请求被中止: 无法创建 SSL/TLS 安全通道

我的客户已经通知了我他们的 SSL 和 Internet Explorer 的问题。他们说访问 URL 时会遇到信任问题。

我正在通过 HTTPS 访问 JSON。该网站坐落在一个服务器和我使用的控制台应用程序在我的本地机器。我试图绕过 SSL 证书,但是,我的代码仍然失败。

我可以修改 HttpWebRequest 来修复这个问题吗?

我使用下面的代码得到了这个错误:

    // You must change the URL to point to your Web server.
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
req.Method = "GET";
req.AllowAutoRedirect = true;


// allows for validation of SSL conversations
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };




WebResponse respon = req.GetResponse();
Stream res = respon.GetResponseStream();


string ret = "";
byte[] buffer = new byte[1048];
int read = 0;
while ((read = res.Read(buffer, 0, buffer.Length)) > 0)
{
//Console.Write(Encoding.ASCII.GetString(buffer, 0, read));
ret += Encoding.ASCII.GetString(buffer, 0, read);
}
return ret;
197720 次浏览
小开

这可能是由以下几个因素造成的(最有可能或最不可能) :

  1. 客户端不信任服务器的 SSL 证书。最简单的检查方法是将浏览器指向 URL,看看是否获得了 SSL 锁图标。如果你得到一个坏掉的锁,图标,点击它看看问题是什么:

    1. 过期日期-获得一个新的 SSL 证书
    2. 名称不匹配-请确保 URL 使用与证书相同的服务器名称。
    3. 未经受信任的权威机构签名——从 Verisign 等权威机构购买证书,或者将证书添加到客户机的受信任证书存储区。
    4. 在测试环境中,您可以更新您的证书验证器以跳过访问检查。

  2. 服务器需要客户端 SSL 证书——在这种情况下,您必须更新代码以使用客户端证书对请求进行签名。

小开
最佳答案

我使用以下代码启用了日志记录:

Http://blogs.msdn.com/b/dgorti/archive/2005/09/18/471003.aspx

日志位于 bin/Debug 文件夹中(我的控制台应用程序处于 Debug 模式)。您需要将安全协议类型添加为 SSL3

我在日志中收到一个不匹配的算法,这是我的新代码:

        // You must change the URL to point to your Web server.
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
req.Method = "GET";
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;




// Skip validation of SSL/TLS certificate
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };




WebResponse respon = req.GetResponse();
Stream res = respon.GetResponseStream();


string ret = "";
byte[] buffer = new byte[1048];
int read = 0;
while ((read = res.Read(buffer, 0, buffer.Length)) > 0)
{
Console.Write(Encoding.ASCII.GetString(buffer, 0, read));
ret += Encoding.ASCII.GetString(buffer, 0, read);
}
return ret;
小开

我必须启用其他安全协议版本来解决这个问题:

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls
| SecurityProtocolType.Tls11
| SecurityProtocolType.Tls12
| SecurityProtocolType.Ssl3;
小开

请看下面的链接一次。 SecurityProtocolType.SsL3现在是旧的。

Http://codemust.com/poodle-vulnerability-fix-openssl/

小开

现有的答案类似,但使用 PowerShell:

[System.Net.ServicePointManager]::SecurityProtocol = `
[System.Net.SecurityProtocolType]::Tls11 -bor
[System.Net.SecurityProtocolType]::Tls12 -bor `
[System.Net.SecurityProtocolType]::Tls -bor `
[System.Net.SecurityProtocolType]::Ssl3

然后调用 Invoke-WebRequest 应该可以。

这是匿名反馈,好建议: 更简单的写法是:

[System.Net.ServicePointManager]::SecurityProtocol = @("Tls12","Tls11","Tls","Ssl3")

发现这个奇妙的和相关的职位 Jaykul: 验证来自.Net 和 PowerShell 的自签名证书

小开

我发现证书的类型也起作用。

我有一个证书是:

(下面的输出是 mmc,证书属性)

数字签名,密钥加密(a0)

(下面的输出来自我下面的 C # 代码)

