WCF REST API over HTTPS hosted on W2008R2 works from W7 but not from W10

Time: 2016-02-10 10:04:54

Tags: c# wcf rest ssl tls1.2

I have a self-hosted REST API with a self-signed certificate, hosted on W2008R2. Calling this API from W7 with the following code works perfectly.

// Force TLS 1.2 for every outgoing connection in this process
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
// Custom validation, needed because the server certificate is self-signed
ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertficate;

var request = (HttpWebRequest)WebRequest.Create(url);
request.Method = verb;
request.ContentType = "application/json";
request.Headers.Add("PlatformId", platformId);

// Only write a body when there is one (GET requests pass bytes == null)
if (bytes != null)
{
    using (var requestStream = request.GetRequestStream())
    {
        requestStream.Write(bytes, 0, bytes.Length);
        requestStream.Flush();
    }
}

var response = request.GetResponse();

Calling the API with a REST API client plugin for Chrome from any W10 machine also works.

But calling from any W10 machine (using exactly the same client code) fails.

I enabled tracing on both client machines. From the working W7 client machine:

System.Net Information: 0 : [10748] Connection#10366524 - Conexión desde 192.168.2.100:57610 a xx.xx.xx.xx:9095 creada.
System.Net Information: 0 : [10748] TlsStream#25181126::.ctor(host=xx.xx.xx.xx, #certs=0)
System.Net Information: 0 : [10748] Associating HttpWebRequest#7746814 with ConnectStream#59408853
System.Net Information: 0 : [10748] HttpWebRequest#7746814 - Request: GET /AvelonRMSExternalPlatformRestService/Countries HTTP/1.1

System.Net Information: 0 : [10748] ConnectStream#59408853 - Enviando encabezados
{
Content-Type: application/json
PlatformId: 03986D31-4F8A-4527-8AF5-A40030B4A4E8
Host: xx.xx.xx.xx:9095
Connection: Keep-Alive
}.
System.Net Information: 0 : [10748] SecureChannel#56152722::.ctor(hostname=xx.xx.xx.xx, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [10748] Enumerando paquetes de seguridad:
System.Net Information: 0 : [10748]     Negotiate
System.Net Information: 0 : [10748]     NegoExtender
System.Net Information: 0 : [10748]     Kerberos
System.Net Information: 0 : [10748]     NTLM
System.Net Information: 0 : [10748]     Schannel
System.Net Information: 0 : [10748]     Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [10748]     WDigest
System.Net Information: 0 : [10748]     TSSSP
System.Net Information: 0 : [10748]     pku2u
System.Net Information: 0 : [10748]     MSOIDSSP
System.Net Information: 0 : [10748]     CREDSSP
System.Net Information: 0 : [10748] SecureChannel#56152722 - Con 0 certificados de cliente entre los que elegir.
System.Net Information: 0 : [10748] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [10748] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = xx.xx.xx.xx, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [10748] InitializeSecurityContext(Longitud de In-Buffer=0, Longitud de Out-Buffer=149, código devuelto=ContinueNeeded).
System.Net.Sockets Verbose: 0 : [10748] Socket#63840421::Send()
System.Net.Sockets Verbose: 0 : [10748] Data from Socket#63840421::Send
System.Net.Sockets Verbose: 0 : [10748] 00000000 : 16 03 03 00 90 01 00 00-8C 03 03 56 BA F6 5A E2 : ...........V..Z.
System.Net.Sockets Verbose: 0 : [10748] 00000010 : 76 DE 3D 52 7E CF 87 55-C2 40 E5 27 D1 31 E2 B7 : v.=R~..U.@.'.1..
System.Net.Sockets Verbose: 0 : [10748] 00000020 : 00 74 13 AA 2B 18 33 E4-F5 A5 E0 00 00 34 C0 28 : .t..+.3......4.(
System.Net.Sockets Verbose: 0 : [10748] 00000030 : C0 27 C0 14 C0 13 00 9F-00 9E 00 9D 00 9C C0 2C : .'.............,
System.Net.Sockets Verbose: 0 : [10748] 00000040 : C0 2B C0 24 C0 23 C0 0A-C0 09 00 3D 00 3C 00 35 : .+.$.#.....=.<.5
System.Net.Sockets Verbose: 0 : [10748] 00000050 : 00 2F 00 6A 00 40 00 38-00 32 00 0A 00 13 00 05 : ./.j.@.8.2......
System.Net.Sockets Verbose: 0 : [10748] 00000060 : 00 04 01 00 00 2F 00 0A-00 08 00 06 00 17 00 18 : ...../..........
System.Net.Sockets Verbose: 0 : [10748] 00000070 : 00 19 00 0B 00 02 01 00-00 0D 00 14 00 12 06 01 : ................
System.Net.Sockets Verbose: 0 : [10748] 00000080 : 06 03 04 01 05 01 02 01-04 03 05 03 02 03 02 02 : ................
System.Net.Sockets Verbose: 0 : [10748] 00000090 : FF 01 00 01 00                                  : .....
System.Net.Sockets Verbose: 0 : [10748] Exiting Socket#63840421::Send()     -> Int32#149
System.Net.Sockets Verbose: 0 : [10748] Socket#63840421::Receive()
System.Net.Sockets Verbose: 0 : [10748] Data from Socket#63840421::Receive
System.Net.Sockets Verbose: 0 : [10748] 00000000 : 16 03 03 0A BC                                  : .....
System.Net.Sockets Verbose: 0 : [10748] Exiting Socket#63840421::Receive()  -> Int32#5
System.Net.Sockets Verbose: 0 : [10748] Socket#63840421::Receive()
System.Net.Sockets Verbose: 0 : [10748] Data from Socket#63840421::Receive
System.Net.Sockets Verbose: 0 : [10748] 00000005 : 02 00 00 4D 03 03 56 BA-F6 8B EB 92 55 E1 4E A7 : ...M..V.....U.N.
System.Net.Sockets Verbose: 0 : [10748] 00000015 : 04 9A DB 53 EC 79 D6 72-65 5D 6E E3 0C 00 7D 37 : ...S.y.re]n...}7
System.Net.Sockets Verbose: 0 : [10748] 00000025 : 18 DD 26 D3 2D 05 20 09-11 00 00 F3 5B 63 C1 EC : ..&.-. .....[c..
[DELETED LINES OF DATA]
System.Net.Sockets Verbose: 0 : [10748] 00000AC0 : 00                                              : .
System.Net.Sockets Verbose: 0 : [10748] Exiting Socket#63840421::Receive()  -> Int32#1393
System.Net Information: 0 : [10748] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 845ab0:4f91430, targetName = xx.xx.xx.xx, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [10748] InitializeSecurityContext(Número de In-Buffers=2, Longitud de Out-Buffer=0, código devuelto=CredentialsNeeded).
System.Net Information: 0 : [10748] SecureChannel#56152722 - Con 0 certificados de cliente entre los que elegir.
System.Net Information: 0 : [10748] Utilizando el identificador de credencial almacenado en caché.
System.Net Information: 0 : [10748] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 845ab0:4f91430, targetName = xx.xx.xx.xx, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [10748] InitializeSecurityContext(Número de In-Buffers=2, Longitud de Out-Buffer=173, código devuelto=ContinueNeeded).
[DELETED REST OF LOG]

From the failing W10 client machine:

System.Net Information: 0 : [7852] Connection#31523018 - Conexión desde 192.168.1.35:53781 a xx.xx.xx.xx:9095 creada.
System.Net Information: 0 : [7852] TlsStream#15586314::.ctor(host=xx.xx.xx.xx, #certs=0)
System.Net Information: 0 : [7852] Associating HttpWebRequest#62955487 with ConnectStream#35059110
System.Net Information: 0 : [7852] HttpWebRequest#62955487 - Request: GET /AvelonRMSExternalPlatformRestService/Countries HTTP/1.1

System.Net Information: 0 : [7852] ConnectStream#35059110 - Enviando encabezados
{
Content-Type: application/json
PlatformId: 03986D31-4F8A-4527-8AF5-A40030B4A4E8
Host: xx.xx.xx.xx:9095
Connection: Keep-Alive
}.
System.Net Information: 0 : [7852] SecureChannel#28137373::.ctor(hostname=xx.xx.xx.xx, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [7852] Enumerando paquetes de seguridad:
System.Net Information: 0 : [7852]     Negotiate
System.Net Information: 0 : [7852]     NegoExtender
System.Net Information: 0 : [7852]     Kerberos
System.Net Information: 0 : [7852]     NTLM
System.Net Information: 0 : [7852]     TSSSP
System.Net Information: 0 : [7852]     pku2u
System.Net Information: 0 : [7852]     WDigest
System.Net Information: 0 : [7852]     Schannel
System.Net Information: 0 : [7852]     Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [7852]     CloudAP
System.Net Information: 0 : [7852]     CREDSSP
System.Net Information: 0 : [7852] SecureChannel#28137373 - Con 0 certificados de cliente entre los que elegir.
System.Net Information: 0 : [7852] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [7852] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = xx.xx.xx.xx, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [7852] InitializeSecurityContext(Longitud de In-Buffer=0, Longitud de Out-Buffer=155, código devuelto=ContinueNeeded).
System.Net.Sockets Verbose: 0 : [7852] Socket#17375337::Send()
System.Net.Sockets Verbose: 0 : [7852] Data from Socket#17375337::Send
System.Net.Sockets Verbose: 0 : [7852] 00000000 : 16 03 03 00 96 01 00 00-92 03 03 56 BA F5 B5 96 : ...........V....
System.Net.Sockets Verbose: 0 : [7852] 00000010 : 5D 49 B9 74 F0 A9 25 16-80 FD 00 2F 53 A6 F1 10 : ]I.t..%..../S...
System.Net.Sockets Verbose: 0 : [7852] 00000020 : 92 E0 5B 60 A8 6C C2 CF-26 C3 80 00 00 38 C0 30 : ..[`.l..&....8.0
System.Net.Sockets Verbose: 0 : [7852] 00000030 : C0 2F C0 28 C0 27 C0 14-C0 13 00 9F 00 9E 00 9D : ./.(.'..........
System.Net.Sockets Verbose: 0 : [7852] 00000040 : 00 9C 00 3D 00 3C 00 35-00 2F C0 2C C0 2B C0 24 : ...=.<.5./.,.+.$
System.Net.Sockets Verbose: 0 : [7852] 00000050 : C0 23 C0 0A C0 09 00 6A-00 40 00 38 00 32 00 0A : .#.....j.@.8.2..
System.Net.Sockets Verbose: 0 : [7852] 00000060 : 00 13 00 05 00 04 01 00-00 31 00 0A 00 06 00 04 : .........1......
System.Net.Sockets Verbose: 0 : [7852] 00000070 : 00 17 00 18 00 0B 00 02-01 00 00 0D 00 14 00 12 : ................
System.Net.Sockets Verbose: 0 : [7852] 00000080 : 04 01 05 01 02 01 04 03-05 03 02 03 02 02 06 01 : ................
System.Net.Sockets Verbose: 0 : [7852] 00000090 : 06 03 00 23 00 00 FF 01-00 01 00                : ...#.......
System.Net.Sockets Verbose: 0 : [7852] Exiting Socket#17375337::Send()  -> Int32#155
System.Net.Sockets Verbose: 0 : [7852] Socket#17375337::Receive()
System.Net.Sockets Verbose: 0 : [7852] Data from Socket#17375337::Receive
System.Net.Sockets Verbose: 0 : [7852] 00000000 : 16 03 03 0A BC                                  : .....
System.Net.Sockets Verbose: 0 : [7852] Exiting Socket#17375337::Receive()   -> Int32#5
System.Net.Sockets Verbose: 0 : [7852] Socket#17375337::Receive()
System.Net.Sockets Verbose: 0 : [7852] Data from Socket#17375337::Receive
System.Net.Sockets Verbose: 0 : [7852] 00000005 : 02 00 00 4D 03 03 56 BA-F5 B7 5B 2C B9 AF C3 88 : ...M..V...[,....
System.Net.Sockets Verbose: 0 : [7852] 00000015 : 63 FA 0E EA CF A1 B4 E8-29 E4 8F 3A 51 06 0C 16 : c.......)..:Q...
System.Net.Sockets Verbose: 0 : [7852] 00000025 : F6 B6 A8 5A 0D 24 20 0B-03 00 00 3E 87 1B B9 B9 : ...Z.$ ....>....
[DELETED LINES OF DATA]
System.Net.Sockets Verbose: 0 : [7852] 00000AC0 : 00                                              : .
System.Net.Sockets Verbose: 0 : [7852] Exiting Socket#17375337::Receive()   -> Int32#1313
System.Net Information: 0 : [7852] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = fab233c920:e654e74680, targetName = xx.xx.xx.xx, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [7852] InitializeSecurityContext(Número de In-Buffers=2, Longitud de Out-Buffer=0, código devuelto=InternalError).
System.Net.Sockets Verbose: 0 : [7852] Socket#17375337::Dispose()
System.Net Error: 0 : [7852] Excepción en HttpWebRequest#62955487:: - Anulada la solicitud: No se puede crear un canal seguro SSL/TLS..
System.Net Error: 0 : [7852] Excepción en HttpWebRequest#62955487::GetResponse - Anulada la solicitud: No se puede crear un canal seguro SSL/TLS..
[NO MORE LOGGING AVAILABLE]

ClientHello and ServerHello complete, but on W10 the second call to InitializeSecurityContext fails with an internal error, whereas on the working W7 machine it returns CredentialsNeeded:

InitializeSecurityContext(Número de In-Buffers=2, Longitud de Out-Buffer=0, código devuelto=InternalError).

In the Windows event log I see the following:

The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 813

It seems the handshake fails on W10.

I don't know how to proceed from here. Has anyone run into this problem? Is there additional logging I can enable?

Things I have already tried:

  • I am working with .NET 4.5.2 on both server and client. I also tried the client under .NET 4
  • I tried forcing TLS 1.0 and TLS 1.1
  • I tried running the client app with administrator rights
  • I updated (Windows Update) both systems

Exactly the same setup on a W2012R2 server works fine from W10. The problem occurs when I host on the 2008R2 server.

Thanks in advance, Joaquín

1 answer:

Answer 0 (score: 0)

Finally found the problem. I was using a self-signed SHA256 certificate with a 512-bit key length. It seems W10 no longer supports such a short key length. I generated a new certificate with a 2048-bit key length and everything started working.
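An added example, not part of the question or the answer, for anyone reading System.Net socket dumps like the ones above: a stdlib-only Python parser fed the two captured ClientHello records from the question, so the cipher suites, extensions and curves each client offered can be compared straight from the trace. It only characterises the two handshakes; the root cause, per the answer, was the 512-bit server key, which a ClientHello does not reveal.

```python
import struct

# ClientHello bytes copied from the two System.Net dumps in the question (W7: 149 bytes, W10: 155 bytes)
W7_HELLO = bytes.fromhex(
    "16030300900100008c030356baf65ae276de3d527ecf8755c240e527d131e2b7"
    "007413aa2b1833e4f5a5e0000034c028c027c014c013009f009e009d009cc02c"
    "c02bc024c023c00ac009003d003c0035002f006a004000380032000a00130005"
    "00040100002f000a00080006001700180019000b00020100000d001400120601"
    "06030401050102010403050302030202ff01000100")
W10_HELLO = bytes.fromhex(
    "160303009601000092030356baf5b5965d49b974f0a9251680fd002f53a6f110"
    "92e05b60a86cc2cf26c380000038c030c02fc028c027c014c013009f009e009d"
    "009c003d003c0035002fc02cc02bc024c023c00ac009006a004000380032000a"
    "00130005000401000031000a0006000400170018000b00020100000d00140012"
    "04010501020104030503020302020601060300230000ff01000100")

def parse_client_hello(raw):
    """Version, offered cipher suites and extensions of a ClientHello carried in one TLS record."""
    if raw[0] != 0x16 or raw[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(raw[6:9], "big")    # 3-byte handshake length
    h = raw[9:9 + hs_len]                       # ClientHello body
    version = "%d.%d" % (h[0], h[1])            # 3.3 means TLS 1.2
    pos = 2 + 32                                # skip the 32-byte client random
    pos += 1 + h[pos]                           # session id (length-prefixed)
    cs_len = struct.unpack("!H", h[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", h[pos + i:pos + i + 2])[0]
              for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + h[pos]                           # compression methods
    exts = {}
    if pos < len(h):                            # extensions block is optional
        end = pos + 2 + struct.unpack("!H", h[pos:pos + 2])[0]; pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", h[pos:pos + 4])
            exts[etype] = h[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    return {"version": version, "suites": suites, "extensions": exts}

def supported_groups(hello):
    """Named curves from the supported_groups (elliptic_curves, 0x000A) extension, in offered order."""
    body = hello["extensions"].get(0x000A, b"")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(2, len(body), 2)]

def diff_hellos(a, b):
    """Cipher suites and extension types that differ between two parsed ClientHellos."""
    return {"suites_only_in_b": sorted(set(b["suites"]) - set(a["suites"])),
            "suites_only_in_a": sorted(set(a["suites"]) - set(b["suites"])),
            "exts_only_in_b": sorted(set(b["extensions"]) - set(a["extensions"]))}
```

On the captures above it reports that the W10 client additionally offers the ECDHE_RSA AES-GCM suites 0xC030 and 0xC02F plus the session_ticket extension (0x0023), and no longer lists curve 0x0019 (secp521r1).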