C# HttpWebRequest SEC_I_RENEGOTIATE 间歇性错误 [英] C# HttpWebRequest SEC_I_RENEGOTIATE Intermittent Errors

问题描述

我正在 C#(.Net 框架 3.5)应用程序中使用 SSL POST 调用处理登录/注销功能.通过 HttpWebRequest::BeginGetResponse() 从服务器获取响应的时间为 80%，但另外 20% 的时间为间歇性抛出:

I'm working on login / logout functionality using SSL POST calls in a C# (.Net framework 3.5) application. Getting the response from the server via HttpWebRequest::BeginGetResponse() works 80% of the time, but the other 20% it is intermittently throwing:

The request was aborted: Could not create SSL/TLS secure channel.

我使用来自另一个问题的建议文章启用了 SSL 跟踪.这在请求跟踪中产生了两种不同的模式.

I enabled SSL tracing using the suggested article from another question. That produced two distinct patterns in the request traces.

好像在执行过程中，报错:

It seems that during execution, the error:

System.Net Error: 0 : [3680] Decrypt returned SEC_I_RENEGOTIATE.

正在接收，导致重新初始化安全上下文.当这种情况发生并且成功时，输出如下(注意我省略了实际地址):

is being received, causing re-init of the security context. When this happens, and it is successful, here is the output (noted that I omitted the actual address):

System.Net Error: 0 : [3680] Decrypt returned SEC_I_RENEGOTIATE.
System.Net Information: 0 : [3680] InitializeSecurityContext(credential =   System.Net.SafeFreeCredential_SECURITY, context = 4bec0d0:4c0a8a8, targetName = [omitted].com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [3680] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=78, returned code=ContinueNeeded).
System.Net Information: 0 : [7148] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 4bec0d0:4c0a8a8, targetName = [omitted].com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [7148] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [7148] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 4bec0d0:4c0a8a8, targetName = [omitted].com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [7148] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [7148] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 4bec0d0:4c0a8a8, targetName = [omitted].com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [7148] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=1259, returned code=ContinueNeeded).
System.Net Information: 0 : [7148] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 4bec0d0:4c0a8a8, targetName = [omitted].com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [7148] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [7148] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 4bec0d0:4c0a8a8, targetName = [omitted].com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [7148] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=OK).
System.Net Information: 0 : [7148] Remote certificate: [Version]
  V1

失败时:

System.Net Error: 0 : [3680] Decrypt returned SEC_I_RENEGOTIATE.
System.Net Information: 0 : [3680] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 4bec0d0:4c0ab50, targetName = [omitted].com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [3680] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=78, returned code=ContinueNeeded).
System.Net Error: 0 : [3680] Exception in the HttpWebRequest#20730349:: - The request was aborted: Could not create SSL/TLS secure channel.
System.Net Verbose: 0 : [3680] HttpWebRequest#20730349::EndGetResponse()
System.Net Error: 0 : [3680] Exception in the HttpWebRequest#20730349::EndGetResponse - The request was aborted: Could not create SSL/TLS secure channel.

我当然可以捕捉到这个异常，但正确的处理是什么?

I can of course catch this exception, but what is the proper handling?

我的应用程序有什么方法可以防止(或正确处理)这些错误?当它发生时，它似乎在一段时间内不断出错，但在一些不确定数量的请求后又开始工作.

Is there a way for my application to prevent (or properly handle) these errors? When it happens it seems to error constantly for a time, but then start to work again after some undetermined number of requests.

谢谢！

推荐答案

(原答案见下文.)

此错误通常意味着您的客户端和服务器未设置为使用相同类型的加密.通常，解决此问题的最简单方法是明确设置要在客户端中使用的版本.

What this error usually means is that your client and server are not set to use the same type of encryption. Often, the simplest method of fixing this is explicitly setting the version to use in the client.

如果您使用 .NET 4.5 或更新版本，以下是可以尝试的选项，按照从最安全到最不安全的顺序:

If you are using .NET 4.5 or newer, here are the options to try, in order from most secure to least secure:

• ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
• ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11;
• ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;

如果您使用 .NET 4.0 或更早版本，则只能使用上面的最后一行，因为这些版本不支持 TLSv1.1 和 TLSv1.2.强烈建议您升级到 .NET 4.5 以利用 TLSv1.2 支持.

If you are using .NET 4.0 or older, you can only use the last line above, as those versions do not support TLSv1.1 and TLSv1.2. It is highly recommended that you upgrade to .NET 4.5 to take advantage of TLSv1.2 support.

除了设置SecurityProtocol 属性外，您可能还需要设置:ServicePointManager.Expect100Continue = true;

In addition to setting the SecurityProtocol property, you may also have to set: ServicePointManager.Expect100Continue = true;

如果这些设置都没有帮助，则可能意味着您的服务器仅支持 SSLv3(或者更糟的是 SSLv2).如果是这种情况，请升级您的服务器！ SSLv3 已损坏，不应再使用.

If none of these settings helps, it likely means that your server only supports SSLv3 (or, even worse, SSLv2). If that is the case, upgrade your server! SSLv3 is broken and should no longer be used.

SSLv3 不再被认为是安全的.请勿使用这些设置！虽然这是 2011 年的正确答案，但仅出于历史原因保留在这里.

SSLv3 is NO LONGER considered secure. DO NOT use these settings! While this was the correct answer in 2011, it remains here only for historical reasons.

您需要在请求前添加以下代码行:

You need to add the following lines of code before your request:

ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;

据我所知，旧版本(.NET 2 和/或 Windows xp/2003 及更早版本)使用这些作为默认选项，但新版本(.NET 3 和/或 Windows Vista/2008 及更高版本)没有.

From what I have seen, older versions (.NET 2 and/or Windows xp/2003 and older) used these as the default options but newer versions (.NET 3 and/or Windows Vista/2008 and newer) do not.

这篇关于C# HttpWebRequest SEC_I_RENEGOTIATE 间歇性错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！