为啥红隼一直抛出这个调试 ssl 异常?
Posted
技术标签:
【中文标题】为啥红隼一直抛出这个调试 ssl 异常?【英文标题】:Why does kestrel keep throwing this debug ssl exception?为什么红隼一直抛出这个调试 ssl 异常? 【发布时间】:2020-01-02 17:44:25 【问题描述】:我有一个 Service Fabric 设置,我有一个在端口 443 上注册并使用 https 的微服务。我的集群设置中有一个反向代理。反向代理由证书保护。
我在启动微服务时也使用相同的证书:
new ServiceInstanceListener(serviceContext =>
new KestrelCommunicationListener(serviceContext, "EndpointHttps", (url, listener) =>
ServiceEventSource.Current.ServiceMessage(serviceContext, $"Starting Kestrel on url");
return new WebHostBuilder()
.UseKestrel(x =>
int port = serviceContext.CodePackageActivationContext.GetEndpoint("EndpointHttps").Port;
x.Listen(IPAddress.IPv6Any, port, listenOptions =>
listenOptions.UseHttps(transportCertificate);
listenOptions.NoDelay = true;
);
)
.ConfigureServices(
services => services
.AddSingleton<StatelessServiceContext>(serviceContext))
.UseContentRoot(Directory.GetCurrentDirectory())
.UseEnvironment(environment)
.UseStartup<Startup>()
.UseServiceFabricIntegration(listener, ServiceFabricIntegrationOptions.None)
.UseUrls(url)
.UseSerilog(Logger.Serilog)
.Build();
))
;
似乎一切正常,我的网站在浏览器中是安全的,并且 api 可以正常工作。然而,我的日志被以下语句填满(这些只是调试消息,但它们正在填满我的日志):
133649 Failed to authenticate HTTPS connection. Debug System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
133643 Connection id ""0HLPCETMP8DKM"" started. key='SourceContext'>Microsoft.AspNetCore.Server.Kestrel
133642 Connection id ""0HLPCETMP8DKL"" received FIN. key='SourceContext'>Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets
133641 Connection id ""0HLPCETLEPLQ7"" stopped. key='SourceContext'>Microsoft.AspNetCore.Server.Kestrel
133640 Connection id ""0HLPCETLEPLQ7"" sending FIN. key='SourceContext'>Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets
例外是:
System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Security.SslState.ThrowIfExceptional()
at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
at System.Net.Security.SslStream.EndAuthenticateAsServer(IAsyncResult asyncResult)
at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__51_1(IAsyncResult iar)
at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionAdapter.InnerOnConnectionAsync(ConnectionAdapterContext context)
有谁知道它为什么会这样做?我可以查看的任何其他日志或有关如何调试的建议?
谢谢。
【问题讨论】:
看起来客户端和您的服务之间的 SSL 握手不一致。它还表明客户端不喜欢服务器发送的内容。由于信息很少,我不得不认为客户端可能不信任服务器证书或者主机名不匹配。如果您的客户端是 Windows,您可以转到应用程序和服务日志以及在 Windows 下的某个地方,我相信,找到 CAPI2 日志,右键单击操作日志并选择启用日志并在向 API 发送请求时检查错误。跨度> 【参考方案1】:这很可能是因为您使用标准模板运行 Service Fabric,该模板设置了 Azure 负载均衡器,并对您设置使用的端口进行运行状况探测。标准探测一般是 TCP,每 5 秒探测一次端点。如果这是一个可行的选择,您可以移除探针。我个人使用较不激进的探测间隔。
请注意,更改负载平衡器规则通常需要很长时间,从几分钟到近半小时不等。
【讨论】:
以上是关于为啥红隼一直抛出这个调试 ssl 异常?的主要内容,如果未能解决你的问题,请参考以下文章