2015-05-27 41 views
3

我試圖連接到測試服務器,開始與OpenSSL的(這有限的密碼套件組合意指)的SSL服務器:無法連接到僅使用密碼套件短暫的(本地安全機構無法聯繫)

openssl s_server -accept 443 -www -tls1_2 -cipher ECDHE:DHE:EDH -cert selfsignedcert.pem -key sskey.pem 

我使用的代碼類似於MSDN的

public static bool ValidateServerCertificate(
     object sender, 
     X509Certificate certificate, 
     X509Chain chain, 
     SslPolicyErrors sslPolicyErrors) 
{ 
     return true; 
} 

... 

var client = new TcpClient(target, port); 
SslStream sslStream = new SslStream(client.GetStream(), false,ValidateServerCertificate,null); 
sslStream.AuthenticateAsClient(target, null, SslProtocols.Tls12, false); 

但我發現了在最後一行異常:A call to SSPI failed, see inner exception.,其中內部異常說:The Local Security Authority cannot be contacted。通過查看wireshark,我可以說TLS握手以Server Hello, Certificate, Server Key Exchange, Server Hello Done結束,選擇的密碼組爲TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)

我可以通過Firefox訪問網址,但不能與IE瀏覽器(它只是說「此頁面無法顯示」),所以它看起來像schannel問題。

當我用所有密碼組啓動服務器時,一切正常(IE和代碼)(-cipher ALL)。有沒有辦法讓它工作而不修改服務器的配置?

堆棧跟蹤,以防萬一

at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception) 
    at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest) 
    at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult) 
    at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation) 

我使用Windows 8.1與最新的更新。

+1

嘗試給你自己的DH參數至少1024位。 s_server的默認值是弱的512位,IE可能無法接受。 –

+0

@SteffenUllrich謝謝,使用自定義1024bit參數幫助。但我的問題是如何連接到這個服務器**沒有**改變它的配置即。如何繞過這種保護措施 – savageBum

+0

我不認爲繞過此檢查是一個好主意,請參閱https://weakdh.org/。並期望其他瀏覽器和庫也獲得此限制。 OpenSSL forork BoringSSL和LibreSSL已經有一段時間的1024位限制,沒有辦法繞過它。但是你可能會使用一個更新的OpenSSL版本(在1.02之後),他們不再使用s_server中的512位DH缺省值。 –

回答

5

我設法使用Windows註冊表設置schannel的最小密鑰長度。

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman] 
"ClientMinKeyBitLength"=dword:00000200 

但它不是所期望的解決方案,因爲它改變了整個系統的設置,我想在我的應用範圍暫時只有設置。

+0

嗨,你最終設法找到更好的解決方案嗎? – Para

+0

類別。我沒有使用schannel,而是使用openssl,使用託管包裝來精確地[openssl-net](https://github.com/openssl-net/openssl-net)。 – savageBum