即使使用证书也无法创建SSL / TLS安全通道

时间:2016-01-12 14:22:04

标签: .net ssl ssl-certificate

我一直在研究需要将证书发送到Web服务进行身份验证的.Net客户端(4.5 Framework)。我已经阅读并尝试了一些建议,包括Cannot find the certificate in either the LocalMachine store or the CurrentUser store,这似乎与我的问题非常相似,但仍在接收" System.Net.WebException:请求已中止:无法创建SSL / TLS安全通道。 &#34 ;.我一直在我自己的用户帐户下的本地计算机上运行此程序,以及在同一商店中安装了相同证书但具有相同效果的Windows Server 2008 SP2。我还读到某个地方协议可以产生影响所以我也允许通过命令行参数进行配置以在TLS12,TLS11,TLS和SSL3之间切换都会产生相同的错误。

以下是我的代码的摘录,我确认我可以先找到证书

X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
Console.WriteLine("X509 Store: Root/LocalMachine");
store.Open(OpenFlags.ReadOnly | OpenFlags.IncludeArchived);
X509Certificate2 cert = null;
foreach (var c in store.Certificates)
{
    if (!string.IsNullOrEmpty(c.Thumbprint) && 
        c.Thumbprint.ToUpper().Equals(thumbprint))
    {
        cert = c;
        Console.WriteLine("!!! Found certificate !!!, Subject [{0}]", c.Subject);
        break;
    }
}

接下来是创建客户端和调用。

reqClient = new WebServiceClient("HTTPS_Port");
if (reqClient.ClientCredentials != null)
{
    reqClient.ClientCredentials.ClientCertificate.SetCertificate(
        StoreLocation.LocalMachine,
        StoreName.Root,
        X509FindType.FindByThumbprint,
        thumbprint);
    Console.WriteLine("Connecting with protocol [{0}] to [{1}] with certificate [{2}]",
        protocol,
        reqClient.Endpoint.Address,
        reqClient.ClientCredentials.ClientCertificate.Certificate.SubjectName.Name);
    reqClient.SubmitRequest(CreatePmResponseComplex());
    reqClient.Close();
}

配置......

<wsHttpBinding>
  <binding name="ServiceBinding1">
    <security mode="Transport">
      <transport clientCredentialType="Certificate"/>
    </security>
  </binding>
</wsHttpBinding>                    

<endpoint address="https://www.url.com"
        binding="wsHttpBinding"
        bindingConfiguration="ServiceBinding1"
        contract="SubmitRequest"
        name="HTTPS_Port"/> 

最后这是来自跑步的tracelog ......

System.Net Verbose: 0 : [6620] Exiting HttpWebResponse#37251161::GetResponseStream()    -> ConnectStream#41421720
System.Net Information: 0 : [6620] TlsStream#66824994::.ctor(host=blahblah.com, #certs=1)
System.Net Information: 0 : [6620] Associating HttpWebRequest#60068066 with ConnectStream#64554036
System.Net Information: 0 : [6620] HttpWebRequest#60068066 - Request: GET /XISOAPAdapter/MessageServlet?senderParty=&amp;senderService=DWN_DEV_TAS_PIDX_RHINE_000&amp;receiverParty=&amp;receiverService=&amp;interface=PlannedMovement_PIDX_OB&amp;interfaceNamespace=urn%3Abp%3Axi%3Adwn%3Arm%3Apf%3Atasrhine%3Alogistics%3A100 HTTP/1.1

System.Net Information: 0 : [6620] ConnectStream#64554036 - Sending headers
{
Host: blahblah.com:6057
Connection: Keep-Alive
}.
System.Net Information: 0 : [6620] SecureChannel#61494432::.ctor(hostname=blahblah.com, #clientCertificates=1, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [6620] Enumerating security packages:
System.Net Information: 0 : [6620]     Negotiate
System.Net Information: 0 : [6620]     NegoExtender
System.Net Information: 0 : [6620]     Kerberos
System.Net Information: 0 : [6620]     NTLM
System.Net Information: 0 : [6620]     Schannel
System.Net Information: 0 : [6620]     Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [6620]     WDigest
System.Net Information: 0 : [6620]     TSSSP
System.Net Information: 0 : [6620]     pku2u
System.Net Information: 0 : [6620]     CREDSSP
System.Net Information: 0 : [6620] SecureChannel#61494432 - Attempting to restart the session using the user-provided certificate: [Version]
  V3