X509KeyUsageExtension.X509KeyUsageExtension.KeyUsages = ‘ KeyEncipherment,DigitalSignature’ X509KeyUsageext.KeyUsages.X509KeyUsageFlags. CrlSign = ‘ False’ X509KeyUsageExtension. KeyUsages.X509KeyUsageFlags. DataEncipherment = ‘ False’ X509KeyUsageExtension. KeyUsages.X509KeyUsageFlags. DecipherOnly = ‘ False’ X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.DigitalSignature = ‘ 没错’ X509KeyUsageext.KeyUsages.X509KeyUsageFlags. EncipherOnly = ‘ False’ X509KeyUsageext.KeyUsages.X509KeyUsageFlags. KeyAgreement = ‘ False’ X509KeyUsageExtension. KeyUsages.X509KeyUsageFlags. KeyCertSign = ‘ False’ X509KeyUsageExtension. KeyUsages.X509KeyUsageFlags. KeyEncipherment = ‘ 没错’ X509KeyUsageExtension. KeyUsages.X509KeyUsageFlags. None = ‘ False’ X509KeyUsageExtension. KeyUsages.X509KeyUsageFlags. NonRepudiation = ‘ False’

上面做了 没有的工作。

===============================

然后是另一张证书:

(下面的输出是 mmc,证书属性)

证书签名,离线 CRL 签名,CRL 签名(06)

(下面的输出来自我下面的 C # 代码)

X509KeyUsageExtension.X509KeyUsageExtension.KeyUsages = ‘ CrlSign,KeyCertSign’ X509KeyUsageExtension. KeyUsages.X509KeyUsageFlags. CrlSign = ‘ 没错’ X509KeyUsageExtension. KeyUsages.X509KeyUsageFlags. DataEncipherment = ‘ False’ X509KeyUsageExtension. KeyUsages.X509KeyUsageFlags. DecipherOnly = ‘ False’ X509KeyUsageext.KeyUsages.X509KeyUsageFlags.DigitalSignature = ‘ False’ X509KeyUsageext.KeyUsages.X509KeyUsageFlags. EncipherOnly = ‘ False’ X509KeyUsageext.KeyUsages.X509KeyUsageFlags. KeyAgreement = ‘ False’ X509KeyUsageExtension. KeyUsages.X509KeyUsageFlags. KeyCertSign = ‘ 没错’ X509KeyUsageext.KeyUsages.X509KeyUsageFlags. KeyEncipherment = ‘ False’ X509KeyUsageExtension. KeyUsages.X509KeyUsageFlags. None = ‘ False’ X509KeyUsageExtension. KeyUsages.X509KeyUsageFlags. NonRepudiation = ‘ False’

它是 起作用了

下面的代码允许您检查客户端证书

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;


namespace MyNamespace
{
public static class SecurityShower
{
public static void ShowHttpWebRequest(System.Net.HttpWebRequest hwr)
{
StringBuilder sb = new StringBuilder();
if (null != hwr)
{
sb.Append("-----------------------------------------------HttpWebRequest" + System.Environment.NewLine);
sb.Append(string.Format("HttpWebRequest.Address.AbsolutePath='{0}'", hwr.Address.AbsolutePath) + System.Environment.NewLine);
sb.Append(string.Format("HttpWebRequest.Address.AbsoluteUri='{0}'", hwr.Address.AbsoluteUri) + System.Environment.NewLine);
sb.Append(string.Format("HttpWebRequest.Address='{0}'", hwr.Address) + System.Environment.NewLine);


sb.Append(string.Format("HttpWebRequest.RequestUri.AbsolutePath='{0}'", hwr.RequestUri.AbsolutePath) + System.Environment.NewLine);
sb.Append(string.Format("HttpWebRequest.RequestUri.AbsoluteUri='{0}'", hwr.RequestUri.AbsoluteUri) + System.Environment.NewLine);
sb.Append(string.Format("HttpWebRequest.RequestUri='{0}'", hwr.RequestUri) + System.Environment.NewLine);


foreach (X509Certificate cert in hwr.ClientCertificates)
{
sb.Append("START*************************************************");
ShowX509Certificate(sb, cert);
sb.Append("END*************************************************");
}
}


string result = sb.ToString();
Console.WriteLine(result);
}


public static void ShowCertAndChain(X509Certificate2 cert)
{
X509Chain chain = new X509Chain();
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;


////chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreCtlSignerRevocationUnknown &&
////X509VerificationFlags.IgnoreRootRevocationUnknown &&
////X509VerificationFlags.IgnoreEndRevocationUnknown &&
////X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown &&
////X509VerificationFlags.IgnoreCtlNotTimeValid;


chain.Build(cert);


