什么可能导致System.Net错误:AcquireCredentialsHandle()失败,错误0X8009030D?

时间:2018-05-24 11:47:36

标签: c# ssl x509certificate dotnet-httpclient tls1.2

我有一个简单的https连接代码,可以很好地与一个ssl主机连接,即使根证书颁发机构不受信任也是连接的(这是一个沙盒环境,所以我们不担心这会产生的安全漏洞,因为现在),并使用Nuget包OpenSSL.X509Certificate2Provider

从文本文件加载证书和密钥 
    public async Task<string> Register()
    {
        ServicePointManager.Expect100Continue = true;
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, sslPolicyErrors) => true;

        using (var handler = new HttpClientHandler())
        {
            var rawcert = File.ReadAllText(@"C:\OpenSSL\bin\certTransport.pem");
            var rawkey = File.ReadAllText(@"C:\OpenSSL\bin\privateKeyTransport.key");

            var provider = new CertificateFromFileProvider(rawcert, rawkey);
            var cert = provider.Certificate;
            handler.ClientCertificateOptions = ClientCertificateOption.Manual;
            handler.ServerCertificateCustomValidationCallback +=
                (HttpRequestMessage req, X509Certificate2 cert2, X509Chain chain, SslPolicyErrors err) =>
                {
                    return true;
                };

            handler.ClientCertificates.Add(cert);

            using (var client = new HttpClient(handler))
            {
                client.BaseAddress = new Uri("https://{uri}/");
                var response = await client.GetStringAsync("register");
                return response;
            }
        }
    }

当我将此代码指向另一台主机时,应以完全相同的方式保护,我收到以下错误: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.

挖掘日志,我发现: System.Net Information: 0 : [35036] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential) System.Net Error: 0 : [35036] AcquireCredentialsHandle() failed with error 0X8009030D.

为此搜索堆栈,我发现许多与证书存储权限相关的错误,但是这种情况下的客户端证书未从商店加载。

我还发现许多与SecurityProtocolType有关的问题。我已经验证服务器正在使用Tls1.2(仅限)。

我正在使用Win10 x64上的管理权限运行的VS 2017 Enterprise中的单元测试中调用代码。该代码包含在.Net 4.7类库中,不包含在IIS中。

可能导致此问题的原因是什么?

更新 按照下面的@Jeroen Mostert的有用评论,我尝试了与OpenSSL的基本连接测试。略有匿名的结果:

OpenSSL> s_client -connect {REMOVED}:443 -CAfile C:\OpenSSL\bin\archive-ii\transport-production-new\certTransport.pem
CONNECTED(000001F0)
depth=2 C = GB, O = OK, CN = {REMOVED} Root CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=GB/O={REMOVED}/OU={REMOVED}/CN={REMOVED}
i:/C=GB/O={REMOVED}/CN={REMOVED} Issuing CA
1 s:/C=GB/O={REMOVED}/CN={REMOVED} Issuing CA
i:/C=GB/O={REMOVED}/CN={REMOVED} Root CA
2 s:/C=GB/O={REMOVED}/CN={REMOVED} Root CA
i:/C=GB/O={REMOVED}/CN={REMOVED} Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
{REMOVED}
-----END CERTIFICATE-----
subject=/C=GB/O={REMOVED}/OU={REMOVED}/CN={REMOVED}
issuer=/C=GB/O={REMOVED}/CN={REMOVED} Issuing CA
---
Acceptable client certificate CA names
/C=GB/O={REMOVED}/CN={REMOVED} Issuing CA
/C=GB/O={REMOVED}/CN={REMOVED} Root CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms:     RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5155 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key: {REMOVED}
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1527164830
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

那里有什么不妥吗?

我还查看了CAPI2日志(如评论中所示)。这显示与根证书不相信的错误,如下所示: enter image description here

这是否意味着我的验证回调不起作用 - 如果是的话,任何想法都会出现这种情况?

进一步更新:

如果我删除了附加证书的代码行,那么错误就会消失 - 我会通过MTLS测试终端(但当然,在那里进行的MTLS测试失败了。)

这表明了什么?证书本身有问题吗?

1 个答案:

答案 0 :(得分:0)

最后的问题是CertificateFromFileProvider NuGet包的OpenSSL.X509Certificate2Provider方法的输出。

由于任何原因,创建的证书将无法正常工作。取相同的输入文件并用OpenSSL生成.pfx会导致X509Certificate2正常工作。

相关问题
最新问题