关于c#:HttpWebRequest :: GetResponse-请求被中止:无法创建SSL / TLS安全通道


HttpWebRequest::GetResponse - The request was aborted: Could not create SSL/TLS secure channel

请阅读下面的全文。我尝试了解决此问题的所有常用方法。

因此,我成功运行的.Net 4.5应用程序已经从URL中获取数据了很长时间。但是它突然因上面提到的错误而开始失败:

HttpWebRequest#687191::GetResponse - The request was aborted: Could
not create SSL/TLS secure channel..

这是示例C#代码,通过它我可以重现错误:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
    ServicePointManager.Expect100Continue = true;
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11;
    ServicePointManager.DefaultConnectionLimit = 9999;

    ServicePointManager.ServerCertificateValidationCallback = delegate(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors)
    {
        return (true);
    };

    var authHeaderValue = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(string.Format("{0}:{1}","username","password")));

    var request = (HttpWebRequest) HttpWebRequest.Create("url-here");
    request.Method ="GET";
    request.Headers.Add("Authorization: Basic" + authHeaderValue);

    using (HttpWebResponse response = (HttpWebResponse) request.GetResponse())
    {
        Stream dataStream = response.GetResponseStream();
        StreamReader reader = new StreamReader(dataStream);
        var s = reader.ReadToEnd();
        reader.Close();
        dataStream.Close();

        Console.WriteLine(s);
    }

如您所见,上面已经尝试了在ServicePointManager上设置值/忽略证书错误的所有常用解决方案。
我仍然收到错误消息,甚至没有命中ServerCertificateValidationCallback。

我在Fiddler上启用了HTTPS解密,而Fiddler却给了我这个错误:

System.Security.Authentication.AuthenticationException : A call to
SSPI failed, see inner exception.
----> System.ComponentModel.Win32Exception : The message received was unexpected or badly formatted

我去了跟踪(https://stackoverflow.com/a/12327881/12484),这是跟踪文件的输出:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
System.Net Information: 0 : [13160] Current OS installation type is 'Client'.
System.Net Verbose: 0 : [13160] WebRequest::Create(url-here)
System.Net Verbose: 0 : [13160] HttpWebRequest#687191::HttpWebRequest(url-here)
System.Net Information: 0 : [13160] RAS supported: True
System.Net Verbose: 0 : [13160] Exiting HttpWebRequest#687191::HttpWebRequest()
System.Net Verbose: 0 : [13160] Exiting WebRequest::Create()    -> HttpWebRequest#687191
System.Net Verbose: 0 : [13160] HttpWebRequest#687191::GetResponse()
System.Net Verbose: 0 : [13160] ServicePoint#49385318::ServicePoint(domain-here:443)
System.Net Information: 0 : [13160] Associating HttpWebRequest#687191 with ServicePoint#49385318
System.Net Information: 0 : [13160] Associating Connection#7746814 with HttpWebRequest#687191
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Socket(AddressFamily#2)
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Socket()
System.Net.Sockets Verbose: 0 : [13160] Socket#50934842::Socket(AddressFamily#23)
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#50934842::Socket()
System.Net.Sockets Verbose: 0 : [13160] DNS::TryInternalResolve(domain-here)
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Connect(server-ip-here:443#1466373584)
System.Net.Sockets Information: 0 : [13160] Socket#13062350 - Created connection from client-ip-here:11043 to server-ip-here:443.
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Connect()
System.Net.Sockets Verbose: 0 : [13160] Socket#50934842::Close()
System.Net.Sockets Verbose: 0 : [13160] Socket#50934842::Dispose()
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#50934842::Close()
System.Net Information: 0 : [13160] Connection#7746814 - Created connection from client-ip-here:11043 to server-ip-here:443.
System.Net Information: 0 : [13160] TlsStream#10366524::.ctor(host=domain-here, #certs=0)
System.Net Information: 0 : [13160] Associating HttpWebRequest#687191 with ConnectStream#63840421
System.Net Information: 0 : [13160] HttpWebRequest#687191 - Request: GET relative-url-here HTTP/1.1

