httpClient.GetAsync抛出异常; 怀疑证书配置

Question

TL; DR版（有点）

我有两个尝试通信的服务器（ X和Y ），但是没有通过TLS1.2（TLS1.1和TLS1.0都正常运行）。

我有一台服务器X无法从localhost获得响应。

抛出异常的调用是这行代码

HttpResponseMessage response = await httpClient.GetAsync(address, cancel);

地址为https://localhost/XXXXX/Identity/.well-known/jwks ，取消为IsCancellationRequested = false

我注意到为https://localhost/XXXXX/Identity/.well-known/jwks提供的服务器证书是有效的，用RSA256签名，不在撤销列表等等，一切看起来不错， 但是subject是* .testing.corp ，它与我尝试导航到的URL不匹配。 当从服务器X上的Chrome导航到https://localhost/XXXXX/Identity/.well-known/jwks时，这会导致出现证书警告，但在手动点击后我会得到我期望的结果。

所以我的想法是，如果我可以覆盖HttpClient.GetAsync的证书验证，我应该能够做到这一点，所以我在我的客户端添加以下代码：

var handler = new WebRequestHandler();
httpClient = new HttpClient(handler);
handler.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(dumbvalidationdeletemeishouldnotbeversioned);

public static bool dumbvalidationdeletemeishouldnotbeversioned(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors err)
{
    return true;
}

有趣的是，这一点永远不会发生，当我GetAsync代码GetAsync ，一个步骤抛出异常而不会遇到虚拟验证。

到底是怎么回事？ 为什么这种方法会失败？

---

更多背景：

编辑：相关， X正在利用Identity Server尝试进行身份验证。 尝试访问https://localhost/XXXXX/Identity/.well-known/jwks时出现故障https://localhost/XXXXX/Identity/.well-known/jwks

我正在使用IISCrypto配置这些计算机上的协议。 （在评论中考虑@ Oleg的建议并没有改变这种行为）。 我通过单击“最佳实践”按钮然后取消选中TLS1.0和TLS1.1来配置它们，以便两个服务器看起来像这样：

编辑：添加一些堆栈跟踪信息

在我添加虚拟处理程序之前，这是抛出异常的堆栈跟踪：

System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult)
   --- End of inner exception stack trace ---
   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at XXXXXXXX.Authentication.Extensions.XXXXXXOpenIDConnectAuthentication.<ReadJWTKeys>d__8.MoveNext() 
   --- End of stack trace from previous location where exception was thrown ---         
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)         
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)         
   at XXXXXXX.Authentication.Extensions.XXXXXXOpenIDConnectAuthentication.<MessageRecieved>d__6.MoveNext()  
   --- End of stack trace from previous location where exception was thrown ---    
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)     
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)     
   at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.<AuthenticateCoreAsync>d__1a.MoveNext()

添加虚拟处理程序后， 异常完全为空 < - 请参阅注释。 异常是完全相同的，但是当我调试进程时，我的虚拟处理程序中的return语句永远不会被命中，因此我的问题的关键点变为“还有什么可以检查？”

Answer 1

应该补充一点

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

（来自System.Net命名空间）调用之前

await httpClient.GetAsync(address, cancel);

强制使用正确的协议。 请参阅博客，其中包含HttpClient和ServicePointManager.SecurityProtocol详细实验。