为啥红隼一直抛出这个调试 ssl 异常?

Posted

技术标签:

【中文标题】为啥红隼一直抛出这个调试 ssl 异常?【英文标题】:Why does kestrel keep throwing this debug ssl exception?为什么红隼一直抛出这个调试 ssl 异常? 【发布时间】:2020-01-02 17:44:25 【问题描述】:

我有一个 Service Fabric 设置,我有一个在端口 443 上注册并使用 https 的微服务。我的集群设置中有一个反向代理。反向代理由证书保护。

我在启动微服务时也使用相同的证书:

 new ServiceInstanceListener(serviceContext =>
                new KestrelCommunicationListener(serviceContext, "EndpointHttps", (url, listener) =>
                
                    ServiceEventSource.Current.ServiceMessage(serviceContext, $"Starting Kestrel on url");

                    return new WebHostBuilder()
                                .UseKestrel(x =>
                                
                                    int port = serviceContext.CodePackageActivationContext.GetEndpoint("EndpointHttps").Port;
                                    x.Listen(IPAddress.IPv6Any, port, listenOptions =>
                                    
                                        listenOptions.UseHttps(transportCertificate);
                                        listenOptions.NoDelay = true;
                                    );
                                )
                                .ConfigureServices(
                                    services => services
                                        .AddSingleton<StatelessServiceContext>(serviceContext))
                                .UseContentRoot(Directory.GetCurrentDirectory())
                                .UseEnvironment(environment)
                                .UseStartup<Startup>()
                                .UseServiceFabricIntegration(listener, ServiceFabricIntegrationOptions.None)
                                .UseUrls(url)
                                .UseSerilog(Logger.Serilog)
                                .Build();
                ))
        ;

似乎一切正常,我的网站在浏览器中是安全的,并且 api 可以正常工作。然而,我的日志被以下语句填满(这些只是调试消息,但它们正在填满我的日志):

133649  Failed to authenticate HTTPS connection.    Debug   System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
133643  Connection id ""0HLPCETMP8DKM"" started.    key='SourceContext'>Microsoft.AspNetCore.Server.Kestrel
133642  Connection id ""0HLPCETMP8DKL"" received FIN.   key='SourceContext'>Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets
133641  Connection id ""0HLPCETLEPLQ7"" stopped.    key='SourceContext'>Microsoft.AspNetCore.Server.Kestrel
133640  Connection id ""0HLPCETLEPLQ7"" sending FIN.    key='SourceContext'>Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets

例外是:

System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
 at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
 at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
 --- End of stack trace from previous location where exception was thrown ---
 at System.Net.Security.SslState.ThrowIfExceptional()
 at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
 at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
 at System.Net.Security.SslStream.EndAuthenticateAsServer(IAsyncResult asyncResult)
 at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__51_1(IAsyncResult iar)
 at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
 --- End of stack trace from previous location where exception was thrown ---
 at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionAdapter.InnerOnConnectionAsync(ConnectionAdapterContext context)

有谁知道它为什么会这样做?我可以查看的任何其他日志或有关如何调试的建议?

谢谢。

【问题讨论】:

看起来客户端和您的服务之间的 SSL 握手不一致。它还表明客户端不喜欢服务器发送的内容。由于信息很少,我不得不认为客户端可能不信任服务器证书或者主机名不匹配。如果您的客户端是 Windows,您可以转到应用程序和服务日志以及在 Windows 下的某个地方,我相信,找到 CAPI2 日志,右键单击操作日志并选择启用日志并在向 API 发送请求时检查错误。跨度> 【参考方案1】:

这很可能是因为您使用标准模板运行 Service Fabric,该模板设置了 Azure 负载均衡器,并对您设置使用的端口进行运行状况探测。标准探测一般是 TCP,每 5 秒探测一次端点。如果这是一个可行的选择,您可以移除探针。我个人使用较不激进的探测间隔。

请注意,更改负载平衡器规则通常需要很长时间,从几分钟到近半小时不等。

【讨论】:

以上是关于为啥红隼一直抛出这个调试 ssl 异常?的主要内容,如果未能解决你的问题,请参考以下文章

为啥在 ios/cordova 中抛出这个异常?

为啥这个 Linq 方法会抛出空引用异常

为啥我们不能只抛出异常/可抛出而不是有多个异常[重复]

为啥geoip会抛出异常?

为啥不可能从 __toString() 抛出异常?

为啥在这种情况下允许抛出已检查的异常类型?