在初始握手期间使 IIS 需要 SSL 客户端证书 [英] Make IIS require SSL client certificate during initial handshake

问题描述

我正在尝试将 IIS 网站配置为需要 SSL 客户端证书.该网站是在 IIS 6 和 7 中设置的，但我更感兴趣的是使其适用于 7.我在 IIS 中设置了需要客户端证书属性，并且在通过 Web 浏览器访问该站点时它工作正常，但是 Java-客户端无法访问它.

I am trying to configure an IIS website to require SSL client certificates. The website is set up in both IIS 6 and 7, though I am more interested in making it work for 7. I set the require client certificates property in IIS and it works fine when accessing the site through a web browser, but a Java-based client is having trouble accessing it.

我认为问题在于 IIS 在初始 SSL 握手期间没有请求客户端证书.相反，它会协商正常的 SSL 连接，检查资源是否需要客户端证书，如果需要，则启动新的 SSL 握手请求客户端证书.IIS 这样做是为了支持仅需要某些资源的客户端证书的站点.即使为整个网站指定了要求，IIS 仍会发起两次 SSL 握手.我想强制 IIS 在第一次 SSL 握手时请求客户端证书，这有望为客户端工作.(客户端是由外部合作伙伴开发的，我几乎不知道它是如何设置的，也无法访问其源代码)

I believe the problem is that IIS does not request a client certificate during the initial SSL handshake. Instead it negotiates a normal SSL connection, checks to see if the resource requires client certificates, and if it does it then initiates a new SSL handshake that requests a client certificate. IIS does this so support sites that only require the client certificates for certain resources. Even when the requirement is specified for the entire website, IIS still initiates two SSL handshakes. I want to force IIS to request the client certificate on the first SSL handshake, which will hopefully get things working for the client. (The client is developed by an external partner and I have virtually no knowledge of how it is set up and no access to its source code)

有没有人在 IIS 中处理过这个问题?

Has anyone dealt with this problem in IIS before?

推荐答案

我花了一段时间才找到这个元数据库设置.我们的客户在使用新的 certicom 库时遇到了同样的问题.自从发现围绕 SSL Renegotiation 的 MITM 攻击以来，很多圈子的答案都是挂断重新协商请求.

It took me a while to find this metabase setting. We were having this same problem with our client using the new certicom libraries. Since the discovery of the MITM attack arround SSL Renegotiation, the answer in alot of circles has been to hangup on renegotitation requests.

从 inetpubadminscripts 运行以下 cmd 将强制 IIS 始终请求客户端证书.

running the following cmd from inetpubadminscripts will force IIS to always request a client certificate.

对于 IIS 6:cscript adsutil.vbs set w3svcsiteIDSSLAlwaysNegoClientCert True

For IIS 6: cscript adsutil.vbs set w3svcsiteIDSSLAlwaysNegoClientCert True

(所以对于默认网站，cscript adsutil.vbs set w3svc1SSLAlwaysNegoClientCert True)

(So for the default website, cscript adsutil.vbs set w3svc1SSLAlwaysNegoClientCert True)

请记住，某些客户端 Internet Explorer 在收到该数据包时会提示输入客户端证书，无论是否需要客户端证书.

Keep in mind that some clients Internet Explorer prompt for client certificates when it recieves that packet wether the client certificate is needed or not.

对于 IIS 7:

将以下文本保存到名为Enable_SSL_Renegotiate_Workaround.js"的文件中

Save the following text to a file called "Enable_SSL_Renegotiate_Workaround.js"

var vdirObj=GetObject("IIS://localhost/W3svc/1"); 
// replace 1 on this line with the number of the web site you wish to configure 

WScript.Echo("Value of SSLAlwaysNegoClientCert Before: " + vdirObj.SSLAlwaysNegoClientCert); 
vdirObj.Put("SSLAlwaysNegoClientCert", true); 
vdirObj.SetInfo(); 
WScript.Echo("Value of SSLAlwaysNegoClientCert After: " + vdirObj.SSLAlwaysNegoClientCert);

从提升的/管理员命令提示符运行以下命令:

Run the following command from an elevated / administrator command prompt:

cscript.exe enable_ssl_renegotiate_workaround.js

cscript.exe enable_ssl_renegotiate_workaround.js

(从 977377 的知识库文章中提取)

(Jacked from the KB article for 977377)

这篇关于在初始握手期间使 IIS 需要 SSL 客户端证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！