I am setting up a connection between our IIS server and a client's server running Apache. I have configured 2-way TLS (HTTPS required). When they try to connect to us they get the following, while in our IIS logs we only see an error 500.
E2E connection XX.XXX.XXX.XXX:XXXXX<->XX.XXX.XXX.XXX:XXXXX3 <==> XX.XXX.XXX.XXX:XXXXX<->XX.XXX.XXX.XXX:XXXXX established.
Using Cipher: ECDHE-RSA-AES256-SHA384 TLSv1.2 256
Connection error: ssl_hs_rxhelloreq:6290: renegotiation disallowed (40)
Client connection XX.XXX.XXX.XXX:XXXXX<->XX.XXX.XXX.XXX:XXX closed.
<SERVER_CLOSED>: 10.115.142.228:443 closed the connection
I am not very familiar with TLS/SSL troubleshooting yet, but from what I have read, "renegotiation disallowed (40)" seems to be the sticking point. Does this refer to (cipher) secure renegotiation? Is that something the client should be able to allow?
Connecting to our server with OpenSSL, everything seems fine. Is it normal to renegotiate ciphers every time? Why do I see some lines twice even though the connection succeeds?
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
GET / HTTP/1.0
SSL_connect:SSL renegotiate ciphers
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 106
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
TechnicalId:
EventName:
Answer 1
Ironically, the problem was solved by enabling clientcertnegotiation on the IIS site. By default, IIS only requests the client certificate after the request command (e.g. GET / HTTP/1.0) has been issued. Enabling this option forces the client to authenticate on the first request. That is usually not a problem, but it was necessary because our client has a strict security policy.
Get the certificate hash and application ID from the current SSL binding
Delete the existing SSL binding
Add the SSL binding again with the new option.
netsh http show sslcert ipport=<ip>:<port>
netsh http delete sslcert ipport=<ip>:<port>
netsh http add sslcert ipport=<ip>:<port> certhash=$certHash appid=$appId clientcertnegotiation=enable
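The three netsh steps above as one PowerShell script, added here as an example and not taken from the original answer: it reads the certificate hash and application ID of the existing binding from the netsh output (English-locale field names are assumed), replaces the binding with clientcertnegotiation=enable, and verifies the result. The ipport value is a placeholder, and any non-default binding options (e.g. certstorename) are not carried over.

```powershell
# Added example: rebind an IIS HTTPS endpoint with clientcertnegotiation=enable,
# reusing the certificate hash and application ID of the existing binding.
# Run from an elevated prompt. The default ipport is a placeholder.
param(
    [string]$IpPort = '0.0.0.0:443'   # placeholder: replace with the real <ip>:<port>
)

function Get-SslBinding {
    param([string]$IpPort)
    # Field names below are those of the English-locale netsh output (assumption).
    $text = (netsh http show sslcert ipport=$IpPort) -join "`n"
    if ($LASTEXITCODE -ne 0 -or $text -notmatch 'Certificate Hash\s*:\s*([0-9a-fA-F]{40,})') {
        throw "No SSL binding found for $IpPort"
    }
    $hash = $Matches[1]
    if ($text -notmatch 'Application ID\s*:\s*(\{[0-9a-fA-F-]{36}\})') {
        throw "Could not read the Application ID for $IpPort"
    }
    $appId = $Matches[1]
    $negotiate = if ($text -match 'Negotiate Client Certificate\s*:\s*(\w+)') { $Matches[1] } else { 'Unknown' }
    [pscustomobject]@{ IpPort = $IpPort; CertHash = $hash; AppId = $appId; NegotiateClientCert = $negotiate }
}

$binding = Get-SslBinding -IpPort $IpPort
Write-Host ("Current binding:`n" + ($binding | Out-String))

if ($binding.NegotiateClientCert -eq 'Enabled') {
    Write-Host 'Client certificate negotiation is already enabled; nothing to do.'
    return
}

# netsh has no "modify" verb for sslcert, so the binding has to be deleted and re-added.
# Other options of the old binding (certstorename, sslctlstorename, ...) are not preserved here.
$ip   = $binding.IpPort
$hash = $binding.CertHash
$app  = $binding.AppId

netsh http delete sslcert ipport=$ip | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'delete sslcert failed; binding left unchanged' }

netsh http add sslcert ipport=$ip certhash=$hash appid=$app clientcertnegotiation=enable | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'add sslcert failed: the old binding was removed, re-add it manually' }

# Confirm that the re-created binding reports the option before declaring success.
$after = Get-SslBinding -IpPort $IpPort
if ($after.NegotiateClientCert -ne 'Enabled') { throw 'Binding re-added but Negotiate Client Certificate is not Enabled' }
Write-Host "Binding $IpPort now requests the client certificate during the initial handshake."
```

After the change, the OpenSSL trace in the question should show the server certificate request in the first handshake instead of a second "SSL renegotiate ciphers" round after the GET.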