httpClient.GetAsync抛出异常;证书配置被怀疑

Question

TL;DR version (somewhat)

我有两个尝试通信的服务器（ X 和 Y ），但未通过TLS1.2（TLS1）进行通信.1和TLS1.0都表现正常。）

我的服务器 X 无法获得localhost的回复。

抛出异常的调用是这行代码

HttpResponseMessage response = await httpClient.GetAsync(address, cancel);

其中地址为https://localhost/XXXXX/Identity/.well-known/jwks，取消为IsCancellationRequested = false

我注意到为https://localhost/XXXXX/Identity/.well-known/jwks呈现的服务器证书是有效的，使用RSA256签名，而不是在撤销列表等等，一切看起来都不错，但主题是* .testing .corp ，它与我尝试导航到的网址不匹配。当从服务器 X 上的Chrome导航到https://localhost/XXXXX/Identity/.well-known/jwks时会出现证书警告，但在手动点击后我会得到我期望的结果。

所以我的想法是，如果我可以覆盖HttpClient.GetAsync的证书验证，我应该能够做到这一点，所以我在我的客户端添加以下代码：

var handler = new WebRequestHandler();
httpClient = new HttpClient(handler);
handler.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(dumbvalidationdeletemeishouldnotbeversioned);

public static bool dumbvalidationdeletemeishouldnotbeversioned(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors err)
{
    return true;
}

有趣的一点是，当我走到GetAsync代码行时，一个步骤抛出异常而没有进行虚拟验证。

发生了什么事？为什么这种方法会失败？

更多背景：

编辑：相关， X 正在利用Identity Server尝试进行身份验证。尝试访问https://localhost/XXXXX/Identity/.well-known/jwks

时发生故障

我正在使用IISCrypto配置这些计算机上的协议。 （在评论中考虑@ Oleg＆＃39的建议并没有改变这种行为）。我通过点击＆＃34;最佳实践＆＃34;来配置它们。按钮，然后取消选中TLS1.0和TLS1.1，以便两个服务器看起来像这样：

编辑：添加一些堆栈跟踪信息

在我添加虚拟处理程序之前，这是抛出异常的堆栈跟踪：

System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult)
   --- End of inner exception stack trace ---
   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at XXXXXXXX.Authentication.Extensions.XXXXXXOpenIDConnectAuthentication.<ReadJWTKeys>d__8.MoveNext() 
   --- End of stack trace from previous location where exception was thrown ---         
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)         
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)         
   at XXXXXXX.Authentication.Extensions.XXXXXXOpenIDConnectAuthentication.<MessageRecieved>d__6.MoveNext()  
   --- End of stack trace from previous location where exception was thrown ---    
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)     
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)     
   at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.<AuthenticateCoreAsync>d__1a.MoveNext()

添加虚拟处理程序后，异常完全为空＆lt; - 请参阅注释。异常完全相同，但是当我调试过程时，我的虚拟处理程序中的return语句永远不会被命中，因此我的问题的关键变为＆＃34;还有什么可以检查？＆＃34;

Answer 1

应该添加

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

（来自System.Net名称空间） 调用

之前

await httpClient.GetAsync(address, cancel);

强制使用正确的协议。请参阅{{3}}，其中包含HttpClient和ServicePointManager.SecurityProtocol的详细实验。