C＃HttpWebRequest SEC_I_RENEGOTIATE间歇性错误 [英] C# HttpWebRequest SEC_I_RENEGOTIATE Intermittent Errors

问题描述

我正在使用C＃（.Net框架3.5）应用程序中的SSL POST调用处理登录/注销功能。通过HttpWebRequest :: BeginGetResponse（）从服务器获取响应80％的时间，但其他20％是间歇性地抛出：

I'm working on login / logout functionality using SSL POST calls in a C# (.Net framework 3.5) application. Getting the response from the server via HttpWebRequest::BeginGetResponse() works 80% of the time, but the other 20% it is intermittently throwing:

The request was aborted: Could not create SSL/TLS secure channel.

我使用建议另一个问题的文章。这在请求跟踪中产生了两种不同的模式。

I enabled SSL tracing using the suggested article from another question. That produced two distinct patterns in the request traces.

似乎在执行期间，错误：

It seems that during execution, the error:

System.Net Error: 0 : [3680] Decrypt returned SEC_I_RENEGOTIATE.

，导致重新启动安全上下文。当这种情况发生时，它是成功的，这里是输出（注意我省略了实际的地址）：

is being received, causing re-init of the security context. When this happens, and it is successful, here is the output (noted that I omitted the actual address):

System.Net Error: 0 : [3680] Decrypt returned SEC_I_RENEGOTIATE.
System.Net Information: 0 : [3680] InitializeSecurityContext(credential =   System.Net.SafeFreeCredential_SECURITY, context = 4bec0d0:4c0a8a8, targetName = [omitted].com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [3680] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=78, returned code=ContinueNeeded).
System.Net Information: 0 : [7148] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 4bec0d0:4c0a8a8, targetName = [omitted].com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [7148] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [7148] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 4bec0d0:4c0a8a8, targetName = [omitted].com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [7148] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [7148] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 4bec0d0:4c0a8a8, targetName = [omitted].com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [7148] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=1259, returned code=ContinueNeeded).
System.Net Information: 0 : [7148] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 4bec0d0:4c0a8a8, targetName = [omitted].com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [7148] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [7148] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 4bec0d0:4c0a8a8, targetName = [omitted].com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [7148] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=OK).
System.Net Information: 0 : [7148] Remote certificate: [Version]
  V1

失败时：

System.Net Error: 0 : [3680] Decrypt returned SEC_I_RENEGOTIATE.
System.Net Information: 0 : [3680] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 4bec0d0:4c0ab50, targetName = [omitted].com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [3680] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=78, returned code=ContinueNeeded).
System.Net Error: 0 : [3680] Exception in the HttpWebRequest#20730349:: - The request was aborted: Could not create SSL/TLS secure channel.
System.Net Verbose: 0 : [3680] HttpWebRequest#20730349::EndGetResponse()
System.Net Error: 0 : [3680] Exception in the HttpWebRequest#20730349::EndGetResponse - The request was aborted: Could not create SSL/TLS secure channel.

我当然可以抓住这个异常，但是正确的处理是什么？

I can of course catch this exception, but what is the proper handling?

我的应用程序是否有办法防止（或正确处理）这些错误？发生这种情况似乎一段时间不断出现错误，但是在一些不确定的请求数后，再次开始工作。

Is there a way for my application to prevent (or properly handle) these errors? When it happens it seems to error constantly for a time, but then start to work again after some undetermined number of requests.

谢谢！

推荐答案

（原始答案见下文。）

这个错误通常意味着你的客户端和服务器未设置为使用相同类型的加密。通常，最简单的修复方法是明确地设置客户端中使用的版本。

What this error usually means is that your client and server are not set to use the same type of encryption. Often, the simplest method of fixing this is explicitly setting the version to use in the client.

如果您使用的是.NET 4.5或更高版本，则可以使用以下选项： ，从最安全到最不安全：

If you are using .NET 4.5 or newer, here are the options to try, in order from most secure to least secure:

• ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;


• ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11;


• ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;

• ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
• ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11;
• ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;

如果您使用的是.NET 4.0或更早版本，您只能使用上面的最后一行，因为这些版本不支持TLSv1.1和TLSv1.2。

If you are using .NET 4.0 or older, you can only use the last line above, as those versions do not support TLSv1.1 and TLSv1.2. It is highly recommended that you upgrade to .NET 4.5 to take advantage of TLSv1.2 support.

除了设置 SecurityProtocol 属性，您可能还需要设置： ServicePointManager.Expect100Continue = true;

In addition to setting the SecurityProtocol property, you may also have to set: ServicePointManager.Expect100Continue = true;

如果这些设置都没有帮助，可能意味着您的服务器仅支持SSLv3（或更糟糕的是，SSLv2）。如果是这种情况，请升级您的服务器！ SSLv3已损坏，不应再使用。

If none of these settings helps, it likely means that your server only supports SSLv3 (or, even worse, SSLv2). If that is the case, upgrade your server! SSLv3 is broken and should no longer be used.

SSLv3没有被认为是安全的。不要使用这些设置！虽然这是2011年的正确答案，但由于历史原因，它仍然在这里。

SSLv3 is NO LONGER considered secure. DO NOT use these settings! While this was the correct answer in 2011, it remains here only for historical reasons.

您需要添加在您的请求之前的以下代码行：

You need to add the following lines of code before your request:

ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;

从我看到的旧版本（.NET 2和/或Windows xp / 2003及更早版本）使用这些作为默认选项，但较新版本（.NET 3和/或Windows Vista / 2008及更高版本）不。

From what I have seen, older versions (.NET 2 and/or Windows xp/2003 and older) used these as the default options but newer versions (.NET 3 and/or Windows Vista/2008 and newer) do not.

这篇关于C＃HttpWebRequest SEC_I_RENEGOTIATE间歇性错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！