ShowCertAndChain(cert, chain);
}


public static void ShowCertAndChain(X509Certificate cert, X509Chain chain)
{
StringBuilder sb = new StringBuilder();
if (null != cert)
{
ShowX509Certificate(sb, cert);
}


if (null != chain)
{
sb.Append("-X509Chain(Start)-" + System.Environment.NewLine);
////sb.Append(string.Format("Cert.ChainStatus='{0}'", string.Join(",", chain.ChainStatus.ToList())) + System.Environment.NewLine);


foreach (X509ChainStatus cstat in chain.ChainStatus)
{
sb.Append(string.Format("X509ChainStatus::'{0}'-'{1}'", cstat.Status.ToString(), cstat.StatusInformation) + System.Environment.NewLine);
}


X509ChainElementCollection ces = chain.ChainElements;
ShowX509ChainElementCollection(sb, ces);
sb.Append("-X509Chain(End)-" + System.Environment.NewLine);
}


string result = sb.ToString();
Console.WriteLine(result);
}


private static void ShowX509Extension(StringBuilder sb, int x509ExtensionCount, X509Extension ext)
{
sb.Append(string.Empty + System.Environment.NewLine);
sb.Append(string.Format("--------X509ExtensionNumber(Start):{0}", x509ExtensionCount) + System.Environment.NewLine);
sb.Append(string.Format("X509Extension.Critical='{0}'", ext.Critical) + System.Environment.NewLine);


AsnEncodedData asndata = new AsnEncodedData(ext.Oid, ext.RawData);
sb.Append(string.Format("Extension type: {0}", ext.Oid.FriendlyName) + System.Environment.NewLine);
sb.Append(string.Format("Oid value: {0}", asndata.Oid.Value) + System.Environment.NewLine);
sb.Append(string.Format("Raw data length: {0} {1}", asndata.RawData.Length, Environment.NewLine) + System.Environment.NewLine);
sb.Append(asndata.Format(true) + System.Environment.NewLine);


X509BasicConstraintsExtension basicEx = ext as X509BasicConstraintsExtension;
if (null != basicEx)
{
sb.Append("-X509BasicConstraintsExtension-" + System.Environment.NewLine);
sb.Append(string.Format("X509Extension.X509BasicConstraintsExtension.CertificateAuthority='{0}'", basicEx.CertificateAuthority) + System.Environment.NewLine);
}


X509EnhancedKeyUsageExtension keyEx = ext as X509EnhancedKeyUsageExtension;
if (null != keyEx)
{
sb.Append("-X509EnhancedKeyUsageExtension-" + System.Environment.NewLine);
sb.Append(string.Format("X509Extension.X509EnhancedKeyUsageExtension.EnhancedKeyUsages='{0}'", keyEx.EnhancedKeyUsages) + System.Environment.NewLine);
foreach (Oid oi in keyEx.EnhancedKeyUsages)
{
sb.Append(string.Format("------------EnhancedKeyUsages.Oid.FriendlyName='{0}'", oi.FriendlyName) + System.Environment.NewLine);
sb.Append(string.Format("------------EnhancedKeyUsages.Oid.Value='{0}'", oi.Value) + System.Environment.NewLine);
}
}


X509KeyUsageExtension usageEx = ext as X509KeyUsageExtension;
if (null != usageEx)
{
sb.Append("-X509KeyUsageExtension-" + System.Environment.NewLine);
sb.Append(string.Format("X509Extension.X509KeyUsageExtension.KeyUsages='{0}'", usageEx.KeyUsages) + System.Environment.NewLine);
sb.Append(string.Format("X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.CrlSign='{0}'", (usageEx.KeyUsages & X509KeyUsageFlags.CrlSign) != 0) + System.Environment.NewLine);
sb.Append(string.Format("X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.DataEncipherment='{0}'", (usageEx.KeyUsages & X509KeyUsageFlags.DataEncipherment) != 0) + System.Environment.NewLine);
sb.Append(string.Format("X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.DecipherOnly='{0}'", (usageEx.KeyUsages & X509KeyUsageFlags.DecipherOnly) != 0) + System.Environment.NewLine);
sb.Append(string.Format("X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.DigitalSignature='{0}'", (usageEx.KeyUsages & X509KeyUsageFlags.DigitalSignature) != 0) + System.Environment.NewLine);
sb.Append(string.Format("X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.EncipherOnly='{0}'", (usageEx.KeyUsages & X509KeyUsageFlags.EncipherOnly) != 0) + System.Environment.NewLine);
sb.Append(string.Format("X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.KeyAgreement='{0}'", (usageEx.KeyUsages & X509KeyUsageFlags.KeyAgreement) != 0) + System.Environment.NewLine);
sb.Append(string.Format("X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.KeyCertSign='{0}'", (usageEx.KeyUsages & X509KeyUsageFlags.KeyCertSign) != 0) + System.Environment.NewLine);
sb.Append(string.Format("X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.KeyEncipherment='{0}'", (usageEx.KeyUsages & X509KeyUsageFlags.KeyEncipherment) != 0) + System.Environment.NewLine);
sb.Append(string.Format("X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.None='{0}'", (usageEx.KeyUsages & X509KeyUsageFlags.None) != 0) + System.Environment.NewLine);
sb.Append(string.Format("X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.NonRepudiation='{0}'", (usageEx.KeyUsages & X509KeyUsageFlags.NonRepudiation) != 0) + System.Environment.NewLine);
}


