由于ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY,ASP.NET Core 3.0应用程序无法在Windows Server 2012 R2上运行 [英] ASP.NET Core 3.0 app not working on Windows Server 2012 R2 due to ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY
问题描述
我使用了一个正常工作的ASP.NET Core 2.2应用程序,将其升级到3.0,突然该应用程序不再在Windows Server 2012中运行.它包含以下内容:
I took a working ASP.NET Core 2.2 app, upgraded it to 3.0 and suddenly the app no longer works in Windows Server 2012. It comes up with the following:
ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY
Chrome:
Firefox:
在我不得不选择加入HTTP/2之前,现在似乎是默认值以及HTTP1.1.这里有一个 https://github.com/aspnet/AspNetCore/issues/14350 的帖子,但没有真正的解决方案,这完全令人困惑.
It seems that before I had to opt into HTTP/2 and now its the default along with HTTP1.1. There is a post here https://github.com/aspnet/AspNetCore/issues/14350 but that is totally confusing with no real solution.
I have tried all sorts of enabling / disabling insecure protocols but to no avail. Such as https://www.admin-enclave.com/de/articles-by-year/11-data-articles/website_articles/articles/exchange_articles/405-resolved-error-err_spdy_inadequate_transport_security-when-using-google-chome-and-owa.html
由于我认为更好的协议套件,因此在Windows 10上运行良好.但是在Fiddler中,我检查了一下,与Kestrel进行谈判的唯一区别是:
Works fine on Windows 10 due to what I assume more better protocol suite. But in Fiddler I checked and the only difference when negotiating with Kestrel is:
Windows Server 2012 R2:
Windows Server 2012 R2:
[0A0A] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[1301] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[1302] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[1303] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C02F] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[C030] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[CCA9] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[CCA8] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
[C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
[009C] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[009D] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[002F] TLS_RSA_AES_128_SHA
[0035] TLS_RSA_AES_256_SHA
[000A] SSL_RSA_WITH_3DES_EDE_SHA
Windows 10:
Windows 10:
[3A3A] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[1301] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[1302] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[1303] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C02F] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[C030] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[CCA9] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[CCA8] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
[C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
[009C] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[009D] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[002F] TLS_RSA_AES_128_SHA
[0035] TLS_RSA_AES_256_SHA
[000A] SSL_RSA_WITH_3DES_EDE_SHA
最上面的一行是不同的,仅此而已.不知道这是什么,它是一些 GREASE 值.
The top line is different, but that is all. Not sure what is it, it is some GREASE value.
Program.cs:
Program.cs:
public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.UseKestrel(opts => {
opts.ListenAnyIP(5000);
opts.ListenAnyIP(5001, listenOpts => {
listenOpts.UseHttps(new HttpsConnectionAdapterOptions {
ServerCertificate = new X509Certificate2("certificate-server.pfx", "...")
});
});
opts.Limits.MaxRequestBodySize = null;
})
.UseContentRoot(Directory.GetCurrentDirectory())
.UseStartup<Startup>();
}
更新
由于@ chris-pratt,我似乎走在正确的轨道上.将证书密码更改为 ECDSA_nistP256 可使Web应用程序正常工作.但是不幸的是,我还在使用证书来签名JWT令牌,现在它被打破了:
Update
Seems I am on the right track thanks to @chris-pratt. Changing the certificate cipher to ECDSA_nistP256 make the web application work. But unfortunately I am using the cert to also sign the JWT tokens, and now that is broken with:
System.NotSupportedException:证书密钥算法不正确支持的.在System.Security.Cryptography.X509Certificates.PublicKey.get_Key()
System.NotSupportedException: The certificate key algorithm is not supported. at System.Security.Cryptography.X509Certificates.PublicKey.get_Key()
签名代码为:
var privateKey = new X509SecurityKey(new X509Certificate2("certificate-server.pfx", "..."));
var token = new JwtSecurityToken(
issuer: "Sentry",
claims: claims,
notBefore: DateTime.Now,
expires: DateTime.Now.AddDays(1),
signingCredentials: new SigningCredentials(privateKey, SecurityAlgorithms.RsaSha256Signature));
return new JwtSecurityTokenHandler().WriteToken(token);
我尝试更改 SecurityAlgorithms 枚举,但未成功.
I tried changing the SecurityAlgorithms enum but did not get any success.
推荐答案
Windows 2012 R2不支持HTTP/2允许的密码套件.我假设从Core 3.0开始,默认情况下启用了HTTP/2协议.我通过在kestrel中禁用HTTP/2来解决我的问题,如下所示:
Windows 2012 R2 does not support the cypher suites that are allowed for HTTP/2. I assume that starting with Core 3.0 the HTTP/2 protocol is enabled by default. I solved my problem by disabling HTTP/2 in kestrel as follows:
public static IHostBuilder CreateHostBuilder(string[] args) =>
Host.CreateDefaultBuilder(args).ConfigureWebHostDefaults(webBuilder =>
{
webBuilder.UseKestrel(options =>
{
options.Listen(System.Net.IPAddress.Parse(DomainIp), 80);
options.Listen(System.Net.IPAddress.Parse(DomainIp), 443, l =>
{
l.UseHttps(
DomainCertificateFile,
DomainCertificatePassword);
l.Protocols = Microsoft.AspNetCore.Server.Kestrel.Core.HttpProtocols.Http1;
});
});
webBuilder.UseStaticWebAssets();
webBuilder.UseStartup<Startup>();
});
这篇关于由于ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY,ASP.NET Core 3.0应用程序无法在Windows Server 2012 R2上运行的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
