我在SO上看到的关于这个主题的类似问题很少,但似乎没有一个答案确实有助于解决它。
我需要通过证书身份验证来访问客户网络服务。在提示时选择正确的证书后,使用SoapUI和chrome可以正常工作。但我无法通过IE,WCF客户端,而不是我自己的服务,也无法使用WcfTestClient。 操作系统是Windows服务器2012 R2,协议TLS 1.2
我一直在调查事件,tracelogs,也花了很长时间分析wireshark捕获,但我被卡住了。这就是我所拥有的
事件记录:
生成致命警报并将其发送到远程端点。这可能导致连接终止。 TLS协议定义的致命错误代码为10. Windows SChannel错误状态为12。
跟踪日志:
我将省略非有趣的部分并仅显示相关部分。
System.Net Information: 0 : [12208] Connection#11144211 - Created connection
from 192.168.3.13:53514 to 145.119.167.109:443.
System.Net Information: 0 : [12208] TlsStream#3957675::.ctor(host=aaa.bbb.eu, #certs=1)
System.Net Information: 0 : [12208] Associating HttpWebRequest#37368736 with ConnectStream#35619075
.
.
.
System.Net Information: 0 : [12208]
SecureChannel#52136226::.ctor(hostname=aaa.bbb.eu, #clientCertificates=1, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [12208] Enumerating security packages:
System.Net Information: 0 : [12208] Negotiate
System.Net Information: 0 : [12208] NegoExtender
System.Net Information: 0 : [12208] Kerberos
System.Net Information: 0 : [12208] NTLM
System.Net Information: 0 : [12208] TSSSP
System.Net Information: 0 : [12208] pku2u
System.Net Information: 0 : [12208] WDigest
System.Net Information: 0 : [12208] Schannel
System.Net Information: 0 : [12208] Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [12208] CREDSSP
System.Net Information: 0 : [12208] SecureChannel#52136226 - Attempting to restart the session using the user-provided certificate: [HERE GOES DATA ABOUT CERTIFICATE]
.
.
.
System.Net Information: 0 : [12208] SecureChannel#52136226 - Left with 1 client certificates to choose from.
System.Net Information: 0 : [12208] SecureChannel#52136226 - Trying to find a matching certificate in the certificate store.
System.Net Information: 0 : [12208] SecureChannel#52136226 - Locating the private key for the certificate: [HERE GOES DATA ABOUT CERTIFICATE]
.
.
.
System.Net Information: 0 : [12208] SecureChannel#52136226 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [12208] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Information: 0 : [12208] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = aaa.bbb.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [12208] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=161, returned code=ContinueNeeded).
然后是一些收到的消息,带
System.Net.Sockets Verbose: 0 : [12208] Exiting Socket#33189039::Receive() -> Int32#2516
System.Net Information: 0 : [12208] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = cb00f8:7980678, targetName = aaa.bbb.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [12208] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net.Sockets Verbose: 0 : [12208] Socket#33189039::Receive()
System.Net.Sockets Verbose: 0 : [12208] Data from Socket#33189039::Receive
System.Net.Sockets Verbose: 0 : [12208] Exiting Socket#33189039::Receive() -> Int32#2839
System.Net Information: 0 : [12208] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = cb00f8:7980678, targetName = aaa.bbb.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [12208] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
System.Net.Sockets Verbose: 0 : [12208] Socket#33189039::Dispose()
System.Net Error: 0 : [12208] Exception in HttpWebRequest#37368736:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [12208] Exception in HttpWebRequest#37368736::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..
