使用 TLS 1.2 将客户端连接到 TCP 服务器 [英] Connecting a client to a TCP server using TLS 1.2

问题描述

我正在尝试将设备连接到 .Net (4.5.2) 服务器，但没有成功.这是设备打开的 TCP 连接，使用 TLS 1.2.

I'm trying with no luck to connect a device to a .Net (4.5.2) server. It's a TCP connection opened by the device, that uses TLS 1.2.

• 在服务器端，我有一个 TCP 服务器的标准 .Net 实现:SslStream 包裹在 DotNetty
• 我无法更改设备上的任何内容

任何 .Net 客户端都可以使用安全的 TLS 连接成功连接到我的服务器.尝试使用 CURL 时它也能正常工作，所以我得出结论我的 TCP 服务器工作正常.

Any .Net client can successfully connect to my server using a secured TLS connection. It's working when trying with CURL too, so I've concluded my TCP server works fine.

所以我比较了(使用 Wireshark)工作客户端发送的内容和无法连接的设备发送的内容.我发现的显着区别是没有(对于设备)服务器名称扩展 (SNI) 在 Client Hello TLS 消息中.

So I've compared (using Wireshark) what was sent by a working client from what was sent by the device that cannot connect. The significant difference I found is the absence (for the device) of the Server Name Extension (SNI) inside the Client Hello TLS message.

接下来我尝试的是使用 Pcap.Net 手动将数据发送到我的服务器，即使用原始字节数组(我从尝试连接到我的服务器的设备获得的原始数据(感谢 Wireshark))手动发送 TCP SYN/TCP ACK/Client Hello 消息.我确认通过添加服务器名称扩展来调整非工作 Client Hello 原始字节数组会导致我的 TLS 握手工作.

Next thing I tried is to manually send data to my server using Pcap.Net, i.e. to manually send TCP SYN/TCP ACK/Client Hello messages using raw byte arrays (raw data I got (thanks to Wireshark) from the device trying to connect to my server). I confirmed that tweaking the non-working Client Hello raw byte array by adding the Server Name extension causes my TLS handshake to work.

很明显，我遇到了不包含 SNI 扩展的客户端和如果不存在此信息则拒绝握手的服务器的问题.

So obviously I got an issue with clients that don't include the SNI extension and a server that refuses the handshake if this information is not present.

我怎样才能改变我的 TCP 服务器的行为方式来接受不提供服务器名称扩展的客户端?首先是否可以使用标准的 .Net SslStream 类?

How could I change the way my TCP server behave to accept client that don't provide the Server Name extension? Is it possible in the first place using the standard .Net SslStream class?

AFAIK，SNI 扩展不是强制性的，由客户端决定是否使用它，所以服务器应该理论上接受没有它的 Client Hello 消息.

AFAIK, the SNI extension is not mandatory, and it's up to the client to decide whether or not to use it, so the server should theoretically accept a Client Hello message without it.

任何指针将不胜感激.

推荐答案

.Net 4.5.2 支持 TLS1.2，但默认禁用.

.Net 4.5.2 supports TLS1.2 but it is disabled by default.

要启用它，您必须明确定义安全协议集.

For enabling it you have to explicitly define the security protocol set.

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

有关更多信息，请参阅以下链接https://msdn.microsoft.com/en-us/library/system.net.servicepointmanager.securityprotocol%28v=vs.110%29.aspx

for more information see the following link https://msdn.microsoft.com/en-us/library/system.net.servicepointmanager.securityprotocol%28v=vs.110%29.aspx

这篇关于使用 TLS 1.2 将客户端连接到 TCP 服务器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！