![](/img/trans.png)
[英]C# Could not create ssl/tls secure channel on Windows 7/Windows Server, using TLS1.2
[英]C#: Forcing TLS1.2 but Https server still giving common algorithm error
我試圖使用TcpClient,SslStream和自簽名證書設置簡單的HTTPS Web服務器。
代碼開始正常,顯示等待客戶端,但是當我通過Web瀏覽器連接到它時,
“對SSPI的調用失敗,客戶端和服務器無法通信,因為它們不具有通用算法”
根據我的閱讀,這通常意味着服務器正在嘗試使用客戶端不具備或不能使用的協議類型(即:過時),並且許多人表示要確保服務器和客戶端都使用TLS 1.2。
-我確保包括"ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12"
以強制tls1.2,並且正在使用經過驗證的Firefox(及其他)是最新的並且可以與tls12一起使用。
-我在.net 4.7上,所以我不認為這不是問題。
-我已將證書手動導入到firefox中。
-我嘗試了允許所有協議,沒有協議,以及“默認”
-我進入注冊表並啟用了所有TLS,並禁用了除tls1.2之外的所有TLS,兩者的結果相同。
我肯定之前已經回答了這個問題,但是現在我一直在搜索SO和Google幾天了,所以我放棄了,烤了!
靜態X509Certificate serverCertificate = null;
public static int Main(string[] args)
{
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; //Force tls 1.2
MakeCert(); //Create self signed certificate and assign to serverCertificate
SslTcpServer.RunServer();
return 0;
}
static void MakeCert()
{
var ecdsa = ECDsa.Create(); // generate asymmetric key pair
var req = new CertificateRequest("cn=localhost", ecdsa, HashAlgorithmName.SHA256);
var cert = req.CreateSelfSigned(DateTimeOffset.Now, DateTimeOffset.Now.AddYears(5));
// Create PFX (PKCS #12) with private key
string pfxPath = Path.Combine(Environment.CurrentDirectory, "mycert.pfx");
File.WriteAllBytes(pfxPath, cert.Export(X509ContentType.Pfx, "Password"));
// Create Base 64 encoded CER (public key only)
string cerPath = Path.Combine(Environment.CurrentDirectory, "mycert.cer");
File.WriteAllText(cerPath,
"-----BEGIN CERTIFICATE-----\r\n"
+ Convert.ToBase64String(cert.Export(X509ContentType.Cert), Base64FormattingOptions.InsertLineBreaks)
+ "\r\n-----END CERTIFICATE-----");
string keyfilename = "mycert.pfx";
string certpath = Path.Combine(Environment.CurrentDirectory, keyfilename);
X509Certificate certificate = new X509Certificate2(certpath, "Password");
serverCertificate = certificate;
}
public static void RunServer()
{
TcpListener listener = new TcpListener(IPAddress.Any, 8080);
listener.Start();
while (true)
{
Console.WriteLine("Waiting for a client to connect...");
TcpClient client = listener.AcceptTcpClient();
ProcessClient(client);
}
}
static void ProcessClient(TcpClient client)
{
SslStream sslStream = new SslStream(client.GetStream(), false);
try
{
sslStream.AuthenticateAsServer(serverCertificate, clientCertificateRequired: false, enabledSslProtocols : SslProtocols.Tls12, checkCertificateRevocation: false);
Console.WriteLine("Authenticated");
}
catch (AuthenticationException e)
{
Console.WriteLine("Exception: {0}", e.Message);
if (e.InnerException != null)
{
Console.WriteLine("Inner exception: {0}", e.InnerException.Message);
}
Console.WriteLine("Authentication failed - closing the connection.");
sslStream.Close();
client.Close();
return;
}
finally
{
sslStream.Close();
client.Close();
}
}
代碼永遠不會到達“已認證”,總是會引發異常
“對SSPI的調用失敗,請參閱內部異常”
有內部例外
“客戶端和服務器無法通信,因為它們不具有通用算法”
此問題與SSL / TLS協議無關。 關於簽名算法ECDsa。 這看起來好像nistP521
(由所使用的默認曲線ECDsa.Create
)不Firefox支持(我沒有檢查任何文件),因為它與nistP256或nistP384完美的作品
var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP384); // generate asymmetric key pair
var req = new CertificateRequest("cn=localhost",ecdsa, HashAlgorithmName.SHA256);
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.