Windows 10的SChannel问题 [英] SChannel issue with Windows 10
问题描述
我有一个使用System.Net.Security.SslStream类建立与服务器的安全连接的应用程序.在Windows 7和Windows 8/8.1上,这可以正常工作.在Windows 10上,对SslStream.AuthenticateAsClient的调用引发异常-"AuthenticationException:对SSPI的调用失败,请参阅内部异常".内部异常是"Win32Exception:无法联系本地安全机构".这并非特定于一台Windows 10计算机.
I have an application that uses the System.Net.Security.SslStream class to make a secure connection to a server. On Windows 7 and Windows 8/8.1, this works fine. On Windows 10, the call to SslStream.AuthenticateAsClient throws an exception - "AuthenticationException: A call to SSPI failed, see inner exception". The inner exception is "Win32Exception: The Local Security Authority cannot be contacted". This is not specific to one Windows 10 machine.
我认为这可能与服务器证书的公钥长度为512位有关,因此我使用512位公钥创建了自己的自签名证书,并在其上测试了SslStream.AuthenticateAsClient.Windows 10计算机.这很好.
I thought that it might have something to do with the length of the public key for the server certificate being 512 bits, so I created my own self-signed certificate with a 512 bit public key and tested SslStream.AuthenticateAsClient with it on the Windows 10 machine. This worked fine.
我试图找出Windows 10中的哪些更改导致此功能不再起作用.查看System.Net生成的日志和Wireshark的捕获,我看到客户端收到SERVER HELLO,CERTIFICATE和SERVER DONE消息,然后客户端关闭了连接.在系统事件日志中,SChannel记录了一个错误-致命警报已生成并发送到远程端点.这可能导致连接终止.TLS协议定义的致命错误代码为40.Windows SChannel错误状态是813."显然TLS错误代码40是握手失败,但我无法找到有关SChannel错误状态813的任何信息.
I am trying to figure out what changed in Windows 10 that is causing this to no longer work. Looking at the log generated by System.Net and a capture from Wireshark, I see that the client receives the SERVER HELLO, CERTIFICATE, and SERVER DONE messages, and then the client closes the connection. In the System event log, there is an error logged by SChannel - "A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 813." Apparently TLS error code 40 is a handshake failure, but I have not been able to find anything about SChannel error state 813.
通过查看Wireshark中的SSL握手,我发现正在使用TLS_RSA_WITH_3DES_EDE_CBC_SHA密码套件.连接到我创建的测试服务器(可使用512位公共密钥证书)时,将使用TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA密码套件.在Windows 10上使用TLS_RSA_WITH_3DES_EDE_CBC_SHA是否存在问题?
By looking at the SSL handshake in Wireshark, I have found that the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite is being used. When I connected to the test server that I created (which works with a 512 bit public key certificate), the TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA cipher suite is used. Is there an issue with using TLS_RSA_WITH_3DES_EDE_CBC_SHA on Windows 10?
推荐答案
.Net SSL客户端应用程序存在类似的问题,该应用程序使用TLS1.0和TLS1.2连接到多个服务器.
We had similar issues with our .Net SSL client application which is connected to multiple servers using TLS1.0 and TLS1.2.
问题是Windows SChannel中的TLS1.2不支持某些弱密码套件,但是对于使用TLS1.0的连接,允许使用这些密码套件.
The problem is that TLS1.2 in Windows SChannel doesn't support some weak Cipher Suites, however for connections using TLS1.0 these Cipher Suites are allowed.
.Net 4.6.1更改了Windows系统的行为;在此版本之前,首选协议是TLS1.0,在更新到版本> = 4.6.1之后,所有.Net客户端都会自动设置为TLS 1.2 .另外,某些KB安全更新可能会影响行为.
The behaviour of Windows system changed with .Net 4.6.1; before this version preferred protocol was TLS1.0, after update to version >=4.6.1 all .Net clients are automatically set to TLS 1.2. Also some KB security updates may affect the behaviour.
第一种方法是将应用程序修改为严格使用TLS1.0(从安全性角度来看这是不正确的):
The first way is to modify the application to use strictly TLS1.0 (which is not correct from security view):
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls
第二种方法是使用免费工具IISCrypto ,该工具可以帮助您禁用/启用协议和密码套件: https://www.nartac.com/Products/IISCrypto IISCrypto-Ciphers-Selection
Second way is to use free tool IISCrypto which can help you to disable/enable your protocols and cipher suites: https://www.nartac.com/Products/IISCrypto IISCrypto-Ciphers-Selection
请注意,设置存储在Windows注册表中,并且对于所有协议都是通用的,您可能需要玩"配置以找到最适合您正在使用的所有连接的设置.
Note, the settings is stored in Windows Registry and is common for all protocols, you may need to "play" with configurations to find the one which fits best for all connections you're using.
这篇关于Windows 10的SChannel问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
