
Connecting a client to a TCP server using TLS 1.2

I'm trying, with no luck, to connect a device to a .Net (4.5.2) server. It's a TCP connection opened by the device, which uses TLS 1.2.

  • On the server side, I have a standard .Net implementation of a TCP server: SslStream wrapped through DotNetty
  • I cannot change anything on the device

Any .Net client can successfully connect to my server using a secured TLS connection. It's working when trying with curl too, so I've concluded my TCP server works fine.

So I've compared (using Wireshark) what was sent by a working client with what was sent by the device that cannot connect. The significant difference I found is the absence (for the device) of the Server Name extension (SNI) inside the Client Hello TLS message.

The next thing I tried was to manually send data to my server using Pcap.Net, i.e. to manually send TCP SYN / TCP ACK / Client Hello messages using raw byte arrays (raw data I got, thanks to Wireshark, from the device trying to connect to my server). I confirmed that tweaking the non-working Client Hello raw byte array by adding the Server Name extension causes my TLS handshake to work.

So obviously I have an issue with clients that don't include the SNI extension and a server that refuses the handshake if this information is not present.

How could I change the way my TCP server behaves to accept clients that don't provide the Server Name extension? Is it possible in the first place using the standard .Net SslStream class?

AFAIK, the SNI extension is not mandatory, and it's up to the client to decide whether or not to use it, so the server should theoretically accept a Client Hello message without it.

Any pointer would be greatly appreciated.
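The comparison described in the question, as an added example that is not part of the original post and not .Net code: a small Python parser that pulls the ClientHello out of a TLS record, lists the cipher suites and extension types, and reports whether the server_name (SNI, extension type 0) extension is present. `add_sni` is the raw-byte tweak the poster made to the device's hello, with the record, handshake and extensions length fields fixed up. The two sample hellos (`WORKING`, `FAILING`) are constructed here and stand in for the Wireshark captures; the cipher suite numbers and the host name are placeholders, not values from the question.

```python
import struct

# TLS extension type numbers (RFC 6066 server_name, RFC 5246 signature_algorithms)
SNI_EXT_TYPE = 0
SIG_ALGS_EXT_TYPE = 13


def build_client_hello(cipher_suites, server_name=None, version=(3, 3)):
    """Build a minimal TLS ClientHello record (constructed input, not a real capture). (3, 3) is TLS 1.2."""
    body = bytes(version)                                   # client_version
    body += b"\x11" * 32                                    # random (fixed for reproducibility)
    body += b"\x00"                                         # empty session_id
    suites = b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                                     # compression_methods: null only
    exts = b""
    if server_name is not None:
        exts += _sni_extension(server_name)
    sig_algs = b"\x04\x01\x05\x01\x06\x01"                  # rsa_pkcs1 with sha256/384/512
    sa_data = struct.pack(">H", len(sig_algs)) + sig_algs
    exts += struct.pack(">HH", SIG_ALGS_EXT_TYPE, len(sa_data)) + sa_data
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def _sni_extension(hostname):
    """Encode a server_name extension (type 0) carrying one host_name entry."""
    host = hostname.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(host)) + host   # name_type host_name(0)
    sni_data = struct.pack(">H", len(entry)) + entry        # server_name_list
    return struct.pack(">HH", SNI_EXT_TYPE, len(sni_data)) + sni_data


def _parse_sni(data):
    """Return the host_name strings in a server_name extension body."""
    list_len = struct.unpack(">H", data[:2])[0]
    pos, end, names = 2, 2 + list_len, []
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack(">H", data[pos + 1:pos + 3])[0]
        pos += 3
        if name_type == 0:
            names.append(data[pos:pos + name_len].decode("ascii"))
        pos += name_len
    return names


def parse_client_hello(record):
    """Parse one TLS record carrying a ClientHello. Returns version, cipher suites, {ext_type: data},
    SNI host names (None when absent) and the body offset of the extensions length field (None if none)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if hs_len + 4 > rec_len or len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 2 + 32                                            # skip client_version and random
    pos += 1 + body[pos]                                    # session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    cipher_suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + cs_len, 2)]
    pos += 2 + cs_len
    pos += 1 + body[pos]                                    # compression_methods
    extensions, sni, ext_offset = {}, None, None
    if pos < len(body):                                     # extensions block is optional (RFC 5246 7.4.1.2)
        ext_offset = pos
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            extensions[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
        if SNI_EXT_TYPE in extensions:
            sni = _parse_sni(extensions[SNI_EXT_TYPE])
    return {"version": version, "cipher_suites": cipher_suites,
            "extensions": extensions, "sni": sni, "ext_offset": ext_offset}


def add_sni(record, hostname):
    """Splice a server_name extension into a ClientHello record, fixing all length fields (the raw-byte tweak)."""
    info = parse_client_hello(record)
    if info["sni"] is not None:
        return record
    ext = _sni_extension(hostname)
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    off = info["ext_offset"]
    if off is None:                                         # hello had no extensions block at all
        body += struct.pack(">H", len(ext)) + ext
    else:                                                   # put SNI first, keep the other extensions
        old_len = struct.unpack(">H", body[off:off + 2])[0]
        body = body[:off] + struct.pack(">H", old_len + len(ext)) + ext + body[off + 2:]
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return record[:3] + struct.pack(">H", len(handshake)) + handshake


# Constructed sample hellos standing in for the two captures: same suites, only SNI differs.
WORKING = build_client_hello([0xC02F, 0xC030, 0x009C], server_name="device.example.test")
FAILING = build_client_hello([0xC02F, 0xC030, 0x009C])
```

To run it on a real capture, export the bytes of the Client Hello packet from Wireshark (the TLS record starting at the 0x16 content-type byte, after the TCP header) and pass them to `parse_client_hello`; `add_sni(failing, host)` then produces the record to replay with Pcap.Net. The parser only handles a single ClientHello per record, which is the normal case for a first flight.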

.Net 4.5.2 supports TLS 1.2, but it is disabled by default.

To enable it, you have to explicitly define the security protocol set:

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

For more information see the following link: https://msdn.microsoft.com/en-us/library/system.net.servicepointmanager.securityprotocol%28v=vs.110%29.aspx
