshake because it has not a single cipher common with WD :
I took a lot of time to understand that the error comes from here.... if it really comes from here.
Hence 2 questions comes from this analysis:
Is it possible to add a cipher suite in my dot net core 3.1 application , written in C# to be compliant with this website ? I have seen discussion on internet stipulating that maybe the Us company which is Microsoft is not allowed to export strong cryptographic algorithms... if this is true, what about firefox (Usa too) using the same suite as Western digital (Usa too).
Is there a possibility to use in C# another library ( I think about open SSl) but the other library does provide all layers of https (ie propose equivalent of httpClient) / what about crossplatform to avoid loosing the cross platform feature of dotnetcore ....
Remark: Even Fiddler has this problem ! Which is understandable as it is also relying on the dot net framework technology:
- To answer comment of @Steffen Ullrich I run this stuff on Win7:
.NET Core uses the ciphers supported by the native TLS stack, i.e. SChannel. Which ciphers are supported depend on the version of Windows. Which ciphers are supported by your OS (is documented in TLS Cipher Suites in Windows 7. As you can see, none of the ciphers offered by the server are supported by your OS.
With Firefox or Chrome browser the situation is different. These come with their own stack and are thus not limited on what the OS offers. That's why they work.
这篇关于将密码套件添加到 dotnetcore 3.1 的 HttpClient 的 TLS1.2的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
