![](/img/trans.png)
[英]C# Could not create ssl/tls secure channel on Windows 7/Windows Server, using TLS1.2
[英]C#: Forcing TLS1.2 but Https server still giving common algorithm error
我试图使用TcpClient,SslStream和自签名证书设置简单的HTTPS Web服务器。
代码开始正常,显示等待客户端,但是当我通过Web浏览器连接到它时,
“对SSPI的调用失败,客户端和服务器无法通信,因为它们不具有通用算法”
根据我的阅读,这通常意味着服务器正在尝试使用客户端不具备或不能使用的协议类型(即:过时),并且许多人表示要确保服务器和客户端都使用TLS 1.2。
-我确保包括"ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12"
以强制tls1.2,并且正在使用经过验证的Firefox(及其他)是最新的并且可以与tls12一起使用。
-我在.net 4.7上,所以我不认为这不是问题。
-我已将证书手动导入到firefox中。
-我尝试了允许所有协议,没有协议,以及“默认”
-我进入注册表并启用了所有TLS,并禁用了除tls1.2之外的所有TLS,两者的结果相同。
我肯定之前已经回答了这个问题,但是现在我一直在搜索SO和Google几天了,所以我放弃了,烤了!
静态X509Certificate serverCertificate = null;
public static int Main(string[] args)
{
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; //Force tls 1.2
MakeCert(); //Create self signed certificate and assign to serverCertificate
SslTcpServer.RunServer();
return 0;
}
static void MakeCert()
{
var ecdsa = ECDsa.Create(); // generate asymmetric key pair
var req = new CertificateRequest("cn=localhost", ecdsa, HashAlgorithmName.SHA256);
var cert = req.CreateSelfSigned(DateTimeOffset.Now, DateTimeOffset.Now.AddYears(5));
// Create PFX (PKCS #12) with private key
string pfxPath = Path.Combine(Environment.CurrentDirectory, "mycert.pfx");
File.WriteAllBytes(pfxPath, cert.Export(X509ContentType.Pfx, "Password"));
// Create Base 64 encoded CER (public key only)
string cerPath = Path.Combine(Environment.CurrentDirectory, "mycert.cer");
File.WriteAllText(cerPath,
"-----BEGIN CERTIFICATE-----\r\n"
+ Convert.ToBase64String(cert.Export(X509ContentType.Cert), Base64FormattingOptions.InsertLineBreaks)
+ "\r\n-----END CERTIFICATE-----");
string keyfilename = "mycert.pfx";
string certpath = Path.Combine(Environment.CurrentDirectory, keyfilename);
X509Certificate certificate = new X509Certificate2(certpath, "Password");
serverCertificate = certificate;
}
public static void RunServer()
{
TcpListener listener = new TcpListener(IPAddress.Any, 8080);
listener.Start();
while (true)
{
Console.WriteLine("Waiting for a client to connect...");
TcpClient client = listener.AcceptTcpClient();
ProcessClient(client);
}
}
static void ProcessClient(TcpClient client)
{
SslStream sslStream = new SslStream(client.GetStream(), false);
try
{
sslStream.AuthenticateAsServer(serverCertificate, clientCertificateRequired: false, enabledSslProtocols : SslProtocols.Tls12, checkCertificateRevocation: false);
Console.WriteLine("Authenticated");
}
catch (AuthenticationException e)
{
Console.WriteLine("Exception: {0}", e.Message);
if (e.InnerException != null)
{
Console.WriteLine("Inner exception: {0}", e.InnerException.Message);
}
Console.WriteLine("Authentication failed - closing the connection.");
sslStream.Close();
client.Close();
return;
}
finally
{
sslStream.Close();
client.Close();
}
}
代码永远不会到达“已认证”,总是会引发异常
“对SSPI的调用失败,请参阅内部异常”
有内部例外
“客户端和服务器无法通信,因为它们不具有通用算法”
此问题与SSL / TLS协议无关。 关于签名算法ECDsa。 这看起来好像nistP521
(由所使用的默认曲线ECDsa.Create
)不Firefox支持(我没有检查任何文件),因为它与nistP256或nistP384完美的作品
var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP384); // generate asymmetric key pair
var req = new CertificateRequest("cn=localhost",ecdsa, HashAlgorithmName.SHA256);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.