HttpWebRequest :: GetResponse-请求已中止:无法创建SSL / TLS安全通道
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了HttpWebRequest :: GetResponse-请求已中止:无法创建SSL / TLS安全通道相关的知识,希望对你有一定的参考价值。
请阅读下面的全文。我尝试了所有解决此问题的常用方法。
因此,我运行的.Net 4.5应用程序一直在很长时间内从URL提取数据。但是它突然开始因上述错误而失败:
HttpWebRequest#687191 :: GetResponse-请求被中止:可以 无法创建SSL / TLS安全通道。.
这是示例C#代码,通过它我可以重现错误:
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11;
ServicePointManager.DefaultConnectionLimit = 9999;
ServicePointManager.ServerCertificateValidationCallback = delegate(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors)
return (true);
;
var authHeaderValue = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(string.Format("0:1", "username", "password")));
var request = (HttpWebRequest) HttpWebRequest.Create("url-here");
request.Method = "GET";
request.Headers.Add("Authorization: Basic " + authHeaderValue);
using (HttpWebResponse response = (HttpWebResponse) request.GetResponse())
Stream dataStream = response.GetResponseStream();
StreamReader reader = new StreamReader(dataStream);
var s = reader.ReadToEnd();
reader.Close();
dataStream.Close();
Console.WriteLine(s);
如您所见,上面已经尝试了在ServicePointManager上设置值/忽略证书错误的所有常见解决方案。我仍然收到错误消息,甚至没有命中ServerCertificateValidationCallback。
[我将Fiddler用于HTTPS解密,而Fiddler却给了我这个错误:
System.Security.Authentication.AuthenticationException:对 SSPI失败,请参阅内部异常。 ----> System.ComponentModel.Win32Exception:收到的消息意外或格式错误
我去了跟踪(https://stackoverflow.com/a/12327881/12484),这是跟踪文件的输出:
System.Net Information: 0 : [13160] Current OS installation type is 'Client'.
System.Net Verbose: 0 : [13160] WebRequest::Create(url-here)
System.Net Verbose: 0 : [13160] HttpWebRequest#687191::HttpWebRequest(url-here)
System.Net Information: 0 : [13160] RAS supported: True
System.Net Verbose: 0 : [13160] Exiting HttpWebRequest#687191::HttpWebRequest()
System.Net Verbose: 0 : [13160] Exiting WebRequest::Create() -> HttpWebRequest#687191
System.Net Verbose: 0 : [13160] HttpWebRequest#687191::GetResponse()
System.Net Verbose: 0 : [13160] ServicePoint#49385318::ServicePoint(domain-here:443)
System.Net Information: 0 : [13160] Associating HttpWebRequest#687191 with ServicePoint#49385318
System.Net Information: 0 : [13160] Associating Connection#7746814 with HttpWebRequest#687191
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Socket(AddressFamily#2)
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Socket()
System.Net.Sockets Verbose: 0 : [13160] Socket#50934842::Socket(AddressFamily#23)
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#50934842::Socket()
System.Net.Sockets Verbose: 0 : [13160] DNS::TryInternalResolve(domain-here)
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Connect(server-ip-here:443#1466373584)
System.Net.Sockets Information: 0 : [13160] Socket#13062350 - Created connection from client-ip-here:11043 to server-ip-here:443.
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Connect()
System.Net.Sockets Verbose: 0 : [13160] Socket#50934842::Close()
System.Net.Sockets Verbose: 0 : [13160] Socket#50934842::Dispose()
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#50934842::Close()
System.Net Information: 0 : [13160] Connection#7746814 - Created connection from client-ip-here:11043 to server-ip-here:443.
System.Net Information: 0 : [13160] TlsStream#10366524::.ctor(host=domain-here, #certs=0)
System.Net Information: 0 : [13160] Associating HttpWebRequest#687191 with ConnectStream#63840421
System.Net Information: 0 : [13160] HttpWebRequest#687191 - Request: GET relative-url-here HTTP/1.1
System.Net Information: 0 : [13160] ConnectStream#63840421 - Sending headers
Authorization: Basic credentials-here
Host: domain-here
Connection: Keep-Alive
.
System.Net Information: 0 : [13160] SecureChannel#54246671::.ctor(hostname=domain-here, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [13160] Enumerating security packages:
System.Net Information: 0 : [13160] Negotiate
System.Net Information: 0 : [13160] NegoExtender
System.Net Information: 0 : [13160] Kerberos
System.Net Information: 0 : [13160] NTLM
System.Net Information: 0 : [13160] Schannel
System.Net Information: 0 : [13160] Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [13160] WDigest
System.Net Information: 0 : [13160] TSSSP
System.Net Information: 0 : [13160] pku2u
System.Net Information: 0 : [13160] CREDSSP
System.Net Information: 0 : [13160] SecureChannel#54246671 - Left with 0 client certificates to choose from.
