堆栈内存溢出
  简体   繁体   English

HttpWebRequest::GetResponse - 请求被中止:无法创建 SSL/TLS 安全通道

[英]HttpWebRequest::GetResponse - The request was aborted: Could not create SSL/TLS secure channel

 原文  2020-06-04 19:10:15       c#/ ssl/ webclient/ webrequest

问题描述

Please read the full text below.请阅读以下全文。 I tried all usual solutions to this problem.我尝试了所有通常的解决方案来解决这个问题。

So, my.Net 4.5 app running successfully has been fetching data from a url for a good amount of time.因此,成功运行的 my.Net 4.5 应用程序已经在很长一段时间内从 url 获取数据。 But it suddenly started failing with the above cited error:但它突然开始因上述错误而失败:

HttpWebRequest#687191::GetResponse - The request was aborted: Could not create SSL/TLS secure channel.. HttpWebRequest#687191::GetResponse - 请求被中止:无法创建 SSL/TLS 安全通道..

Here's the sample C# code with which I was able to reproduce the error:这是我能够重现错误的示例 C# 代码:

    ServicePointManager.Expect100Continue = true;
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11;
    ServicePointManager.DefaultConnectionLimit = 9999;

    ServicePointManager.ServerCertificateValidationCallback = delegate(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors)
    {
        return (true);
    };

    var authHeaderValue = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(string.Format("{0}:{1}", "username", "password")));

    var request = (HttpWebRequest) HttpWebRequest.Create("url-here");
    request.Method = "GET";
    request.Headers.Add("Authorization: Basic " + authHeaderValue);

    using (HttpWebResponse response = (HttpWebResponse) request.GetResponse())
    {
        Stream dataStream = response.GetResponseStream();
        StreamReader reader = new StreamReader(dataStream);
        var s = reader.ReadToEnd();
        reader.Close();
        dataStream.Close();

        Console.WriteLine(s);
    }

As you can see, all usual solutions of setting values on ServicePointManager / ignoring certificate errors have been tried above.如您所见,上面已经尝试了所有在 ServicePointManager 上设置值/忽略证书错误的常用解决方案。 I still get the error and the ServerCertificateValidationCallback is not even hit.我仍然收到错误,甚至没有命中 ServerCertificateValidationCallback。

I used Fiddler with HTTPS decryption on and Fiddler gave me this error instead:我将 Fiddler 与 HTTPS 解密一起使用,而 Fiddler 却给了我这个错误:

System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. System.Security.Authentication.AuthenticationException:对 SSPI 的调用失败,请参阅内部异常。 ----> System.ComponentModel.Win32Exception: The message received was unexpected or badly formatted ----> System.ComponentModel.Win32Exception:收到的消息是意外的或格式错误

I went to Tracing ( https://stackoverflow.com/a/12327881/12484 ) and here is the trace file output:我去了跟踪( https://stackoverflow.com/a/12327881/12484 ),这里是跟踪文件 output:

System.Net Information: 0 : [13160] Current OS installation type is 'Client'.
System.Net Verbose: 0 : [13160] WebRequest::Create(url-here)
System.Net Verbose: 0 : [13160] HttpWebRequest#687191::HttpWebRequest(url-here)
System.Net Information: 0 : [13160] RAS supported: True
System.Net Verbose: 0 : [13160] Exiting HttpWebRequest#687191::HttpWebRequest() 
System.Net Verbose: 0 : [13160] Exiting WebRequest::Create()    -> HttpWebRequest#687191
System.Net Verbose: 0 : [13160] HttpWebRequest#687191::GetResponse()
System.Net Verbose: 0 : [13160] ServicePoint#49385318::ServicePoint(domain-here:443)
System.Net Information: 0 : [13160] Associating HttpWebRequest#687191 with ServicePoint#49385318
System.Net Information: 0 : [13160] Associating Connection#7746814 with HttpWebRequest#687191
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Socket(AddressFamily#2)
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Socket() 
System.Net.Sockets Verbose: 0 : [13160] Socket#50934842::Socket(AddressFamily#23)
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#50934842::Socket() 
System.Net.Sockets Verbose: 0 : [13160] DNS::TryInternalResolve(domain-here)
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Connect(server-ip-here:443#1466373584)
System.Net.Sockets Information: 0 : [13160] Socket#13062350 - Created connection from client-ip-here:11043 to server-ip-here:443.
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Connect() 
System.Net.Sockets Verbose: 0 : [13160] Socket#50934842::Close()
System.Net.Sockets Verbose: 0 : [13160] Socket#50934842::Dispose()
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#50934842::Close() 
System.Net Information: 0 : [13160] Connection#7746814 - Created connection from client-ip-here:11043 to server-ip-here:443.
System.Net Information: 0 : [13160] TlsStream#10366524::.ctor(host=domain-here, #certs=0)
System.Net Information: 0 : [13160] Associating HttpWebRequest#687191 with ConnectStream#63840421
System.Net Information: 0 : [13160] HttpWebRequest#687191 - Request: GET relative-url-here HTTP/1.1

