由于 ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY,ASP.NET Core 3.0 应用程序无法在 Windows Server 2012 R2 上运行
Col*_*tie 13 c# https network-protocols windows-server-2012-r2 asp.net-core
我使用了一个可用的 ASP.NET Core 2.2 应用程序,将其升级到 3.0,突然该应用程序不再在 Windows Server 2012 中运行。它出现了以下内容:
ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY
铬合金:
火狐:
似乎在我不得不选择加入 HTTP/2 之前,现在它与 HTTP1.1 一起成为默认设置。这里有一个帖子,https://github.com/aspnet/AspNetCore/issues/14350但这完全令人困惑,没有真正的解决方案。
我尝试了各种启用/禁用不安全协议但无济于事。比如https://www.admin-enclave.com/de/articles-by-year/11-data-articles/website_articles/articles/exchange_articles/405-resolved-error-err_spdy_inadequate_transport_security-when-using-google-chome-和-owa.html
由于我认为更好的协议套件,在 Windows 10 上运行良好。但是在 Fiddler 中,我检查了与 Kestrel 谈判时的唯一区别是:
Windows Server 2012 R2:
[0A0A] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[1301] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[1302] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[1303] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C02F] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[C030] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[CCA9] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[CCA8] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
[C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
[009C] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[009D] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[002F] TLS_RSA_AES_128_SHA
[0035] TLS_RSA_AES_256_SHA
[000A] SSL_RSA_WITH_3DES_EDE_SHA
视窗 10:
[3A3A] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[1301] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[1302] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[1303] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C02F] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[C030] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[CCA9] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[CCA8] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
[C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
[009C] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[009D] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[002F] TLS_RSA_AES_128_SHA
[0035] TLS_RSA_AES_256_SHA
[000A] SSL_RSA_WITH_3DES_EDE_SHA
顶线是不同的,但仅此而已。不确定它是什么,它是一些GREASE价值。
程序.cs:
public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.UseKestrel(opts => {
opts.ListenAnyIP(5000);
opts.ListenAnyIP(5001, listenOpts => {
listenOpts.UseHttps(new HttpsConnectionAdapterOptions {
ServerCertificate = new X509Certificate2("certificate-server.pfx", "...")
});
});
opts.Limits.MaxRequestBodySize = null;
})
.UseContentRoot(Directory.GetCurrentDirectory())
.UseStartup<Startup>();
}
更新
感谢@chris-pratt,我似乎走在了正确的轨道上。更改证书密码以ECDSA_nistP256使 Web 应用程序工作。但不幸的是,我正在使用证书来签署 JWT 令牌,现在这被打破了:
System.NotSupportedException: 不支持证书密钥算法。在 System.Security.Cryptography.X509Certificates.PublicKey.get_Key()
签名代码为:
var privateKey = new X509SecurityKey(new X509Certificate2("certificate-server.pfx", "..."));
var token = new JwtSecurityToken(
issuer: "Sentry",
claims: claims,
notBefore: DateTime.Now,
expires: DateTime.Now.AddDays(1),
signingCredentials: new SigningCredentials(privateKey, SecurityAlgorithms.RsaSha256Signature));
return new JwtSecurityTokenHandler().WriteToken(token);
我尝试更改SecurityAlgorithms枚举但没有成功。
Windows 2012 R2 不支持 HTTP/2 允许的密码套件。我假设从 Core 3.0 开始,默认启用 HTTP/2 协议。我通过在 kestrel 中禁用 HTTP/2 解决了我的问题,如下所示:
public static IHostBuilder CreateHostBuilder(string[] args) =>
Host.CreateDefaultBuilder(args).ConfigureWebHostDefaults(webBuilder =>
{
webBuilder.UseKestrel(options =>
{
options.Listen(System.Net.IPAddress.Parse(DomainIp), 80);
options.Listen(System.Net.IPAddress.Parse(DomainIp), 443, l =>
{
l.UseHttps(
DomainCertificateFile,
DomainCertificatePassword);
l.Protocols = Microsoft.AspNetCore.Server.Kestrel.Core.HttpProtocols.Http1;
});
});
webBuilder.UseStaticWebAssets();
webBuilder.UseStartup<Startup>();
});