System.Net Information: 0 : [13160] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Information: 0 : [13160] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = domain-here, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [13160] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=184, returned code=ContinueNeeded).
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Send()
System.Net.Sockets Verbose: 0 : [13160] Data from Socket#13062350::Send
System.Net.Sockets Verbose: 0 : [13160] 00000000 : 16 03 03 00 B3 01 00 00-AF 03 03 5E D9 42 A7 54 : ...........^.B.T
System.Net.Sockets Verbose: 0 : [13160] 00000010 : CD 34 00 7C 31 C9 2F 75-E7 DE A6 9E E8 D7 B5 74 : .4.|1./u.......t
System.Net.Sockets Verbose: 0 : [13160] 00000020 : 3C CB 7E B3 84 D8 1A 22-69 79 B3 00 00 38 C0 28 : <.~...."iy...8.(
System.Net.Sockets Verbose: 0 : [13160] 00000030 : C0 27 C0 14 C0 13 00 9F-00 9E 00 39 00 33 00 9D : .'.........9.3..
System.Net.Sockets Verbose: 0 : [13160] 00000040 : 00 9C 00 3D 00 3C 00 35-00 2F C0 2C C0 2B C0 24 : ...=.<.5./.,.+.$
System.Net.Sockets Verbose: 0 : [13160] 00000050 : C0 23 C0 0A C0 09 00 6A-00 40 00 38 00 32 00 0A : .#.....j.@.8.2..
System.Net.Sockets Verbose: 0 : [13160] 00000060 : 00 13 00 05 00 04 01 00-00 4E 00 00 00 19 00 17 : .........N......
System.Net.Sockets Verbose: 0 : [13160] 00000070 : 00 00 14 61 6D 61 74 72-61 76 65 6C 2E 74 73 74 : ...domain-here
System.Net.Sockets Verbose: 0 : [13160] 00000080 : 6C 6C 63 2E 6E 65 74 00-0A 00 06 00 04 00 17 00 : domain-here.........
System.Net.Sockets Verbose: 0 : [13160] 00000090 : 18 00 0B 00 02 01 00 00-0D 00 14 00 12 06 01 06 : ................
System.Net.Sockets Verbose: 0 : [13160] 000000A0 : 03 04 01 05 01 02 01 04-03 05 03 02 03 02 02 00 : ................
System.Net.Sockets Verbose: 0 : [13160] 000000B0 : 17 00 00 FF 01 00 01 00- : ........
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Send() -> Int32#184
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Receive()
System.Net.Sockets Verbose: 0 : [13160] Data from Socket#13062350::Receive
System.Net.Sockets Verbose: 0 : [13160] 00000000 : 15 03 03 00 02 : .....
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Receive() -> Int32#5
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Receive()
System.Net.Sockets Verbose: 0 : [13160] Data from Socket#13062350::Receive
System.Net.Sockets Verbose: 0 : [13160] 00000005 : 02 28 : .(
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Receive() -> Int32#2
System.Net Information: 0 : [13160] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 51ccc0:5827200, targetName = domain-here, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [13160] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Dispose()
System.Net Error: 0 : [13160] Exception in HttpWebRequest#687191:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [13160] Exception in HttpWebRequest#687191::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..
我替换了上面跟踪中的服务器和客户端敏感信息(任何以-here结尾的信息,但其他跟踪信息未损坏。
我仍然无法弄清楚跟踪中出了什么问题以及为什么这个URL(使用HTTPS)无法用我的.Net代码打开。
有人可以帮我解决这个问题吗?
调试信息包含客户端通过TLS握手发送的ClientHello。基于此,服务器是amatravel.tstllc.net
,其中according to SSLLabs支持以下很少的密码:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) ECDH x25519 (eq. 3072 bits RSA) FS 256
[所有这些密码均以TLS_ECDHE_RSA_
开头,即具有ECDHE密钥交换的RSA证书。但是对ClientHello进行解码表明,客户端仅宣布支持以下密码:
Cipher Suites (28 suites)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
快速查看将发现以TLS_ECDHE_RSA_
开头的4个密码均与服务器支持的密码都不匹配。因此,由于没有共享密码,握手将失败。
但是突然开始失败...
假设您的应用程序未进行任何更改,则可能已对服务器进行了更改。服务器支持的密码集非常小,因此也许有人试图加固服务器,却没有意识到某些客户端不支持这几种密码中的任何一种。
但是您的客户支持的密码集也很奇怪。虽然您支持TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
,但不支持TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
,即相同的密码,但用于RSA证书而不是ECC证书。服务器实际上将支持后一种密码。
以上是关于HttpWebRequest :: GetResponse-请求已中止:无法创建SSL / TLS安全通道的主要内容,如果未能解决你的问题,请参考以下文章