在IIS 7.5中设置要求SSL,忽略/禁止客户端/服务器SSL证书

时间:2015-08-17 18:50:58

标签: iis ssl https iis-7

我创建了一个我希望能够使用智能卡访问的网站,因此我在网站上启用了SSL。当我远程登录到服务器并使用智能卡访问https端口上的站点时,一切正常。我收到提示并加载网站。但是,如果我尝试访问同一站点,使用客户端PC上的相同卡,则会收到403 Forbidden错误。 

Settings on the server(IIS 7.5) I have implemented or verified: 

1) Site is bound to specific port (not 443) with a type of https and a certificate that has a friendly name. 
2) SSL settings: Require SSL is checked, Require client certificates is selected (note: if I set it to accept, the site will load for the client but it never prompts for credentials) 
3) I have verified that when Require client certificates is set to accept, that the certificate it recognizes in the browser is the correct one (e.g. myserver.com) but as I said then I don't receive the prompt for credentials
4) Anonymous Authentication is enabled, all others disabled
5) applicationhost.config file set the following in location -> system.webserver -> security: 
     a) sslFlags = "Ssl, SslNegotiateCert, SslRequireCert"
     b) under authentication set iisClientCertificateMappingAuthentication to true
6) I have confirmed the necessary certificates exist in the Trusted Root and Personal folders for the Local Computer account. 


Settings for the client: 

1) I have confirmed the necessary certificates exist and match what the server has in the Trusted Root and Personal folders for the Local Computer account.
2) I have checked that the certificate chain in the browser does not show any errors going down the chain in both IE and Chrome

我创建了一个自签名证书,并将其添加到服务器和客户端上的所有证书存储中,并收到相同的行为。

使用OpenSSL我已经取得了以下成果:

openssl s_client -connect myserver.com -CAfile c:\certs\godaddy.pem  -servername myserver.com

Loading 'screen' into random state - done
CONNECTED(00000160) 
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go D
addy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http
://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G
2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.myserver.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.myserver.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.c
om/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.c
om/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certific
ate Authority - G2
---
Server certificate
-----BEGIN CERTIFICATE-----
...29u1FZGXZnMUZCW5rlmZrkCAiBwDAB0/2t6BhyGh0JxydLWrRzJAZhW33KIem7IC...
-----END CERTIFICATE-----

subject=/OU=Domain Control Validated/CN=*.myserver.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy
.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
---
SSL handshake has read 2713 bytes and written 673 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: *** edited ***

    Session-ID-ctx:
    Master-Key: *** edited ***
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1439825381
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
read:errno=10054

OpenSSL结果有一个部分说“没有发送客户端证书CA名称'在我添加-CAfile选项之前,我收到验证20错误无法获得本地颁发者证书。

更新OpenSSL结果:

想出如何使用调试功能,从我在这里看到的内容来看,只要我传入CAfile路径,它似乎正确地协商SSL并使用正确的证书。

openssl s_client -connect myserver.com:10168 -state -debug -CAfile c:\certs\godaddy.pem  -servername myserver

SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate 

Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.myserver.com
verify return:1

SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A

SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A

SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.myserver.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.c
om/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.c
om/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certific
ate Authority - G2
---
Server certificate
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

subject=/OU=Domain Control Validated/CN=*.myserver.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy
.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
---
SSL handshake has read 2713 bytes and written 643 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: ***

    Session-ID-ctx:
    Master-Key: ***
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1439919398
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
read from 0x2dd5b0 [0x2f06d3] (5 bytes => -1 (0xFFFFFFFF))
read:errno=10054
write to 0x2dd5b0 [0x2f4c23] (37 bytes => -1 (0xFFFFFFFF))

其他openssl命令:

openssl s_client -connect yourip:443 -prexit

...在SO site here上找到的确证明,在可接受的证书列表中,名称是Go Daddy Class 2 Certification Authority CA;但是,我没有看到* .myserver.com。由于* .myserver.com链接到Go Daddy Class 2证书颁发机构CA,因此似乎可能是指示by this site here的正常流程。在我的本地PC和服务器上,Go Daddy证书存在于受信任的根文件夹和中间CA文件夹中。

更新 - netsh:

我也尝试过成功执行的netsh http add sslcert certhash= appid= clientcertnegotiation=enable,但没有取得任何成功。

更新到WIRESHARK INFO:

如果我在本地电脑上使用Wireshark查看专门针对服务器的流量(显示过滤器设置为搜索ip.addr或ssl),我根本看不到SSL生成的任何流量。没有客户端或服务器Hello或证书条目。我在前三个SYN,SYN / ACK和ACK数据包中验证了IP地址和端口是正确的值。

当我在服务器上运行Wireshark时,我看不到任何特定来自我的IP地址的SSL流量。但是,如果我直接在服务器上运行Wireshark和我的SSL网站,该网站确实解析,工作并提示输入凭据,但我发现证书id-at-commonName等于不同于我分配给网站的证书( * .myserver.com)这是* .vo.msecnd.net,根据我对微软的Baltimore Cyber​​Trust Root证书的研究而归属。

更新 - 修复证书

按照说明on this site修复证书并排除其有问题。我没有Entrust证书,但底层的说明也一样。

为什么我没有看到客户端Hello?如何解决缺少SSL握手问题?

我曾经尝试解决此问题的一些SO网站包括:

OpenSSL errno 10054,connection refused

OpenSSL: unable to get local issuer certificate

IIS 7.5 site with SSL fails, site without SSL works

决议:

看起来证书修复和设置clientcertnegotiation的组合起了作用,但只有在我重新启动服务器之后。

1 个答案:

答案 0 :(得分:1)

正确的步骤是:

  1. 正确设置IIS SSL绑定

  2. netsh http显示sslcert并复制值

  3. 使用> apply(df, 1, foo_wrapper) Error in record$frobozz : $ operator is invalid for atomic vectors

    4. 删除服务器SSL证书绑定

  4. 添加了netsh http delete sslcert

    5. 的服务器SSL证书绑定

  5. 已验证设置已应用netsh http add sslcert ipport=0.0.0.0:443 certhash=.... appid=.... sslctlstorename=ClientAuthIssuer clientcertnegotiation=enable

  6. (仅限Windows 2012 R2)将netsh http show sslcert设置为1

相关问题
最新问题