Security Error, post with Client Certificate (Self-signed Root) on Azure (Asp.net core)

I have uploaded a client certificate to Azure and am trying to make a POST to an API method with this certificate. My code works when I am debugging on my local computer, but it fails when I run it on Azure as an App Service.

    System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.WinHttpException: A security error occurred
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
       at System.Net.Http.WinHttpHandler.<StartRequest>d__105.MoveNext()
       --- End of inner exception stack trace ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
       at System.Net.Http.HttpClient.d__58.MoveNext()
       --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
       at Bandytabeller.Controllers.swishController.d__3.MoveNext() in D:\\ASP-hemsidor\\NetCoreApplications\\Bandytabeller\\Bandytabeller\\Api\\swishController.cs:line 102

        [HttpGet("{id}")]
        public async Task<IActionResult> pay(string id = "", string amount = "")
        {
            // Get the user agent
            string userAgent = Request.Headers["User-Agent"].ToString();

            // Create the payment request
            SwishPaymentRequest post = new SwishPaymentRequest();
            post.payeePaymentReference = id.ToString();
            post.callbackUrl = "https://www.quiz-walk.se/";
            post.payeeAlias = "1231181189";
            post.amount = amount;
            post.currency = "SEK";
            post.message = "Faktura " + id.ToString();

            // Create the http content
            HttpContent data = new StringContent(JsonConvert.SerializeObject(post), Encoding.UTF8, "application/json");

            // Create variables
            X509Store certStore = null;
            HttpClientHandler handler = null;
            HttpClient client = null;
            string token = "";

            try
            {
                // Create a request handler
                handler = new HttpClientHandler();
                handler.ClientCertificateOptions = ClientCertificateOption.Manual;
                handler.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
                handler.AutomaticDecompression = DecompressionMethods.Deflate | DecompressionMethods.GZip;

                // Open certificate from certificate store
                certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
                certStore.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly);
                X509Certificate2Collection certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, "800CDE7BC219D53812FC164DFF0FE73DF8A8D7B6", false);

                if (certCollection.Count > 0)
                {
                    handler.ClientCertificates.Add(certCollection[0]);
                }

                // Disable ssl validation
                handler.ServerCertificateCustomValidationCallback += (message, xcert, chain, errors) => true;

                //handler.ClientCertificates.Add(cert);

                // Create the http client
                client = new HttpClient(handler, false);

                // Post the payment request
                //Task task = Task.Run(() => client.PostAsync("https://mss.swicpc.bankgirot.se/swish-cpcapi/api/v1/paymentrequests/", data));

                HttpResponseMessage task = await client.PostAsync("https://mss.swicpc.bankgirot.se/swish-cpcapi/api/v1/paymentrequests/", data);
                // Wait for the task to finish
                //task.Wait();

                // Make sure that the response is successful
                if (task.StatusCode == System.Net.HttpStatusCode.Created)
                {
                    // Get all header values
                    IEnumerable<string> headers = task.Headers.GetValues("PaymentRequestToken");

                    // Get the token
                    foreach (string value in headers)
                    {
                        token += value;
                    }
                }
            }
            catch (Exception ex)
            {
                token += ex.ToString();
                logger.LogWarning(ex.ToString());
            }
            finally
            {
                // Dispose of the handler and the client
                if(certStore != null)
                {
                    certStore.Dispose();
                }
                if (handler != null)
                {
                    handler.Dispose();
                }
                if (client != null)
                {
                    client.Dispose();
                }
            }

            // Create the url
            string url = "http://www.bokforingstips.se";
            if (userAgent.Contains("Windows Phone") == true)
            {
                url = "swish://paymentrequest?token=" + token;
            }
            else if (userAgent.Contains("iPhone") == true || userAgent.Contains("iPad") == true)
            {
                url = "swish://paymentrequest?token=" + token;
            }
            else if (userAgent.Contains("Android") == true)
            {
                url = "intent://paymentrequest?token=" + token + "/#Intent;scheme=swish;package=se.bankgirot.swish;end;";
            }
            else
            {
                return Content(handler.ClientCertificates[0].Issuer + " " + token);
            }

            // Redirect the user to url
            return Redirect(url);

        } // End of the pay method

I am testing the Swish API and I use ServerCertificateCustomValidationCallback to do my own validation. It works on my local computer but not on Azure. The certificate is loaded; the error occurs on the PostAsync call.

Asp.Net Core 1.1.1

Tested with .Net Framework 4.6.2 on Azure. It does not work; I have enabled system.net tracing.

`System.Net Information: 0 : [12712] SecureChannel#3644764 - Certificate is of type X509Certificate2 and contains the private key.
    System.Net Information: 0 : [12712] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
    System.Net Information: 0 : [12712] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 6801dc65d0:db724b14d0, targetName = mss.swicpc.bankgirot.se, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
    System.Net Information: 0 : [12712] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=1638, returned code=ContinueNeeded).
    System.Net.Sockets Verbose: 0 : [12712] Socket#66404974::BeginSend()
    System.Net.Sockets Verbose: 0 : [23872] Data from Socket#66404974::PostCompletion
    System.Net.Sockets Verbose: 0 : [23872] (printing 1024 out of 1638)
    System.Net.Sockets Verbose: 0 : [12712] Exiting Socket#66404974::BeginSend()    -> OverlappedAsyncResult#29753716
    System.Net.Sockets Verbose: 0 : [23872] Socket#66404974::BeginReceive()
    System.Net.Sockets Verbose: 0 : [12712] Data from Socket#66404974::PostCompletion
    System.Net.Sockets Verbose: 0 : [12712] 00000000 : 15 03 03 00 02                                  : .....
    System.Net.Sockets Verbose: 0 : [12712] Socket#66404974::EndReceive(OverlappedAsyncResult#64760428)
    System.Net.Sockets Verbose: 0 : [12712] Exiting Socket#66404974::EndReceive()   -> Int32#5
    System.Net.Sockets Verbose: 0 : [23872] Exiting Socket#66404974::BeginReceive()     -> OverlappedAsyncResult#64760428
    System.Net.Sockets Verbose: 0 : [23872] Socket#66404974::BeginReceive()
    System.Net.Sockets Verbose: 0 : [12712] Data from Socket#66404974::PostCompletion
    System.Net.Sockets Verbose: 0 : [12712] 00000000 : 02 28                                           : .(
    System.Net.Sockets Verbose: 0 : [12712] Socket#66404974::EndReceive(OverlappedAsyncResult#27335310)
    System.Net.Sockets Verbose: 0 : [12712] Exiting Socket#66404974::EndReceive()   -> Int32#2
    System.Net.Sockets Verbose: 0 : [23872] Exiting Socket#66404974::BeginReceive()     -> OverlappedAsyncResult#27335310
    System.Net Information: 0 : [23872] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 6801dc65d0:db724b14d0, targetName = mss.swicpc.bankgirot.se, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
    System.Net Information: 0 : [23872] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
    System.Net.Sockets Verbose: 0 : [23872] Socket#66404974::Dispose()
    System.Net Error: 0 : [23872] Exception in HttpWebRequest#15120020:: - The request was aborted: Could not create SSL/TLS secure channel..
    System.Net Verbose: 0 : [23872] HttpWebRequest#15120020::EndGetRequestStream()
    System.Net Error: 0 : [23872] Exception in HttpWebRequest#15120020::EndGetRequestStream - The request was aborted: Could not create SSL/TLS secure channel..`

The ServerCertificateCustomValidationCallback is never called and I guess that Azure doesn't allow this callback. The root certificate must be trusted.
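
Decoding the server's reply in the trace above, as an added example that is not part of the original post: the two received buffers (`15 03 03 00 02`, then `02 28`) together form one TLS record, which this Python code reassembles from the System.Net.Sockets dump lines and decodes with the RFC 5246 record and alert codes. The function and constant names are my own, and only the received-side dump lines are fed in.

```python
import re

# Hex-dump lines as written by System.Net.Sockets tracing:
#   "... [tid] 00000000 : 15 03 03 00 02      : ....."
DUMP_LINE = re.compile(r"\[\d+\]\s+[0-9A-Fa-f]{8} : ((?:[0-9A-Fa-f]{2}[ -]?)+)\s*:")

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the RFC 5246 section 7.2 alert descriptions seen around handshakes.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
}

# Received-side lines copied from the trace on this page: header read, then body read.
RECEIVED = [
    "System.Net.Sockets Verbose: 0 : [12712] 00000000 : 15 03 03 00 02                                  : .....",
    "System.Net.Sockets Verbose: 0 : [12712] Exiting Socket#66404974::EndReceive()   -> Int32#5",
    "System.Net.Sockets Verbose: 0 : [12712] 00000000 : 02 28                                           : .(",
]

def bytes_from_trace(lines):
    """Concatenate the hex columns of all dump lines; other trace lines are skipped."""
    out = bytearray()
    for line in lines:
        m = DUMP_LINE.search(line)
        if m:
            out += bytes.fromhex(m.group(1).replace("-", " "))
    return bytes(out)

def parse_records(data):
    """Split a byte stream into TLS records; decode plaintext alerts."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major, minor = data[pos], data[pos + 1], data[pos + 2]
        length = int.from_bytes(data[pos + 3:pos + 5], "big")
        body = data[pos + 5:pos + 5 + length]
        if len(body) < length:
            break  # truncated: the trace prints at most 1024 bytes of a buffer
        rec = {"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
               "version": VERSIONS.get((major, minor), f"{major}.{minor}"),
               "length": length}
        # A 2-byte alert body is plaintext; after ChangeCipherSpec it is encrypted and longer.
        if ctype == 21 and length == 2:
            rec["level"] = ALERT_LEVELS.get(body[0], f"unknown({body[0]})")
            rec["description"] = ALERT_DESCRIPTIONS.get(body[1], f"unknown({body[1]})")
        records.append(rec)
        pos += 5 + length
    return records

def decode_trace(lines):
    return parse_records(bytes_from_trace(lines))
```

The record decodes to a TLS 1.2 alert with level `fatal` and description `handshake_failure`, received from the remote endpoint just before `InitializeSecurityContext` returns `IllegalMessage` in the trace.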