System.Net Information: 0 : [13160] ConnectStream#63840421 - Sending headers
{
Authorization: Basic credentials-here
Host: domain-here
Connection: Keep-Alive
}.
System.Net Information: 0 : [13160] SecureChannel#54246671::.ctor(hostname=domain-here, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [13160] Enumerating security packages:
System.Net Information: 0 : [13160]     Negotiate
System.Net Information: 0 : [13160]     NegoExtender
System.Net Information: 0 : [13160]     Kerberos
System.Net Information: 0 : [13160]     NTLM
System.Net Information: 0 : [13160]     Schannel
System.Net Information: 0 : [13160]     Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [13160]     WDigest
System.Net Information: 0 : [13160]     TSSSP
System.Net Information: 0 : [13160]     pku2u
System.Net Information: 0 : [13160]     CREDSSP
System.Net Information: 0 : [13160] SecureChannel#54246671 - Left with 0 client certificates to choose from.
System.Net Information: 0 : [13160] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [13160] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = domain-here, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [13160] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=184, returned code=ContinueNeeded).
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Send()
System.Net.Sockets Verbose: 0 : [13160] Data from Socket#13062350::Send
System.Net.Sockets Verbose: 0 : [13160] 00000000 : 16 03 03 00 B3 01 00 00-AF 03 03 5E D9 42 A7 54 : ...........^.B.T
System.Net.Sockets Verbose: 0 : [13160] 00000010 : CD 34 00 7C 31 C9 2F 75-E7 DE A6 9E E8 D7 B5 74 : .4.|1./u.......t
System.Net.Sockets Verbose: 0 : [13160] 00000020 : 3C CB 7E B3 84 D8 1A 22-69 79 B3 00 00 38 C0 28 : <.~...."iy...8.(
System.Net.Sockets Verbose: 0 : [13160] 00000030 : C0 27 C0 14 C0 13 00 9F-00 9E 00 39 00 33 00 9D : .'.........9.3..
System.Net.Sockets Verbose: 0 : [13160] 00000040 : 00 9C 00 3D 00 3C 00 35-00 2F C0 2C C0 2B C0 24 : ...=.<.5./.,.+.$
System.Net.Sockets Verbose: 0 : [13160] 00000050 : C0 23 C0 0A C0 09 00 6A-00 40 00 38 00 32 00 0A : .#.....j.@.8.2..
System.Net.Sockets Verbose: 0 : [13160] 00000060 : 00 13 00 05 00 04 01 00-00 4E 00 00 00 19 00 17 : .........N......
System.Net.Sockets Verbose: 0 : [13160] 00000070 : 00 00 14 61 6D 61 74 72-61 76 65 6C 2E 74 73 74 : ...domain-here
System.Net.Sockets Verbose: 0 : [13160] 00000080 : 6C 6C 63 2E 6E 65 74 00-0A 00 06 00 04 00 17 00 : domain-here.........
System.Net.Sockets Verbose: 0 : [13160] 00000090 : 18 00 0B 00 02 01 00 00-0D 00 14 00 12 06 01 06 : ................
System.Net.Sockets Verbose: 0 : [13160] 000000A0 : 03 04 01 05 01 02 01 04-03 05 03 02 03 02 02 00 : ................
System.Net.Sockets Verbose: 0 : [13160] 000000B0 : 17 00 00 FF 01 00 01 00-                        : ........
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Send()     -> Int32#184
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Receive()
System.Net.Sockets Verbose: 0 : [13160] Data from Socket#13062350::Receive
System.Net.Sockets Verbose: 0 : [13160] 00000000 : 15 03 03 00 02                                  : .....
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Receive()  -> Int32#5
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Receive()
System.Net.Sockets Verbose: 0 : [13160] Data from Socket#13062350::Receive
System.Net.Sockets Verbose: 0 : [13160] 00000005 : 02 28                                           : .(
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Receive()  -> Int32#2
System.Net Information: 0 : [13160] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 51ccc0:5827200, targetName = domain-here, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [13160] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Dispose()
System.Net Error: 0 : [13160] Exception in HttpWebRequest#687191:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [13160] Exception in HttpWebRequest#687191::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..