X509SubjectKeyIdentifierExtension skIdEx = ext as X509SubjectKeyIdentifierExtension;
if (null != skIdEx)
{
sb.Append("-X509SubjectKeyIdentifierExtension-" + System.Environment.NewLine);
sb.Append(string.Format("X509Extension.X509SubjectKeyIdentifierExtension.Oid='{0}'", skIdEx.Oid) + System.Environment.NewLine);
sb.Append(string.Format("X509Extension.X509SubjectKeyIdentifierExtension.SubjectKeyIdentifier='{0}'", skIdEx.SubjectKeyIdentifier) + System.Environment.NewLine);
}


sb.Append(string.Format("--------X509ExtensionNumber(End):{0}", x509ExtensionCount) + System.Environment.NewLine);
}


private static void ShowX509Extensions(StringBuilder sb, string cert2SubjectName, X509ExtensionCollection extColl)
{
int x509ExtensionCount = 0;
sb.Append(string.Format("--------ShowX509Extensions(Start):for:{0}", cert2SubjectName) + System.Environment.NewLine);
foreach (X509Extension ext in extColl)
{
ShowX509Extension(sb, ++x509ExtensionCount, ext);
}


sb.Append(string.Format("--------ShowX509Extensions(End):for:{0}", cert2SubjectName) + System.Environment.NewLine);
}


private static void ShowX509Certificate2(StringBuilder sb, X509Certificate2 cert2)
{
if (null != cert2)
{
sb.Append(string.Format("X509Certificate2.SubjectName.Name='{0}'", cert2.SubjectName.Name) + System.Environment.NewLine);
sb.Append(string.Format("X509Certificate2.Subject='{0}'", cert2.Subject) + System.Environment.NewLine);
sb.Append(string.Format("X509Certificate2.Thumbprint='{0}'", cert2.Thumbprint) + System.Environment.NewLine);
sb.Append(string.Format("X509Certificate2.HasPrivateKey='{0}'", cert2.HasPrivateKey) + System.Environment.NewLine);
sb.Append(string.Format("X509Certificate2.Version='{0}'", cert2.Version) + System.Environment.NewLine);
sb.Append(string.Format("X509Certificate2.NotBefore='{0}'", cert2.NotBefore) + System.Environment.NewLine);
sb.Append(string.Format("X509Certificate2.NotAfter='{0}'", cert2.NotAfter) + System.Environment.NewLine);
sb.Append(string.Format("X509Certificate2.PublicKey.Key.KeySize='{0}'", cert2.PublicKey.Key.KeySize) + System.Environment.NewLine);


////List<X509KeyUsageExtension> keyUsageExtensions = cert2.Extensions.OfType<X509KeyUsageExtension>().ToList();
////List<X509Extension> extensions = cert2.Extensions.OfType<X509Extension>().ToList();


