[英]How to ignore SSL validation in .net core 2.1
我正在嘗試調用部署在 Linux 服務器上的 Web 服務,該服務器具有來自在 .net core 中開發並部署在 IIS 服務器(Windows 服務器 2012)上的應用程序的自簽名證書。
但是當我嘗試調用端點時,會拋出下一個錯誤:
"Message": "無法建立 SSL 連接,請參閱內部異常。", "Description": "InnerError : System.Security.Authentication.AuthenticationException: 身份驗證失敗,請參閱內部異常。---> System.ComponentModel.Win32Exception : Mensaje recibido inesperado, o bien su formato es不正確\\r\\n --- 內部異常堆棧跟蹤結束---\\r\\n 在 System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo 異常)\\r\\n 在 System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)\\r\\n 在 System.Net.Security.SslState.StartSendBlob(Byte[] 傳入,Int32 計數,AsyncProtocolRequest asyncRequest)\\r \\n 在 System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)\\r\\n 在 System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) \\r\\n 在 Sy stem.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)\\r\\n--- 從上一個引發異常的位置的堆棧跟蹤結束---\\r\\n 在 System.Net.Security.SslState.ThrowIfExceptional() \\r\\n 在 System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)\\r\\n 在 System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)\\r\\n 在 System.Net.Security.SslStream.EndAuthenticateAsClient (IAsyncResult asyncResult)\\r\\n 在 System.Net.Security.SslStream.<>c.b__47_1(IAsyncResult iar)\\r\\n 在 System.Threading.Tasks.TaskFactory
1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization)\\r\\n--- 從上一個拋出異常的位置結束堆棧跟蹤---\\r\\n 在 System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken 取消令牌) | stackTrace : 在 System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancelationToken)\\r\\n 在 System.Threading.Tasks.ValueTask1.get_Result()\\r\\n at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)\\r\\n at System.Threading.Tasks.ValueTaskcancelationToken1.get_Result()\\r\\n at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)\\r\\n at System.Threading.Tasks.ValueTask1.get_Result()\\r\\n 在 System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask1 creationTask)\\r\\n at System.Threading.Tasks.ValueTask1.get_Result()\\r\\n 在 System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancelationToken)\\r\\n 在 System.Net.Http.RedirectHandler。 SendAsync(HttpRequestMessage request, CancellationToken cancelationToken)\\r\\n 在 System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)\\r\\n 在 ReservasProxy .Data.APIConnection.CallXMLFormDataApiPostAsyc(String body) in C:\\gitProjects\\ResevasProxy\\ReservasProxy\\ReservasProxy\\Data\\APIConnection.cs:line 181\\r\\n
我已經嘗試了下一個解決方案,但它們沒有用。
解決方案1:
using (var httpClientHandler = new HttpClientHandler())
{
httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; };
// Make your request...
//send request
using (var httpClient = new HttpClient(httpClientHandler))
{
var content = new StringContent(body, Encoding.UTF8, "application/soap+xml");
HttpResponseMessage response = await httpClient.PostAsync(_url, content);
//var res = await response.Content.ReadAsAsync<T>();
}
}
解決方案2:
//send request
using (var httpClient = new HttpClient())
{
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
var content = new StringContent(body, Encoding.UTF8, "application/soap+xml");
HttpResponseMessage response = await httpClient.PostAsync(_url, content);
}
解決方案 3:嘗試導入證書,然后撥打電話,但仍然無法正常工作。
const string certPath = @"C:\soaProdcer.cer";
var handler = new HttpClientHandler
{
ClientCertificateOptions = ClientCertificateOption.Manual,
SslProtocols = System.Security.Authentication.SslProtocols.Tls
};
handler.ClientCertificates.Add(new System.Security.Cryptography.X509Certificates.X509Certificate(certPath));
//send request
using (var httpClient = new HttpClient(handler))
{
var content = new StringContent(body, Encoding.UTF8, "application/soap+xml");
HttpResponseMessage response = await httpClient.PostAsync(_url, content);
}
我使用 OpenSSL 獲得了證書
>openssl s_client -showcerts -connect serversoa:443
No client certificate CA names sent
---
SSL handshake has read 774 bytes and written 493 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 4E0F69C75B8F041101562F7E9B3EA349
Session-ID-ctx:
Master-Key: 61A916A9B8AF26281B5F7A0138DF5E4C2A4B83995E0B3FDD2274BAD0D8E3C2B5E98AA7CCB48A6543F6814C2540B18848
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1558979896
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
我將證書導入到受信任的根證書頒發機構的 IIS 服務器中。
我不記得微軟的鏈接告訴你這個。 您的上述解決方案適用於較舊的 asp.net 核心版本。 這是我為我的項目實現的最新 ASP.NET Core 的解決方案。 我希望它能幫助你。
services.AddHttpClient<IYourService, YourService>()
.ConfigurePrimaryHttpMessageHandler(sp => new HttpClientHandler
{
AllowAutoRedirect = false,
ServerCertificateCustomValidationCallback = (message, certificate2, arg3, arg4) => true,
SslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12
});
另請閱讀 HttpClientFactory: https : //docs.microsoft.com/en-us/dotnet/standard/microservices-architecture/implement-resilient-applications/use-httpclientfactory-to-implement-resilient-http-requests
正如 Ilya 所說,這不是 CA 證書頒發機構的問題。 問題是客戶端試圖使用不同版本的 TLS (1.2) 解決方案是指定 TLS 版本。
using (var httpClientHandler = new HttpClientHandler())
{
httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; };
httpClientHandler.SslProtocols = System.Security.Authentication.SslProtocols.Tls;
//send request
using (var httpClient = new HttpClient(httpClientHandler))
{
var content = new StringContent(body, Encoding.UTF8, "application/soap+xml");
HttpResponseMessage response = await httpClient.PostAsync(_url, content);
}
}
我使用 Wireshark 來嗅探流量,看看發生了什么......
客戶端發送帶有版本的問候,不支持
服務器關閉連接
在我的電腦上完成測試並且測試成功后,我將應用程序部署到 IIS 服務器上。 當我開始在服務器上測試我的應用程序時,它開始拋出與以前相同的異常。
為什么?
結果證明服務器已停用密碼 (RC4),如下圖所示。
因此,如果您像我一樣使用 Windows,則只需檢查證書使用的密碼即可。 正如我之前提到的,Linux 服務器在證書中使用了 CR4 密碼
該錯誤並不表示證書 CA 機構有問題,而是來自服務器的響應,該響應不是預期的 TLS 建立。
由於作者已經弄清楚客戶端支持1.2和服務器1.0並且它引起了麻煩。
PS 如果這是您需要處理的瀏覽器支持選項,我建議僅使用 TLS 1.2。 (只有舊版本不支持 1.2。)
從這里使用下面的示例
var httpClientHandler = new HttpClientHandler();
// Return `true` to allow certificates that are untrusted/invalid
httpClientHandler.ServerCertificateCustomValidationCallback =
HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
var httpClient = new HttpClient(httpClientHandler);
如何在CentOS上的.Net-Core 2中忽略SSL證書驗證
[英]How to ignore SSL certificate validation in .Net-Core 2 on CentOS
如何在 .Net Core 2.1 中為 Staging/Production 配置 ssl
[英]How to configure ssl for Staging/Production in .Net Core 2.1
如何在 .net 核心 2.1 中的自定義驗證屬性中獲取參數值
[英]How to get argument value in custom validation attribute in .net core 2.1
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.