那些遇到过的问题

无法连接到仅使用临时密码套件的SSL服务器(无法联系本地安全机构)

sav*_*Bum 3 c# ssl sspi schannel

我正在尝试连接到以openssl开头的测试服务器(这个有限的密码组合是有意的):

openssl s_server -accept 443 -www -tls1_2 -cipher ECDHE:DHE:EDH -cert selfsignedcert.pem -key sskey.pem
Run Code Online (Sandbox Code Playgroud)

我使用的代码类似于msdn的代码 

public static bool ValidateServerCertificate(
      object sender,
      X509Certificate certificate,
      X509Chain chain,
      SslPolicyErrors sslPolicyErrors)
{
        return true;
}

...

var client = new TcpClient(target, port);
SslStream sslStream = new SslStream(client.GetStream(), false,ValidateServerCertificate,null);
sslStream.AuthenticateAsClient(target, null, SslProtocols.Tls12, false);
Run Code Online (Sandbox Code Playgroud)

但是我在最后一行得到一个例外:A call to SSPI failed, see inner exception.内部异常说:The Local Security Authority cannot be contacted.通过查看wireshark,我可以说TLS握手结束Server Hello, Certificate, Server Key Exchange, Server Hello Done并且选择的密码套件是TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f).

我可以使用Firefox访问该URL,但不能使用IE(它只是说"此页面无法显示"),因此它看起来像schannel问题.

当我用所有密码套件(-cipher ALL)启动服务器时,一切正常(IE和代码).有没有办法让它工作而不修改服务器的配置?

Stacktrace以防万一

    at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
Run Code Online (Sandbox Code Playgroud)

我正在使用带有最新更新的Windows 8.1.

sav*_*Bum 6

我已设法使用Windows注册表设置schannel的最小密钥长度.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ClientMinKeyBitLength"=dword:00000200
Run Code Online (Sandbox Code Playgroud)

但它不是理想的解决方案,因为它改变了整个系统的设置,我想暂时设置它,只在我的应用程序范围内.

归档时间:

查看次数:

10972 次

最近记录:

10 年,3 月 前
相关归档
加载自定义配置文件 115
C#如何检查URL是否存在/是否有效? 111
C#中的私有内部类 - 为什么不经常使用它们? 74
在代码中设置边距属性 73
ObservableCollection和Item PropertyChanged 47
从C#类型变量初始化通用变量 42
在.NET中有效地合并字符串数组,保持不同的值 39
就像在Lambda Expression和LINQ中一样 39
OS X 10.7上的"SSL错误代码-1/1/336032856"的握手失败 7
mitmproxy和ec2-api-tools 2
难疑归档
为什么处理排序数组比处理未排序数组更快? 23665
你如何获得JavaScript的时间戳? 3844
如何在特定索引(JavaScript)的数组中插入项? 2709
在git中推送提交时,src refspec master与any不匹配 2472
如何在不重新加载页面的情况下修改URL? 2221
如何让Git忽略文件模式(chmod)的变化? 2188
如何格式化JavaScript日期 1945
Node.js module.exports的目的是什么,你如何使用它? 1397
虚拟成员在构造函数中调用 1270
从Docker容器内部,如何连接到本机的本地主机? 1176