ShowX509Extensions(sb, cert2.Subject, cert2.Extensions);
}
}


private static void ShowX509ChainElementCollection(StringBuilder sb, X509ChainElementCollection ces)
{
int x509ChainElementCount = 0;
foreach (X509ChainElement ce in ces)
{
sb.Append(string.Empty + System.Environment.NewLine);
sb.Append(string.Format("----X509ChainElementNumber:{0}", ++x509ChainElementCount) + System.Environment.NewLine);
sb.Append(string.Format("X509ChainElement.Cert.SubjectName.Name='{0}'", ce.Certificate.SubjectName.Name) + System.Environment.NewLine);
sb.Append(string.Format("X509ChainElement.Cert.Issuer='{0}'", ce.Certificate.Issuer) + System.Environment.NewLine);
sb.Append(string.Format("X509ChainElement.Cert.Thumbprint='{0}'", ce.Certificate.Thumbprint) + System.Environment.NewLine);
sb.Append(string.Format("X509ChainElement.Cert.HasPrivateKey='{0}'", ce.Certificate.HasPrivateKey) + System.Environment.NewLine);


X509Certificate2 cert2 = ce.Certificate as X509Certificate2;
ShowX509Certificate2(sb, cert2);


ShowX509Extensions(sb, cert2.Subject, ce.Certificate.Extensions);
}
}


private static void ShowX509Certificate(StringBuilder sb, X509Certificate cert)
{
sb.Append("-----------------------------------------------" + System.Environment.NewLine);
sb.Append(string.Format("Cert.Subject='{0}'", cert.Subject) + System.Environment.NewLine);
sb.Append(string.Format("Cert.Issuer='{0}'", cert.Issuer) + System.Environment.NewLine);


sb.Append(string.Format("Cert.GetPublicKey().Length='{0}'", cert.GetPublicKey().Length) + System.Environment.NewLine);


X509Certificate2 cert2 = cert as X509Certificate2;
ShowX509Certificate2(sb, cert2);
}
}
}
小开

也收到“无法创建 SSL/TLS 安全通道”错误。这是什么为我工作。 System.Net.ServicePointManager.SecurityProtocol = (System.Net.SecurityProtocolType)3072;

小开

对于.Net v4.0,我注意到,将 ServicePointManager.SecurityProtocol 的值设置为(SecurityProtocolType)3072,但是创建 HttpWebRequest 对象的 之前有所帮助。

小开

定义 SecurityProtocol 如下所示

SecurityProtocol = SecurityProtocolType. Tls12;

小开

来自@sameerfair

“对于.Net v4.0,我注意到,在创建 HttpWebRequest 对象之前,将 ServicePointManager. SecurityProtocol 的值设置为(SecurityProtocolType)3072有所帮助。”

上面的建议对我很有用。下面是我的代码行,对我很有用

var securedwebserviceurl="https://somedomain.com/service";
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls12 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11;
// Skip validation of SSL/TLS certificate
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
var httpWebRequest = (HttpWebRequest)WebRequest.Create(securedwebserviceurl);
httpWebRequest.ContentType = "application/json";
httpWebRequest.Method = "POST";
httpWebRequest.ProtocolVersion= HttpVersion.Version10;
var httpResponse = (HttpWebResponse)httpWebRequest.GetResponse();
using (var streamReader = new StreamReader(httpResponse.GetResponseStream())) {
string responseFromServer = streamReader.ReadToEnd();
}
小开

这对我很有效:

ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls
| SecurityProtocolType.Tls11
| SecurityProtocolType.Tls12
| SecurityProtocolType.Ssl3;
小开

这对我很有效:

ServicePointManager.ServerCertificateValidationCallback = (snder, cert, chain, error) => true;

如果它不工作,它可能与其他解决方案像这样:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
ServicePointManager.ServerCertificateValidationCallback = (snder, cert, chain, error) => true;
小开

不幸的是,上面提到的所有答案对我都不起作用。 下面列出的代码为我做了一个奇迹。如果它有助于某人。

ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls
| SecurityProtocolType.Tls11
| SecurityProtocolType.Tls12
| SecurityProtocolType.Ssl3;

并且在创建 HttpWebRequest 之前必须设置这个值。

小开

当您的应用程序驻留的服务器只支持 Tls 1.2时,它会非常有用。在这种情况下,您需要删除旧的不安全协议,并只保留 Tls 1.2:

// Remove insecure protocols (SSL3, TLS 1.0, TLS 1.1)
ServicePointManager.SecurityProtocol &= ~SecurityProtocolType.Ssl3;
ServicePointManager.SecurityProtocol &= ~SecurityProtocolType.Tls;
ServicePointManager.SecurityProtocol &= ~SecurityProtocolType.Tls11;


// Add TLS 1.2
ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;

提交答案