客户端和服务器无法通信,因为它们在Windows Server 2008 Web上不具有通用算法
[英]The client and server cannot communicate, because they do not possess a common algorithm on Windows Server 2008 Web
问题描述
I am working on a ASP.Net WebForms application. 
我正在研究ASP.Net WebForms应用程序。 We are using PayFort's Start API for the payment process. 我们正在使用PayFort的Start API进行付款。 The application is running fine on our local machine (Windows 10) but it shows following error when we try to make payment using their API on our deployment server (Windows Server Web 2008). 该应用程序在我们的本地计算机(Windows 10)上运行良好,但是当我们尝试在部署服务器(Windows Server Web 2008)上使用其API进行付款时,会显示以下错误。
The client and server cannot communicate, because they do not possess a common algorithm.
The documentation on their webpage ( PayFort Start and SSL/TLS ) states that they use Tls1.2 for the communication. 他们网页上的文档( PayFort Start和SSL / TLS )表明他们使用Tls1.2进行通信。 Their API already contains the code to use Tls1.2 as Security Protocol 他们的API已经包含使用Tls1.2作为安全协议的代码
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
We've built the application on .Net framework 4.5 since Tls1.2 only supported by .Net 4.5 or later. 由于Tls1.2仅受.Net 4.5或更高版本支持,因此我们已在.Net Framework 4.5上构建了该应用程序。 Needless to mention, our server has .Net Framework 4.5 installed in it. 不用说,我们的服务器中安装了.Net Framework 4.5。
We've also added the registry values for Tls1.1 and Tls1.2 in the windows registry 我们还在Windows注册表中添加了Tls1.1和Tls1.2的注册表值
Using the SSL Labs tool , we've also confirmed that there are atleast two Cipher suites supported by both servers (our server and PayFort's API Server) ( https://api.start.payfort.com ) 使用SSL Labs工具 ,我们还确认了两个服务器(我们的服务器和PayFort的API服务器)至少支持两种密码套件( https://api.start.payfort.com )
Cipher suites supported by PayFort's API Server PayFort的API服务器支持的密码套件 (Green outlined are those which are common with our server)
(绿色是我们的服务器常见的那些)
Cipher Suites supported by our server 我们的服务器支持的密码套件
I've also used the Nartac IIS crypto software and it's showing the following info as Best Practices 我还使用了Nartac IIS加密软件,并且将以下信息显示为Best Practices
I'm not sure if it has anything to do with the problem or not, but here are the details of the SSL certificate installed in our server 我不确定是否与问题有关,但这是我们服务器中安装的SSL证书的详细信息
Can anyone please point out that what we are doing wrong and what should we do in order to communicate with the desired server and make payment from the application deployed on our server as we are doing perfectly on our local machine. 谁能指出我们做错了什么,我们应该做些什么,以便与所需的服务器通信,并从部署在服务器上的应用程序中付款,因为我们在本地计算机上做得很好。
3 个解决方案
解决方案1
2 已采纳 2016-02-03 07:39:47
The problem was the Operating system. 问题出在操作系统上。 We were using Windows Server 2008 and we didn't realize the application need OS's protocol to communicate with other server. 我们使用Windows Server 2008,但没有意识到应用程序需要OS的协议才能与其他服务器进行通信。 Since we have .NET Framework 4.5 installed and we were also using the code ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; 由于已经安装了.NET Framework 4.5,并且我们还使用了代码ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; to force application to use Tls1.2 (according to the requirement), hence believed that everything should work fine, but obviously this wasn't going to happen. 强制应用程序使用Tls1.2 (根据要求),因此认为一切都可以正常工作,但是显然这不会发生。
tl;dr; tl; dr; We installed Windows Server 2012 on the machine and the application is running fine now (as it should) 我们在计算机上安装了Windows Server 2012 ,并且该应用程序现在可以正常运行(应该正常运行)
解决方案2
1 2016-01-26 05:34:47
I'm with the Payfort Start team. 我在Payfort Start团队中。 We've got a page here that helps describe this issue in more detail. 我们这里有一个页面,可帮助您更详细地描述此问题。 Essentially, your API client (the library you're using to make the HTTPS request) has to support TLS1.2. 本质上,您的API客户端(用于发出HTTPS请求的库)必须支持TLS1.2。 The Start API will reject any request that doesn't support TLS1.2 at a minimum. Start API将至少拒绝任何不支持TLS1.2的请求。
It would appear that the WebRequest does support TLS 1.1 and 1.2, but you have to turn them on manually. WebRequest似乎确实支持TLS 1.1和1.2,但是您必须手动将其打开。 You can refer to this answer for the fix. 您可以参考此答案以解决此问题。
To verify that your client supports TLS1.2 , you can send a GET request from your application to https://www.howsmyssl.com/a/check and read the response. 要验证您的客户端是否支持TLS1.2 ,您可以将GET请求从您的应用程序发送到https://www.howsmyssl.com/a/check并读取响应。
In cURL: 在cURL中:
> curl -X GET https://www.howsmyssl.com/a/check
Returns: 返回值:
{
given_cipher_suites: [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_RC4_128_SHA",
"TLS_RSA_WITH_RC4_128_MD5",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
],
ephemeral_keys_supported: true,
session_ticket_supported: true,
tls_compression_supported: false,
unknown_cipher_suite_supported: false,
beast_vuln: false,
able_to_detect_n_minus_one_splitting: false,
insecure_cipher_suites: {
"TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA": [
"uses keys smaller than 128 bits in its encryption"
]
},
tls_version: "TLS 1.2",
rating: "Bad"
}
Look out for the tls_version at the end. 最后请注意tls_version 。
解决方案3
1 2016-01-26 07:23:09
I hope this can clarify your situation a bit and help: 我希望这可以澄清您的情况并为您提供帮助:
1 Confirm that app is running under .net 4.5 (or higher). 1确认应用程序正在.net 4.5(或更高版本)下运行。
TLS 1.2 is supported in 4.5+. TLS 1.2在4.5+中受支持。 To get actual version of .net framework you app is running under: https://msdn.microsoft.com/en-us/library/system.environment.version(v=vs.110).aspx 要获取.net框架的实际版本,您的应用将在以下位置运行: https : //msdn.microsoft.com/zh-cn/library/system.environment.version(v=vs.110).aspx
2 Enable TLS 1.2 in Windows Registry. 2在Windows注册表中启用TLS 1.2。
I just found this link to be useful with enabling TLS 1.2 The client and server cannot communicate, because they do not possess a common algorithm 我刚刚发现此链接对于启用TLS 1.2很有用。客户端和服务器无法通信,因为它们没有通用的算法
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.