I replaced my server and client sensitive information in the trace above (anything ending with -here) but the other trace information is intact.我在上面的跟踪中替换了我的服务器和客户端敏感信息(以 -here 结尾的任何内容),但其他跟踪信息完好无损。

I still can't figure out what is wrong in the Trace and why this one url (with HTTPS) won't open with my.Net code.我仍然无法弄清楚跟踪中有什么问题以及为什么这个 url(使用 HTTPS)无法使用 my.Net 代码打开。

Can someone please help me troubleshooting this?有人可以帮我解决这个问题吗?

1 个解决方案

解决方案1
 1 已采纳  2020-06-04 19:36:19

The debug information contain the ClientHello send by the client in the TLS handshake.调试信息包含客户端在 TLS 握手中发送的 ClientHello。 Based on this the server is amatravel.tstllc.net which according to SSLLabs supports the following very few ciphers:基于此,服务器是amatravel.tstllc.net根据SSLLabs,它支持以下很少的密码:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)         ECDH x25519 (eq. 3072 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)         ECDH x25519 (eq. 3072 bits RSA)   FS 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   ECDH x25519 (eq. 3072 bits RSA)   FS 256

All these ciphers start with TLS_ECDHE_RSA_ , ie the RSA certificate with ECDHE key exchange.所有这些密码都以TLS_ECDHE_RSA_开头,即带有 ECDHE 密钥交换的 RSA 证书。 But decoding your ClientHello shows that the client only announces support for the following ciphers:但是解码您的 ClientHello 表明客户端仅宣布支持以下密码:

        Cipher Suites (28 suites)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
            Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
            Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
            Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
            Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
            Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
            Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

A quick view will see that none of the 4 ciphers starting with TLS_ECDHE_RSA_ matches a cipher supported by the server.快速查看将看到以TLS_ECDHE_RSA_开头的 4 个密码中没有一个与服务器支持的密码匹配。 Therefore the handshake will fail because of no shared ciphers.因此,由于没有共享密码,握手将失败。

But it suddenly started failing...但它突然开始失败......

Assuming that no changes were done to your application it is likely that changes were done to the server.假设没有对您的应用程序进行任何更改,很可能对服务器进行了更改。 The cipher set supported by the server is very small so maybe someone tried to harden the server while not being aware that some clients don't support any of these few ciphers.服务器支持的密码集非常小,因此可能有人试图强化服务器,而没有意识到某些客户端不支持这几个密码中的任何一个。

But the cipher set supported by your client is also strange.但是您的客户端支持的密码集也很奇怪。 While you support TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 you don't support TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 , ie same cipher but used with RSA certificates instead of ECC certificates.虽然您支持TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ,但您不支持TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ,即相同的密码,但与 RSA 证书而不是 ECC 证书一起使用。 And the latter cipher would have been actually supported by the server.后一种密码实际上会得到服务器的支持。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 该请求已中止:无法为HttpWebRequest创建SSL / TLS安全通道 - The request was aborted: Could not create SSL/TLS secure channel for HttpWebRequest HttpWebRequest:请求已中止:无法创建SSL / TLS安全通道 - HttpWebRequest: The request was aborted: Could not create SSL/TLS secure channel 请求被中止无法创建 SSL/TLS 安全通道 - HttpWebRequest - The request was aborted could not create SSL/TLS secure channel - HttpWebRequest System.Net.HttpWebRequest.GetResponse()中的错误“ResponceSystem.Net.WebException:请求已中止:无法创建SSL / TLS安全通道” - Error in System.Net.HttpWebRequest.GetResponse() “ResponceSystem.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel” 来自WCF服务的HttpWebRequest失败并--请求被中止:无法创建SSL / TLS安全通道 - HttpWebRequest from WCF Service fails with - The request was aborted: Could not create SSL/TLS secure channel 即使在指定ServicePointManager.SecurityProtocol之后,HttpWebRequest中的“请求已中止:无法创建SSL / TLS安全通道” - “The request was aborted: Could not create SSL/TLS secure channel” in HttpWebRequest, even after specifying ServicePointManager.SecurityProtocol HttpWebrequest 因 yande.re(以及 IE 和 curl)而失败[“请求已中止:无法创建 SSL/TLS 安全通道。”] - HttpWebrequest fails with yande.re (and IE and curl)["The request was aborted: Could not create SSL/TLS secure channel."] 该请求已中止:无法创建SSL / TLS安全通道。 用于HttpWebRequest和WebClient - The request was aborted: Could not create SSL/TLS secure channel. for HttpWebRequest and WebClient 服务器错误:请求已中止:无法创建SSL / TLS安全通道 - Server Error: The request was aborted: Could not create SSL/TLS secure channel RestSharp 请求中止 - 无法创建 SSL/TLS 安全通道 - RestSharp request aborted - could not create SSL/TLS secure channel
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM