使用X.509对Web服务进行身份验证时出现“无法创建SSL / TLS安全通道”错误
[英]“Could not create SSL/TLS secure channel” error when authenticating to a web service using X.509
问题描述
I've seen several threads with the same error and tried various potential solutions, but so far no luck. 
我见过多个线程具有相同的错误,并尝试了各种可能的解决方案,但到目前为止还没有运气。 I am working with a client's REST endpoint, which requires a client certificate to authenticate. 我正在使用客户端的REST端点,该端点需要客户端证书进行身份验证。 I have the certificate and have installed it for the current user and the local machine by double-clicking the .pfx and completing the wizard. 我拥有证书,并通过双击.pfx并完成向导为当前用户和本地计算机安装了该证书。 I also ran the following using winhttpcertcfg so that the app pool identity account ( Network Service ) can use the certificate: 我还使用winhttpcertcfg运行了以下winhttpcertcfg以便应用程序池标识帐户( Network Service )可以使用证书:
winhttpcertcfg -i "<path to .pfx> -c LOCAL_MACHINE\My -a "Network Service" -p "<password for .pfx>
I've added the certificates snap-in to MMC and added my certificate, so when I hit the API endpoint URL in Chrome, the certificate shows up and I click it, and I see the XML returned. 我已将证书管理单元添加到MMC并添加了我的证书,因此当我在Chrome中点击API端点URL时,将显示证书并单击它,然后看到返回的XML。
Unfortunately, the code I am using is encountering an error when trying to get a response. 不幸的是,我正在使用的代码在尝试获取响应时遇到错误。 My code (which is within an MVC action): 我的代码(在MVC动作中):
var url = "https://obfuscated.api.endpoint.host/api/Profile";
var certPath = @"C:\Users\paldrich\AdvisorDirectoryClient.pfx";
var xmlResult = string.Empty;
try
{
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11
| SecurityProtocolType.Tls12;
HttpWebRequest request = WebRequest.Create(url) as HttpWebRequest;
request.ContentType = "application/xml;charset=UTF8";
X509Certificate cert = new X509Certificate(certPath, "obfuscated-password");
request.ClientCertificates.Add(cert);
request.PreAuthenticate = true;
var response = request.GetResponse();
var responseStream = response.GetResponseStream();
xmlResult = new StreamReader(responseStream).ReadToEnd();
}
catch (Exception ex)
{
Log.Error("Bio App web service call failed.", ex, "AdvisorController");
xmlResult = ex.Message;
}
return Json(xmlResult, JsonRequestBehavior.AllowGet);
When it tries to get the response ( response.GetResponse() ), I see the following error: The request was aborted: Could not create SSL/TLS secure channel. 当它尝试获取响应( response.GetResponse() )时,我看到以下错误: The request was aborted: Could not create SSL/TLS secure channel.
Things I've Tried: 我尝试过的事情:
- Granting full access for
Network Serviceto my certificate underC:\\Users\\paldrich.C:\\Users\\paldrichNetwork Service完全访问权限授予C:\\Users\\paldrich下的我的证书。 - Making the
ServicePointManager.SecurityProtocoljustSecurityProtocolType.Tls12and also justSecurityProtocolType.Ssl3.使ServicePointManager.SecurityProtocol只是SecurityProtocolType.Tls12,也就是SecurityProtocolType.Ssl3。 - Checking "Mark this key as exportable" in the certificate import wizard for both Current User and Local Machine. 在当前用户和本地计算机的证书导入向导中,选中“将此密钥标记为可导出”。
- Verified that I have
Use Tls 1.0,Use Tls 1.1andUse Tls 1.2all checked in Internet Properties.验证“ Internet属性”中是否已全部选中“ Use Tls 1.0,“Use Tls 1.1和“Use Tls 1.2。
1 个解决方案
解决方案1
1 已采纳 2018-02-22 20:41:48
I realized what my problem was after submitting this. 提交此文件后,我意识到我的问题所在。 I needed to use X509Certificate2 instead of X509Certificate (I figured this out by just trying 2), although I don't understand why, outside of the fact that X509Certificate2 is newer. 我需要使用X509Certificate2而不是X509Certificate (我只是尝试2来解决这个问题),尽管我不明白为什么,但实际上X509Certificate2是更新的。 Regardless, the XML is coming up; 无论如何,XML即将问世。 it is showing up as a Unicode converted string, but overall the goal has been accomplished. 它显示为Unicode转换的字符串,但总体目标已经实现。
So, instead of: 因此,代替:
X509Certificate cert = new X509Certificate(certPath, "obfuscated-password");
I had to use: 我不得不使用:
X509Certificate2 cert = new X509Certificate2(certPath, "obfuscated-password");
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.