堆栈内存溢出
  简体   繁体   English

TLS连接握手失败

[英]TLS connection handshake Failure

 原文  2014-11-07 13:14:13       c#/ ssl/ paypal/ https

问题描述

We have difficulties to make https connections to the remote machines (like PayPal vb.) who disabled SSL3 protocol from our .Net application. 我们很难与从.Net应用程序禁用SSL3协议的远程计算机(如PayPal vb。)建立https连接。 We are getting following exception on GetResponse method of HttpWebRequest instance. 我们在HttpWebRequest实例的GetResponse方法上遇到以下异常。

The request was aborted: Could not create SSL/TLS secure channel. 请求已中止:无法创建SSL / TLS安全通道。

When we go depth and trace network logs with WireShark, we see that remote machine return the following error 当我们使用WireShark深度和跟踪网络日志时,我们看到远程机器返回以下错误

TLSv1.2 Alert (Level: Fatal, Description: Handshake Failure) Handshake Failure 40 TLSv1.2警报(级别:致命,描述:握手失败)握手失败40

More interesting situation is when I try enter to PayPal address to the internet browser, it can successfully open the page, which means that connection can be established, We also try to connect with OpenSSL command tool, result is again succesfully connected. 更有趣的情况是当我尝试输入PayPal地址到互联网浏览器时,它可以成功打开页面,这意味着可以建立连接,我们也尝试连接OpenSSL命令工具,结果再次成功连接。

When we compare the WireShark logs of InternetExplorer and .Net application we can see that Internet Explorer is sending more available cipher suites than .Net application, and also PayPal is selecting the following cipher which is not in .Net applications requests. 当我们比较InternetExplorer和.Net应用程序的WireShark日志时,我们可以看到Internet Explorer正在发送比.Net应用程序更多的可用密码套件,并且PayPal正在选择以下不在.Net应用程序请求中的密码。

TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_SHA

Followings are captured logs from WireShark: 以下是WireShark捕获的日志:

ServerMachine:.Net application Client Hello ServerMachine:.Net应用程序客户端Hello .Net应用程序客户端您好 ServerMachine:.Net application Server Response ServerMachine:.Net应用程序服务器响应 .Net应用程序服务器响应 ServerMachine:InternetExplorer Client Hello ServerMachine:InternetExplorer客户端您好 IE客户端你好 ServerMachine:InternetExplorer Server Hello ServerMachine:InternetExplorer服务器您好 IE服务器你好

Followings are captured from our development machines which is working without a problem. 从我们的开发机器中捕获了以下内容,这些机器正常运行。 DevMachine:.Net application Client Hello DevMachine:.Net应用程序客户端Hello 开发环境中的.Net应用程序客户端Hello DevMachine:.Net application Server Hello DevMachine:.Net application Server Hello 开发环境中的.Net应用服务器Hello

What we think that PayPal doesn't like our Cipher Suites that we send on "Client Hello" request from .Net application. 我们认为PayPal不喜欢我们通过.Net应用程序发送的“客户端Hello”请求发送的密码套件。

More more interesting situation is this problem only occured on our production machines which are running Windows 2008 R2, everythins is working on our dev enviroment with Windows Server 2008 R2 and Windows 8 pcs. 更有趣的情况是这个问题只出现在运行Windows 2008 R2的我们的生产机器上,Everythins正在使用Windows Server 2008 R2和Windows 8 pc开发我们的开发环境。

Please give us some idea to solve this problem. 请给我们一些解决这个问题的想法。

Following is our C# code to connect PayPal api. 以下是连接PayPal api的C#代码。 

HttpWebRequest wr = (HttpWebRequest)WebRequest.Create("https://api-3t.sandbox.paypal.com/2.0/");

wr.Method = "POST";
wr.ContentType = "application/x-www-form-urlencoded";


string output = null;
try
{
    WebResponse wres = wr.GetResponse();
    Stream ress = wres.GetResponseStream();
    StreamReader ressr = new StreamReader(ress, Encoding.UTF8);
    output = ressr.ReadToEnd();
}
catch (System.Net.WebException webEx)
{
    if (webEx.Response != null)
    {
        WebResponse wres = webEx.Response;
        Stream ress = wres.GetResponseStream();
        StreamReader ressr = new StreamReader(ress);
        output = ressr.ReadToEnd();
    }
    else
        throw webEx;

}
catch (Exception ex)
{
    throw ex;
}

Best Regards 最好的祝福

1 个解决方案

解决方案1
 3 已采纳  2014-11-07 14:53:07

What we think that PayPal doesn't like our Cipher Suites that we send on "Client Hello" request from .Net application. 我们认为PayPal不喜欢我们通过.Net应用程序发送的“客户端Hello”请求发送的密码套件。

This is correct. 这是对的。 If you look at ssllabs you will see, that api-3t.sandbox.paypal.com supports only RC4-SHA (TLS_RSA_WITH_RC4_128_SHA) which is not included in your cipher set. 如果你看一下ssllabs,你会看到,api-3t.sandbox.paypal.com只支持RC4-SHA(TLS_RSA_WITH_RC4_128_SHA),它不包含在你的密码集中。

More more interesting situation is this problem only occured on our production machines which are running Windows 2008 R2 更有趣的情况是这个问题只发生在运行Windows 2008 R2的生产机器上

It might be that you've added some hardening to the production systems and disabled RC4-SHA, because this cipher is considered insecure. 可能是您已经为生产系统添加了一些强化并禁用了RC4-SHA,因为这种密码被认为是不安全的。 See Microsoft Technet for a matching recommendation which you have probably implemented. 有关您可能已实施的匹配建议,请参阅Microsoft Technet

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 TLS致命:握手失败 - TLS Fatal: Handshake Failure (0x80131904):连接已成功建立......(提供者:SSL 提供者,错误:31 - 加密(ssl/tls)握手失败) - (0x80131904): A connection was successfully established.... (provider: SSL Provider, error: 31 - Encryption(ssl/tls) handshake failed) 仅允许TLS 1.0后,仍可以进行TLS 1.2握手 - TLS 1.2 handshake still possible after only allowing TLS 1.0 来自…tls的TLS握手错误:客户端未提供证书 - TLS handshake error from … tls: client didn't provide a certificate 与SslStream的XMPP TLS连接 - XMPP TLS connection with SslStream AspNetCore SignalR 连接握手失败 - AspNetCore SignalR failed connection handshake Xamarin / Mono Mac - AppStore版本中的握手失败 - Xamarin/Mono Mac - Handshake failure in AppStore build 如何从服务器检查协商的TLS握手? - How do you check the Negotiated TLS Handshake from the Server? 在 Service Fabric 应用程序中禁用 TLS 握手客户端证书请求 - Disable TLS Handshake Client Certificate Request in Service Fabric Application TLS连接:覆盖证书验证 - TLS connection: override certificate validation
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM