1
我在這方面看到過幾個類似的問題,但似乎沒有任何答案真的有助於解決它。請求被中止:無法創建SSL/TLS安全通道 - IllegalMessage
我需要通過證書認證來訪問客戶Web服務。在提示時選擇正確的證書後,使用SoapUI和chrome工作正常。但我無法使用IE,WCF客戶端,不是我自己的,也不是WcfTestClient。 操作系統是Windows服務器2012 R2,協議TLS 1.2
我一直在調查事件,tracelogs,也花了相當一段時間分析wireshark捕獲,但我卡住了。這是我
事件日誌:
下產生致命的警報併發送到遠程端點。這可能會導致連接終止。 TLS協議定義的致命錯誤代碼是10,在Windows SChannel中的錯誤狀態是12
跟蹤日誌:
我會忽略不感興趣的部分,並只顯示相關的。
System.Net Information: 0 : [12208] Connection#11144211 - Created connection
from 192.168.3.13:53514 to 145.119.167.109:443.
System.Net Information: 0 : [12208] TlsStream#3957675::.ctor(host=aaa.bbb.eu, #certs=1)
System.Net Information: 0 : [12208] Associating HttpWebRequest#37368736 with ConnectStream#35619075
.
.
.
System.Net Information: 0 : [12208]
SecureChannel#52136226::.ctor(hostname=aaa.bbb.eu, #clientCertificates=1, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [12208] Enumerating security packages:
System.Net Information: 0 : [12208] Negotiate
System.Net Information: 0 : [12208] NegoExtender
System.Net Information: 0 : [12208] Kerberos
System.Net Information: 0 : [12208] NTLM
System.Net Information: 0 : [12208] TSSSP
System.Net Information: 0 : [12208] pku2u
System.Net Information: 0 : [12208] WDigest
System.Net Information: 0 : [12208] Schannel
System.Net Information: 0 : [12208] Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [12208] CREDSSP
System.Net Information: 0 : [12208] SecureChannel#52136226 - Attempting to restart the session using the user-provided certificate: [HERE GOES DATA ABOUT CERTIFICATE]
.
.
.
System.Net Information: 0 : [12208] SecureChannel#52136226 - Left with 1 client certificates to choose from.
System.Net Information: 0 : [12208] SecureChannel#52136226 - Trying to find a matching certificate in the certificate store.
System.Net Information: 0 : [12208] SecureChannel#52136226 - Locating the private key for the certificate: [HERE GOES DATA ABOUT CERTIFICATE]
.
.
.
System.Net Information: 0 : [12208] SecureChannel#52136226 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [12208] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Information: 0 : [12208] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = aaa.bbb.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [12208] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=161, returned code=ContinueNeeded).
然後一些收到的消息,與
System.Net.Sockets Verbose: 0 : [12208] Exiting Socket#33189039::Receive() -> Int32#2516
System.Net Information: 0 : [12208] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = cb00f8:7980678, targetName = aaa.bbb.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [12208] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net.Sockets Verbose: 0 : [12208] Socket#33189039::Receive()
System.Net.Sockets Verbose: 0 : [12208] Data from Socket#33189039::Receive
。最後,這個問題。
System.Net.Sockets Verbose: 0 : [12208] Exiting Socket#33189039::Receive() -> Int32#2839
System.Net Information: 0 : [12208] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = cb00f8:7980678, targetName = aaa.bbb.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [12208] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
System.Net.Sockets Verbose: 0 : [12208] Socket#33189039::Dispose()
System.Net Error: 0 : [12208] Exception in HttpWebRequest#37368736:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [12208] Exception in HttpWebRequest#37368736::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..
所以,很顯然,我有足夠的權利,成功地閱讀和使用提供的客戶端證書(這是蠻好的Chrome和了SoapUI)。 當通過Wireshark檢查網絡流時,Client Hello和Server Hello在那裏,然後是證書和服務器密鑰交換消息。然後很多可能沒有正確解碼的數據包來自服務器(由Wireshark標記爲Encrypted Handshake消息,內容看起來像是某些證書),最後是從我的客戶端收到ACK RST數據包。
任何想法可能會導致這將不勝感激。
編輯:添加了客戶機代碼和配置
客戶端代碼:
ServicePointManager.SetTcpKeepAlive(true, 10000, 1000);
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
try
{
client = new IncidentBrokerPortTypeClient("gms_endpoint");
client.EchoRequest(new EchoRequest());
}
catch (Exception ex)
{
MessageBox.Show(ex.Message + Environment.NewLine + ex.InnerException);
}
配置:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
</startup>
<system.serviceModel>
<bindings>
<basicHttpsBinding>
<binding name="HttpsBasicBinding">
<security mode="Transport" >
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpsBinding>
</bindings>
<client>
<endpoint
name ="gms_endpoint"
address="https://aaa.bbb.eu/"
binding="basicHttpsBinding"
bindingConfiguration="HttpsBasicBinding"
contract="SomeNamespace.IncidentBrokerPortType"
behaviorConfiguration="GmsBehavior"
/>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="GmsBehavior">
<clientCredentials>
<clientCertificate x509FindType="FindByThumbprint"
findValue="5c1dd5c93d1854cb2d698451e1d2a78a3d94dcb0"
storeLocation="LocalMachine"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
與chrome瀏覽器不同,WCFTestClient不具備提示用戶附加客戶端證書的功能。除非明確編碼,否則您的自定義客戶端將不具備該功能。雖然我想知道爲什麼IE不提示您附加客戶端證書。 –
根據跟蹤日誌,我已經將WcfTestClient和我的自定義測試客戶端都配置爲使用給定證書,至少自定義測試客戶端使用它。 –
事實上,它按照預期與soapui和鉻,然後沒有錯誤的服務。在這種情況下,我們將不得不檢查您的自定義客戶端代碼。你可以發佈它嗎? –