C＃：强制使用TLS1.2，但Https服务器仍给出常见算法错误

Question

Im trying to setup a simple HTTPS web server using TcpClient, SslStream, and a self signed certificate. 我试图使用TcpClient，SslStream和自签名证书设置简单的HTTPS Web服务器。

The code starts fine, displays waiting for client, but when I connect to it via a web browser I get 代码开始正常，显示等待客户端，但是当我通过Web浏览器连接到它时，

"A call to SSPI failed, The client and server cannot communicate, because they do not possess a common algorithm" “对SSPI的调用失败，客户端和服务器无法通信，因为它们不具有通用算法”

From what I have read, this typically means that the server is trying to use a protocol type that the client doesnt have or cannot use (IE: outdated), and many say to make sure that both the server and client are using TLS 1.2. 根据我的阅读，这通常意味着服务器正在尝试使用客户端不具备或不能使用的协议类型（即：过时），并且许多人表示要确保服务器和客户端都使用TLS 1.2。

-I have made sure to include "ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12" to force tls1.2, and am using Firefox(and others) which I have verified are up to date and work with tls12. -我确保包括"ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12"以强制tls1.2，并且正在使用经过验证的Firefox（及其他）是最新的并且可以与tls12一起使用。

-Im on .net 4.7, so that shouldnt be an issue I dont think. -我在.net 4.7上，所以我不认为这不是问题。

-I have manually imported the certificate into firefox. -我已将证书手动导入到firefox中。

-I have tried allowing all protocols, and no protocols, and "default" -我尝试了允许所有协议，没有协议，以及“默认”

-I have gone into the registry and enabled all TLS, and disabled all but tls1.2, both with same result. -我进入注册表并启用了所有TLS，并禁用了除tls1.2之外的所有TLS，两者的结果相同。

Im sure this has been answered before, but I have been scouring SO and google for a couple days now, so I give up, roast away! 我肯定之前已经回答了这个问题，但是现在我一直在搜索SO和Google几天了，所以我放弃了，烤了！

static X509Certificate serverCertificate = null; 静态X509Certificate serverCertificate = null;

public static int Main(string[] args)
{
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;  //Force tls 1.2
    MakeCert();                                                         //Create self signed certificate and assign to serverCertificate
    SslTcpServer.RunServer();
    return 0;
}

static void MakeCert()
{
    var ecdsa = ECDsa.Create(); // generate asymmetric key pair
    var req = new CertificateRequest("cn=localhost", ecdsa, HashAlgorithmName.SHA256);
    var cert = req.CreateSelfSigned(DateTimeOffset.Now, DateTimeOffset.Now.AddYears(5));

    // Create PFX (PKCS #12) with private key
    string pfxPath = Path.Combine(Environment.CurrentDirectory, "mycert.pfx");
    File.WriteAllBytes(pfxPath, cert.Export(X509ContentType.Pfx, "Password"));
    // Create Base 64 encoded CER (public key only)
    string cerPath = Path.Combine(Environment.CurrentDirectory, "mycert.cer");
    File.WriteAllText(cerPath,
        "-----BEGIN CERTIFICATE-----\r\n"
        + Convert.ToBase64String(cert.Export(X509ContentType.Cert), Base64FormattingOptions.InsertLineBreaks)
        + "\r\n-----END CERTIFICATE-----");

    string keyfilename = "mycert.pfx";
    string certpath = Path.Combine(Environment.CurrentDirectory, keyfilename);
    X509Certificate certificate = new X509Certificate2(certpath, "Password");
    serverCertificate = certificate;
}

public static void RunServer()
{
    TcpListener listener = new TcpListener(IPAddress.Any, 8080);
    listener.Start();
    while (true)
    {
        Console.WriteLine("Waiting for a client to connect...");
        TcpClient client = listener.AcceptTcpClient();
        ProcessClient(client);
    }
}

static void ProcessClient(TcpClient client)
{
    SslStream sslStream = new SslStream(client.GetStream(), false);
    try
    {
        sslStream.AuthenticateAsServer(serverCertificate, clientCertificateRequired: false, enabledSslProtocols : SslProtocols.Tls12, checkCertificateRevocation: false);
        Console.WriteLine("Authenticated");
    }
    catch (AuthenticationException e)
    {
        Console.WriteLine("Exception: {0}", e.Message);
        if (e.InnerException != null)
        {
            Console.WriteLine("Inner exception: {0}", e.InnerException.Message);
        }
        Console.WriteLine("Authentication failed - closing the connection.");
        sslStream.Close();
        client.Close();
        return;
    }
    finally
    {
        sslStream.Close();
        client.Close();
    }
}

Code never reaches "Authenticated", always throws exception 代码永远不会到达“已认证”，总是会引发异常

"A call to SSPI failed, see inner exception" “对SSPI的调用失败，请参阅内部异常”

with inner exception 有内部例外

"The client and server cannot communicate, because they do not possess a common algorithm" “客户端和服务器无法通信，因为它们不具有通用算法”

Answer 1

This issue is not about SSL/TLS protocols. 此问题与SSL / TLS协议无关。 It's about the signature algorithm ECDsa. 关于签名算法ECDsa。 It looks as if nistP521 (the default curve used by ECDsa.Create ) is not supported by Firefox (I didn't check any documentation) as it works perfectly with nistP256 or nistP384 这看起来好像nistP521 （由所使用的默认曲线ECDsa.Create ）不Firefox支持（我没有检查任何文件），因为它与nistP256或nistP384完美的作品

  var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP384); // generate asymmetric key pair
  var req = new CertificateRequest("cn=localhost",ecdsa, HashAlgorithmName.SHA256);

C＃：强制使用TLS1.2，但Https服务器仍给出常见算法错误

问题描述

1 个解决方案

解决方案1
0 已采纳 2019-01-21 15:02:30

C＃：强制使用TLS1.2，但Https服务器仍给出常见算法错误

问题描述

1 个解决方案

解决方案1 0 已采纳 2019-01-21 15:02:30

解决方案1
0 已采纳 2019-01-21 15:02:30