尝试在带有.net 4.0的XP sp3上运行TLS1.2
[英]Trying to run TLS1.2 on XP sp3 with .net 4.0
问题描述
Before we begin, I am aware the proper thing would be to upgrade the OS. 
在开始之前,我知道正确的事情是升级操作系统。 I am trying to work around this issue and as you might imagine there are a lot of dead ends. 我正在尝试解决此问题,并且您可能会想到有很多死胡同。 I found something that seems to work but I am not clear on why specifically and looking for some help. 我发现了一些似乎可行的方法,但是不清楚为什么要专门寻找帮助。
Windows XP does not support SSL/TLS 1.1/1.2 Windows XP不支持SSL / TLS 1.1 / 1.2
Source 1 来源1
Source 2 来源2
.Net 4.0 does not support TLS 1.2 .Net 4.0不支持TLS 1.2
Source 3 来源3
.Net 4.5+ does support TLS 1.2 but cannot be installed on XP .Net 4.5+确实支持TLS 1.2,但不能安装在XP上
Source 4 Source 5 来源4 来源5
If you override ServerCertificateValidationCallback with your own cert validation it works. 如果您使用自己的证书验证覆盖ServerCertificateValidationCallback,那么它将起作用。 Why? 为什么? What is going on? 到底是怎么回事? Is it really working? 真的有效吗? Its appears to be communicating over SSL. 它似乎正在通过SSL通信。 Network operations assures me there is no fall back SSL/TLS on the server. 网络操作可确保我在服务器上没有后备SSL / TLS。
Alternatives: Get self signed cert for older TLS 1.0, cant get this from CA anymore 替代方案:获取旧版TLS 1.0的自签名证书,无法再从CA获得此证书
use other C++ library or similar that supports TLS 1.2 and call it from .NET 使用其他支持TLS 1.2的C ++库或类似库,并从.NET调用它
UPDATE 1: I still dont know why the ServerCertificateValidationCallback seems to work. 更新1:我仍然不知道为什么ServerCertificateValidationCallback似乎起作用。 Now I am looking to see what Cipher Suite is supported by specifically XP SP3. 现在,我希望了解XP SP3特别支持哪些Cipher Suite。 I am looking at packets and using this article as a guide. 我正在查看数据包,并以本文为指导。 As was pointed out, even if I find an alternative library if the Cipher Suite is not being served or accepted I am still no go with a solution. 如前所述,即使没有提供或接受密码套件,即使我找到了一个替代库,也仍然没有解决的办法。
I did try SecureBlackBox with some success (was TLS1.2) but I could not get it to authorize the cert from the cert authority. 我确实尝试了SecureBlackBox并取得了一些成功(当时是TLS1.2),但是我无法从证书颁发机构获得它来授权证书。 https://www.eldos.com/sbb/ https://www.eldos.com/sbb/
UPDATE 2: Learning a lot of how this works Thank you Mr Ullrich et. 更新2:了解很多工作原理谢谢Ullrich先生等。 al. 人。
UPDATE 3: At this point I am looking at using an Apache Proxy on the XP machine to do the TLS1.2 SHA256 CA verification communication (Non Windows Stack) and having my .net 4.0 communication to talk to this proxy locally (on machine), while any communication leaving the machine is properly secured. 更新3:此时,我正在考虑使用XP计算机上的Apache代理来执行TLS1.2 SHA256 CA验证通信(非Windows堆栈),并使.net 4.0通信与本地(在计算机上)与该代理通信,而离开本机的任何通信均得到正确保护。
1 个解决方案
解决方案1
0 2017-02-24 15:38:09
The certificate and the validation of the certificate has nothing to do with the TLS version. 证书和证书的验证与TLS版本无关。 You can use the same certificate with SSL 3.0 ... TLS 1.3. 您可以将同一证书用于SSL 3.0 ... TLS 1.3。 But just because your certificate can be used with all of these does not make your local TLS stack magically aware of how the TLS 1.2 protocol works. 但是,仅仅因为您的证书可以与所有这些证书一起使用,并不能使您的本地TLS堆栈神奇地了解TLS 1.2协议的工作方式。
If you want TLS 1.2 support on Windows XP look outside of the Windows TLS stack, ie look at OpenSSL, NSS and other libraries. 如果要Windows XP上的TLS 1.2支持,请查看Windows TLS堆栈之外的内容,即查看OpenSSL,NSS和其他库。 It looks like that there is a library offering support for recent OpenSSL in .NET, but I'm not sure if this will still work on XP. 看起来好像有一个库提供了对.NET中最新的OpenSSL的支持,但是我不确定这是否仍然可以在XP上运行。 See https://github.com/openssl-net/openssl-net . 参见https://github.com/openssl-net/openssl-net
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.