如何添加到ASP.NET HttpRequest客户端可用的密码套件？ [英] How to add to the cipher suites available to ASP.NET HttpRequest client?

问题描述

当我的ASP.NET网站在Windows 7框上运行时，它可以在另一台Windows 7机器上连接（以编程方式显示为客户端）到SSL加密服务（服务器）。

When my ASP.NET website is running on a windows 7 box, it can connect (programmatically as a "client") to an SSL-encrypted service ("server") on another windows 7 machine just fine.

但是如果我的网站在生产箱（Windows Server 2003）上，则服务的Windows日志显示：

But if my website is on the production box (windows server 2003), the service's windows log shows:

从远程客户端应用程序接收到TLS 1.0连接请求，但服务器不支持客户端应用程序支持的任何密码套件。 SSL连接请求失败。

（服务使用由makecert.exe创建的自签名证书，但我看不到如何使makecert允许更多的密码套件...或者我在2003年的盒子上安装什么？？这是： https://serverfault.com/questions / 166750 对我而言不起作用，因为我没有使用CSR）

(service is using a self-signed cert created by makecert.exe, but I can't see how to make makecert allow more cipher suites... or do I install something on the 2003 boxes...? This: https://serverfault.com/questions/166750 doesn't work for me because I am not using a CSR)

推荐答案

解决方案是生成我的证书再次，这次强制RSA和SHA1（尽管SHA1应该是默认的）。由于某些原因，Win Server 2k3无法或不会使用具有默认makecert证书的正确密码。这是为我工作的命令行：

The solution was to generate my certificate again, this time forcing RSA and SHA1 (though SHA1 should be the default anyway). For some reason Win Server 2k3 couldn't or wouldn't use the right ciphers with a default makecert certificate. Here is the command line that worked for me:

makecert -pe -r -ss my -sr localMachine -n​​CN = domainnameoripaddressgoeshere.com-e 01/01/2098 -a sha1 -eku 1.3.6.1.5.5.7.3.1 -sky exchange -spMicrosoft RSA SChannel加密提供程序-sy 12

有关详情，请参阅 http://mgowen.com/2013/06/ 19 / cipher-suites-issue / 和 http://msdn.microsoft.com/en-us/library/bfsktky3（v = vs.110）.aspx 。

如果有人发现这个 想要知道密码套件，但是我发现一些可能会帮助你的东西：

If anyone finding this does want to know about cipher suites though, here's some stuff I found along the way that may help you:

• 您可以使用此修补程序将两个RSA密码套件添加到Windows Server 2003： http://support.microsoft。 com / kb / 948963


• 你可以在 HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers 下的regedit（Windows注册表编辑器）中查看哪些密码支持
  
• 您可以使用IIS Crypto（免费加密配置应用程序， https://www.nartac.com/Products / IISCrypto / ）来查看和启用/禁用密码（包括上面的修补程序密码）。

• You can add two RSA cipher suites to windows server 2003 using this hotfix: http://support.microsoft.com/kb/948963
• You can see which ciphers are supported in regedit (windows registry editor) under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
• You can use IIS Crypto (a free cipher config app, https://www.nartac.com/Products/IISCrypto/) to view and enable/disable ciphers (including those hotfix ciphers above).

这篇关于如何添加到ASP.NET HttpRequest客户端可用的密码套件？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！