[Subject]
  CN=blahblah.com, O=Acme Inc., L=Uxbridge, S=NA, C=GB
  Simple Name: blahblah.com
  DNS Name: blahblah.com

[Issuer]
  CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
  Simple Name: Entrust Certification Authority - L1C
  DNS Name: Entrust Certification Authority - L1C

[Serial Number]
  4C228C32

[Not Before]
  3/31/2014 10:39:58 AM

[Not After]
  4/1/2016 5:00:11 AM

[Thumbprint]
  A501A402E2DD69F2A6EE93C84859F198B7D99045

[Signature Algorithm]
  sha1RSA(1.2.840.113549.1.1.5)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: 30 82 01 0a 02 82 01 01 00 af d2 bf da 79 de 34 05 78 69 63 b3 2f f9 6f 90 ea d0 55 4d 6f 73 99 02 f9 e6 4a 53 17 81 02 dd 25 59 c8 f3 19 fa cf 6e ce a5 24 7d 5d 13 a4 22 b3 e8 91 06 2b a2 ee 2f e7 c8 51 63 10 e4 f2 3a 78 12 19 0c 60 65 c4 74 5e e7 49 1f 8e 28 cf 46 1d 4b 7a d8 95 23 96 1d 62 a0 c3 f....
System.Net Information: 0 : [6620] SecureChannel#61494432 - Left with 1 client certificates to choose from.
System.Net Information: 0 : [6620] SecureChannel#61494432 - Trying to find a matching certificate in the certificate store.
System.Net Information: 0 : [6620] SecureChannel#61494432 - Locating the private key for the certificate: [Version]
  V3

[Subject]
  CN=blahblah.com, O=Acme Inc., L=Uxbridge, S=NA, C=GB
  Simple Name: blahblah.com
  DNS Name: blahblah.com

[Issuer]
  CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
  Simple Name: Entrust Certification Authority - L1C
  DNS Name: Entrust Certification Authority - L1C

[Serial Number]
  4C228C32

[Not Before]
  3/31/2014 10:39:58 AM

[Not After]
  4/1/2016 5:00:11 AM

[Thumbprint]
  A501A402E2DD69F2A6EE93C84859F198B7D99045

[Signature Algorithm]
  sha1RSA(1.2.840.113549.1.1.5)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: 30 82 01 0a 02 82 01 01 00 af d2 bf da 79 de 34 05 78 69 63 b3 2f f9 6f 90 ea d0 55 4d 6f 73 99 02 f9 e6 4a 53 17 81 02 dd 25 59 c8 f3 19 fa cf 6e ce a5 24 7d 5d 13 a4 22 b3 e8 91 06 2b a2 ee 2f e7 c8 51 63 10 e4 f2 3a 78 12 19 0c 60 65 c4 74 5e e7 49 1f 8e 28 cf 46 1d 4b 7a d8 95 23 96 1d 62 a0 c3 f....
System.Net Information: 0 : [6620] SecureChannel#61494432 - Cannot find the certificate in either the LocalMachine store or the CurrentUser store.
System.Net Information: 0 : [6620] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [6620] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = blahblah.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [6620] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=127, returned code=ContinueNeeded).
System.Net Information: 0 : [6620] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 72a100:57ba210, targetName = blahblah.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [6620] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=AlgorithmMismatch).
System.Net Error: 0 : [6620] Exception in HttpWebRequest#60068066:: - The request was aborted: Could not create SSL/TLS secure channel..

我只是不了解程序如何找到证书,我在tracelog中看到它的引用,但它从不附加到请求。

1 个答案:

答案 0 :(得分:0)

程序通过以下方式从本地计算机商店附加证书:

reqClient.ClientCredentials.ClientCertificate.SetCertificate(
    StoreLocation.LocalMachine,
    StoreName.Root,
    X509FindType.FindByThumbprint,
    thumbprint);

我正在使用  StoreName.My 正如Richard指出的那样,用户需要访问该证书中的私钥。

technet: how give user permission to a certificate in local machine store

  1. 将证书注册到计算机商店
  2. 为服务在其下运行的用户助手分配私钥读取

要存档2。 当您在“个人”容器中获得证书后,右键单击证书,然后选择“所有任务”->“管理私钥”。您将看到私钥权限编辑器。向用户/网络服务帐户授予读取权限