所以,显然,我有足够的权利成功阅读和使用提供的客户端证书(这对Chrome和SoapUI来说很好)。 通过Wireshark检查网络流时,会出现Client Hello和Server Hello,然后是Certificate和Server Key Exchange消息。然后很多可能没有正确解码来自服务器的数据包(由Wireshark标记为加密握手消息,从内容看起来像一些证书),最后来自我的客户端的ACK RST数据包。
任何可能导致这种情况的想法都将受到高度赞赏。
编辑:添加了客户端代码和配置
客户代码:
ServicePointManager.SetTcpKeepAlive(true, 10000, 1000);
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
try
{
client = new IncidentBrokerPortTypeClient("gms_endpoint");
client.EchoRequest(new EchoRequest());
}
catch (Exception ex)
{
MessageBox.Show(ex.Message + Environment.NewLine + ex.InnerException);
}
配置:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
</startup>
<system.serviceModel>
<bindings>
<basicHttpsBinding>
<binding name="HttpsBasicBinding">
<security mode="Transport" >
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpsBinding>
</bindings>
<client>
<endpoint
name ="gms_endpoint"
address="https://aaa.bbb.eu/"
binding="basicHttpsBinding"
bindingConfiguration="HttpsBasicBinding"
contract="SomeNamespace.IncidentBrokerPortType"
behaviorConfiguration="GmsBehavior"
/>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="GmsBehavior">
<clientCredentials>
<clientCertificate x509FindType="FindByThumbprint"
findValue="5c1dd5c93d1854cb2d698451e1d2a78a3d94dcb0"
storeLocation="LocalMachine"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
答案 0 :(得分:0)
也许在客户端配置中添加诊断功能会有所帮助,如下所示:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
</startup>
<!--diagnostics traces will be found in Web_messages.svclog file and Web_tracelog.svclog file-->
<system.diagnostics>
<sources>
<source name="System.ServiceModel.MessageLogging" switchValue="Warning, ActivityTracing">
<listeners>
<add type="System.Diagnostics.DefaultTraceListener" name="Default">
<filter type="" />
</add>
<add name="ServiceModelMessageLoggingListener">
<filter type="" />
</add>
</listeners>
</source>
<source name="System.ServiceModel" switchValue="Warning,ActivityTracing"
propagateActivity="true">
<listeners>
<add type="System.Diagnostics.DefaultTraceListener" name="Default">
<filter type="" />
</add>
<add name="ServiceModelTraceListener">
<filter type="" />
</add>
</listeners>
</source>
</sources>
<sharedListeners>
<add initializeData="Web_messages.svclog" type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
name="ServiceModelMessageLoggingListener" traceOutputOptions="Timestamp">
<filter type="" />
</add>
<add initializeData="Web_tracelog.svclog" type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
name="ServiceModelTraceListener" traceOutputOptions="Timestamp">
<filter type="" />
</add>
</sharedListeners>
<trace autoflush="true" />
</system.diagnostics>
<system.serviceModel>
<!--Enable diagnostics to record wcf communication-->
<diagnostics wmiProviderEnabled="true">
<messageLogging logEntireMessage="true" logMalformedMessages="true" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" />
</diagnostics>
<bindings>
<basicHttpsBinding>
<binding name="HttpsBasicBinding">
<security mode="Transport" >
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpsBinding>
</bindings>
<client>
<endpoint
name ="gms_endpoint"
address="https://aaa.bbb.eu/"
binding="basicHttpsBinding"
bindingConfiguration="HttpsBasicBinding"
contract="SomeNamespace.IncidentBrokerPortType"
behaviorConfiguration="GmsBehavior"
/>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="GmsBehavior">
<clientCredentials>
<clientCertificate x509FindType="FindByThumbprint"
findValue="5c1dd5c93d1854cb2d698451e1d2a78a3d94dcb0"
storeLocation="LocalMachine"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
答案 1 :(得分:0)
我们遇到了一个问题,该问题导致在堆栈跟踪末尾出现相同的IllegalMessage。对我们来说,事实证明,我们的域上有一个组策略更新,它禁用了较早和较弱的SSL和TLS协议。默认情况下,未启用更强的加密,从而导致握手失败。我们的解决方法是将两个条目添加到报告错误的服务器的注册表中:
Windows注册表编辑器5.00版
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ .NETFramework \ v4.0.30319] “ SchUseStrongCrypto” = dword:00000001
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Wow6432Node \ Microsoft \ .NETFramework \ v4.0.30319] “ SchUseStrongCrypto” = dword:00000001