stackoom
  简体   繁体   中英

Disable TLS Handshake Client Certificate Request in Service Fabric Application

 原文  2019-05-21 00:44:19       c#/ .net/ ssl/ azure-service-fabric

Question

I'm creating a web service in Azure Service Fabric and running on Docker containers on .net Core 2.0. The service is meant to be called by clients that aren't able to provide a client certificate for a mutual TLS authentication handshake, however, my service is prompting for this certificate, which is causing the clients to reset the connection and not get the response from the service.

In my setup code, I'm running this netsh command to bind the SSL cert to port 443:

netsh.exe http add sslcert ipport=0.0.0.0:443 certhash=E362F4AB1FC4227F3010952876B505D510B0F6AA appid={8e6ea06d-b92f-4d99-911a-3c68de243eb4} verifyclientcertrevocation=enable clientcertnegotiation=disable'

That completes successfully and the binding is established, but when clients call the service (or when I try to call from a browser or Fiddler/Postman) I get a request for the client certificate still. From looking at documentation, the "clientcertnegotiation" parameter is the relevant piece here, and as I understand it should be disabled to remove the client certificate prompt.

Clients are able to successfully call the service without a connection reset when they call with a redirect through Fiddler.

I'm not sure if there's something incorrectly configured on the SF cluster side, so I looked into the configuration there as well. I found a security property called "ProtectionLevel" that was set to "EncryptAndSign". Searching for some information on this, I found this page on Microsoft's docs: Understanding Protection Level .

I'm not sure I'm parsing the information on that page correctly, but I thought it might be related, so I did a test in a development environment to see whether I would get the prompt if I set "ProtectionLevel" to "None", but I was still prompted for the certificate.

I also am using CORS, though I doubt that has anything to do with the mutual TLS configuration, and I got the same behavior whether CORS was enabled or not.

Are there any other Service Fabric or application-level settings that would be overriding my SSL binding configuration? Is Service Fabric routing through another service that would be requesting the client certificate?

1 answers

solution1
 0  2019-05-21 00:53:21

我建议“verifyclientcertrevocation= enable ”可能导致它要求证书,而不管“clientcertnegotiation= disable

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question TLS handshake error from … tls: client didn't provide a certificate Calling WCF over HTTPS in Service Fabric : The request was aborted: Could not create SSL/TLS secure channel c# TLS client without client certificate PFX Certificate Imported for TLS/SSL Encryption of MQTTnet Client Messages Works with Service but Fails with Xamarin UWP App Web service call using client certificate in SSIS script task resulting in SSL/TLS issue Service Fabric Application deployment Application Insights in Service Fabric? WinRT UWP Attach client Certificate to a Web Service request .NET Core: How to disable TLS/SSL for gRpc communication between service and client? Does FtpWebRequest TLS connection need a client certificate?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM