设置

设置

我无法使用System.Net.WebRequestTLS 1.2 进行请求。如果我这样做,我会收到异常The request was aborted: Could not create SSL/TLS secure channel.和协议错误Handshake Failure

通过 TLS 1.2 进行连接和身份验证可与 Internet Explorer 和 Chrome 配合使用。OpenSSL 可以通过 TLS 1.2 连接到此端点。

设置

  1. 使用 ClientCertificates 进行身份验证
  2. 使用非默认端口
  3. 使用 TLS 1.2
  4. Endpoint 是一个 haproxy,但是这是一个黑盒
  5. .NET 4.7 和 C#

代码片段

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
var req = WebRequest.Create($"https://{host}:{port}");
((HttpWebRequest)req).ClientCertificates = new X509Certificate2Collection(GetCertificate());
var requestStream = req.GetRequestStream();

Wireshark

按照发生顺序从 wireshark 输出的文本。

客户端问候

Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 207
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 203
            Version: TLS 1.2 (0x0303)
            Random: 5a292ab72d2173fc286aebe2c4cc991ee619e1cc81b5bb39...
            Session ID Length: 0
            Cipher Suites Length: 60
            Cipher Suites (30 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 102
            Extension: server_name (len=43)
                Type: server_name (0)
                Length: 43
                Server Name Indication extension
                    Server Name list length: 41
                    Server Name Type: host_name (0)
                    Server Name length: 38
                    Server Name: [REMOVED]
            Extension: supported_groups (len=8)
                Type: supported_groups (10)
                Length: 8
                Supported Groups List Length: 6
                Supported Groups (3 groups)
            Extension: ec_point_formats (len=2)
                Type: ec_point_formats (11)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
            Extension: signature_algorithms (len=20)
                Type: signature_algorithms (13)
                Length: 20
                Signature Hash Algorithms Length: 18
                Signature Hash Algorithms (9 algorithms)
            Extension: SessionTicket TLS (len=0)
                Type: SessionTicket TLS (35)
                Length: 0
                Data (0 bytes)
            Extension: extended_master_secret (len=0)
                Type: extended_master_secret (23)
                Length: 0
            Extension: renegotiation_info (len=1)
                Type: renegotiation_info (65281)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0

Server Name: [REMOVED]包含正确的服务器名称。

服务器问候

Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 65
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 61
            Version: TLS 1.2 (0x0303)
            Random: 5a292ab7238205b2b8a2e6692abfd518a054515e53cd5b16...
            Session ID Length: 0
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
            Compression Method: null (0)
            Extensions Length: 21
            Extension: server_name (len=0)
                Type: server_name (0)
                Length: 0
            Extension: renegotiation_info (len=1)
                Type: renegotiation_info (65281)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: ec_point_formats (len=4)
                Type: ec_point_formats (11)
                Length: 4
                EC point formats Length: 3
                Elliptic curves point formats (3)
            Extension: SessionTicket TLS (len=0)
                Type: SessionTicket TLS (35)
                Length: 0
                Data (0 bytes)

证书

Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 3855
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 3851
            Certificates Length: 3848
            Certificates (3848 bytes)

服务器你好,完成

Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 589
        Handshake Protocol: Server Key Exchange
            Handshake Type: Server Key Exchange (12)
            Length: 585
            EC Diffie-Hellman Server Params
                Curve Type: named_curve (0x03)
                Named Curve: secp256r1 (0x0017)
                Pubkey Length: 65
                Pubkey: ...
                Signature Hash Algorithm: 0x0401
                Signature Length: 512
                Signature: ...

多次握手消息

Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 77
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 3
            Certificates Length: 0
        Handshake Protocol: Client Key Exchange
            Handshake Type: Client Key Exchange (16)
            Length: 66
            EC Diffie-Hellman Client Params
                Pubkey Length: 65
                Pubkey: ...
    TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
        Content Type: Change Cipher Spec (20)
        Version: TLS 1.2 (0x0303)
        Length: 1
        Change Cipher Spec Message
    TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 40
        Handshake Protocol: Encrypted Handshake Message

使用 Internet Explorer 时,此部分会有所不同。在这种情况下,会列出很多证书。

    Handshake Protocol: Certificate
        Handshake Type: Certificate (11)
        Length: 3
        Certificates Length: 0

握手失败

Secure Sockets Layer
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)

我不确定在哪里发布(Serverfault 与 Stackoverflow),所以我也在这里发布了这个https://stackoverflow.com/q/47697982/1776231

相关内容