System.Net Information: 0 : [13160] ConnectStream#63840421 - Sending headers
{
Authorization: Basic credentials-here
Host: domain-here
Connection: Keep-Alive
}.
System.Net Information: 0 : [13160] SecureChannel#54246671::.ctor(hostname=domain-here, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [13160] Enumerating security packages:
System.Net Information: 0 : [13160]     Negotiate
System.Net Information: 0 : [13160]     NegoExtender
System.Net Information: 0 : [13160]     Kerberos
System.Net Information: 0 : [13160]     NTLM
System.Net Information: 0 : [13160]     Schannel
System.Net Information: 0 : [13160]     Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [13160]     WDigest
System.Net Information: 0 : [13160]     TSSSP
System.Net Information: 0 : [13160]     pku2u
System.Net Information: 0 : [13160]     CREDSSP
System.Net Information: 0 : [13160] SecureChannel#54246671 - Left with 0 client certificates to choose from.
System.Net Information: 0 : [13160] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [13160] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = domain-here, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [13160] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=184, returned code=ContinueNeeded).
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Send()
System.Net.Sockets Verbose: 0 : [13160] Data from Socket#13062350::Send
System.Net.Sockets Verbose: 0 : [13160] 00000000 : 16 03 03 00 B3 01 00 00-AF 03 03 5E D9 42 A7 54 : ...........^.B.T
System.Net.Sockets Verbose: 0 : [13160] 00000010 : CD 34 00 7C 31 C9 2F 75-E7 DE A6 9E E8 D7 B5 74 : .4.|1./u.......t
System.Net.Sockets Verbose: 0 : [13160] 00000020 : 3C CB 7E B3 84 D8 1A 22-69 79 B3 00 00 38 C0 28 : <.~...."iy...8.(
System.Net.Sockets Verbose: 0 : [13160] 00000030 : C0 27 C0 14 C0 13 00 9F-00 9E 00 39 00 33 00 9D : .'.........9.3..
System.Net.Sockets Verbose: 0 : [13160] 00000040 : 00 9C 00 3D 00 3C 00 35-00 2F C0 2C C0 2B C0 24 : ...=.<.5./.,.+.$
System.Net.Sockets Verbose: 0 : [13160] 00000050 : C0 23 C0 0A C0 09 00 6A-00 40 00 38 00 32 00 0A : .#[email protected]..
System.Net.Sockets Verbose: 0 : [13160] 00000060 : 00 13 00 05 00 04 01 00-00 4E 00 00 00 19 00 17 : .........N......
System.Net.Sockets Verbose: 0 : [13160] 00000070 : 00 00 14 61 6D 61 74 72-61 76 65 6C 2E 74 73 74 : ...domain-here
System.Net.Sockets Verbose: 0 : [13160] 00000080 : 6C 6C 63 2E 6E 65 74 00-0A 00 06 00 04 00 17 00 : domain-here.........
System.Net.Sockets Verbose: 0 : [13160] 00000090 : 18 00 0B 00 02 01 00 00-0D 00 14 00 12 06 01 06 : ................
System.Net.Sockets Verbose: 0 : [13160] 000000A0 : 03 04 01 05 01 02 01 04-03 05 03 02 03 02 02 00 : ................
System.Net.Sockets Verbose: 0 : [13160] 000000B0 : 17 00 00 FF 01 00 01 00-                        : ........
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Send()     -> Int32#184
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Receive()
System.Net.Sockets Verbose: 0 : [13160] Data from Socket#13062350::Receive
System.Net.Sockets Verbose: 0 : [13160] 00000000 : 15 03 03 00 02                                  : .....
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Receive()  -> Int32#5
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Receive()
System.Net.Sockets Verbose: 0 : [13160] Data from Socket#13062350::Receive
System.Net.Sockets Verbose: 0 : [13160] 00000005 : 02 28                                           : .(
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Receive()  -> Int32#2
System.Net Information: 0 : [13160] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 51ccc0:5827200, targetName = domain-here, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [13160] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Dispose()
System.Net Error: 0 : [13160] Exception in HttpWebRequest#687191:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [13160] Exception in HttpWebRequest#687191::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..

我在上面的跟踪中替换了服务器和客户端敏感信息(任何以-here结尾的信息),但其他跟踪信息未损坏。

我仍然无法弄清楚Trace中出了什么问题,为什么这个URL(使用HTTPS)无法用我的.Net代码打开。

有人可以帮助我解决此问题吗?

调试信息包含客户端在TLS握手中发送的ClientHello。基于此,服务器是amatravel.tstllc.net,根据SSLLabs,它支持以下很少的密码:

1
2
3
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)         ECDH x25519 (eq. 3072 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)         ECDH x25519 (eq. 3072 bits RSA)   FS 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   ECDH x25519 (eq. 3072 bits RSA)   FS 256

所有这些密码均以TLS_ECDHE_RSA_开头,即具有ECDHE密钥交换的RSA证书。但是对ClientHello进行解码表明,客户端仅宣布支持以下密码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
        Cipher Suites (28 suites)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
            Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
            Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
            Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
            Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
            Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
            Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

快速查看将发现以TLS_ECDHE_RSA_开头的4个密码均与服务器支持的密码不匹配。因此,由于没有共享密码,握手将失败。

But it suddenly started failing ...

假设未对应用程序进行任何更改,则可能已对服务器进行了更改。服务器支持的密码集非常小,因此也许有人尝试加固服务器,却没有意识到某些客户端不支持这几种密码中的任何一种。

但是您的客户端支持的密码集也很奇怪。支持TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256时不支持TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,即相同的密码,但用于RSA证书而不是ECC证书。服务器实际上将支持后一种密码。

相关讨论