c# - SSL renegotiation (SEC_I_RENEGOTIATE) problem in HttpWebRequest and no keep-alive

Tags c# ssl https

We use HttpWebRequest for REST interactions over HTTPS with keep-alive enabled. This works, but on the server side (Apache) we frequently get this error:
"Re-negotiation handshake failed: Not accepted by client!?"

(no further details are logged)

On the client side, in the System.Net trace, we have the following message:
Decrypt returned SEC_I_RENEGOTIATE.
(fuller log below).
Also, the TCP connection is not being reused (keep-alive does not work, although it works fine when I test without SSL).
This slows down interaction with the REST API considerably.

HttpWebRequest is configured with keep-alive enabled, a client certificate and a server certificate callback. I have tested ServicePointManager.SecurityProtocol with both SSL3 and TLS.

The client runs on .NET Framework 3.5 SP1 on Windows XP SP3.

Any help diagnosing and correcting this problem would be greatly appreciated! Thanks

Full log:

2011-08-01 21:40:22.702 - System.Net Verbose: 0 : [2320] WebRequest::Create(https://mo.dev.xyz.eu:9969/aaa-web/service/10001/1/utilisateur)
2011-08-01 21:40:22.749 - System.Net Verbose: 0 : [2320] HttpWebRequest#53502362::HttpWebRequest(https://mo.dev.xyz.eu:9969/aaa-web/service/10001/1/utilisateur#2027466596)
2011-08-01 21:40:22.796 - System.Net Verbose: 0 : [2320] Exiting HttpWebRequest#53502362::HttpWebRequest() 
2011-08-01 21:40:22.843 - System.Net Verbose: 0 : [2320] Exiting WebRequest::Create()   -> HttpWebRequest#53502362
2011-08-01 21:40:22.890 - System.Net Verbose: 0 : [2320] HttpWebRequest#53502362::BeginGetResponse()
2011-08-01 21:40:22.936 - System.Net Information: 0 : [2320] Associating HttpWebRequest#53502362 with ServicePoint#62474978
2011-08-01 21:40:22.983 - System.Net Information: 0 : [2320] Associating Connection#13358335 with HttpWebRequest#53502362
2011-08-01 21:40:23.030 - System.Net Verbose: 0 : [2320] Exiting HttpWebRequest#53502362::BeginGetResponse()    -> ContextAwareResult#35634409
2011-08-01 21:40:23.108 - System.Net Information: 0 : [1440] TlsStream#41394993::.ctor(host=mo.dev.xyz.eu, #certs=1)
2011-08-01 21:40:23.155 - System.Net Information: 0 : [1440] Associating HttpWebRequest#53502362 with ConnectStream#28913487
2011-08-01 21:40:23.202 - System.Net Information: 0 : [1440] HttpWebRequest#53502362 - Request: GET /aaa-web/service/10001/1/utilisateur HTTP/1.1

2011-08-01 21:40:23.249 - System.Net Information: 0 : [1440] SecureChannel#41727345::.ctor(hostname=mo.dev.xyz.eu, #clientCertificates=1)
2011-08-01 21:40:23.327 - System.Net Information: 0 : [1440] SecureChannel#41727345 - Attempting to restart the session using the user-provided certificate: [Version]
  V3

[Subject]
  CN=G6-99999615-01, OU=EIB-TPV, O=xyz
  Simple Name: G6-99999615-01
  DNS Name: G6-99999615-01

[Issuer]
  CN=AC-INT-TPV, OU=EIB, O=xyz
  Simple Name: AC-INT-TPV
  DNS Name: AC-INT-TPV

[Serial Number]
  008757A7

[Not Before]
  28/12/2010 23:00:32

[Not After]
  28/12/2020 23:00:32

[Thumbprint]
  3B412465B069579441132DEF6E390BB62637B7AB

[Signature Algorithm]
  sha1RSA(1.2.840.113549.1.1.5)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: 30 82 01 0a 02 82 01 01 00 b9 28 16 ea 58 d5 74 5f 2f 71 f1 b0 5d be a8 fb 87 90 6a e9 90 ef 46 8a d0 ae 0f e9 77 17 d5 5b 23 44 82 25 97 a1 2e b0 88 65 5f 6e 2e 42 4d 4e c9 d8 b7 df 43 63 ca 37 ab 80 a6 65 18 b0 6b 62 19 a1 a8 31 23 8c 5d a7 3b 32 65 eb 64 32 4e ff fb 8e 2f 77 d3 97 b2 b3 a7 4c d8 65 fa 18 73 86 3c 79 4e 19 55 e1 b3 28 1c 0c 52 34 ce d9 58 2b f4 c1 ae 0f 38 b2 29 37 ae e6 36 1f b5 89 90 af d8 68 89 c1 87 e5 34 80 13 3a 79 d5 d6 d5 f8 7d 6e ef a6 d2 c7 e0 be c9 2a 88 c3 f2 34 e3 ....
2011-08-01 21:40:23.374 - System.Net Information: 0 : [1440] SecureChannel#41727345 - Left with 1 client certificates to choose from.
2011-08-01 21:40:23.421 - System.Net Information: 0 : [1440] SecureChannel#41727345 - Trying to find a matching certificate in the certificate store.
2011-08-01 21:40:23.499 - System.Net Information: 0 : [1440] SecureChannel#41727345 - Locating the private key for the certificate: [Version]
  V3

[Subject]
  CN=G6-99999615-01, OU=EIB-TPV, O=xyz
  Simple Name: G6-99999615-01
  DNS Name: G6-99999615-01

[Issuer]
  CN=AC-INT-TPV, OU=EIB, O=xyz
  Simple Name: AC-INT-TPV
  DNS Name: AC-INT-TPV

[Serial Number]
  008757A7

[Not Before]
  28/12/2010 23:00:32

[Not After]
  28/12/2020 23:00:32

[Thumbprint]
  3B412465B069579441132DEF6E390BB62637B7AB

[Signature Algorithm]
  sha1RSA(1.2.840.113549.1.1.5)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: 30 82 01 0a 02 82 01 01 00 b9 28 16 ea 58 d5 74 5f 2f 71 f1 b0 5d be a8 fb 87 90 6a e9 90 ef 46 8a d0 ae 0f e9 77 17 d5 5b 23 44 82 25 97 a1 2e b0 88 65 5f 6e 2e 42 4d 4e c9 d8 b7 df 43 63 ca 37 ab 80 a6 65 18 b0 6b 62 19 a1 a8 31 23 8c 5d a7 3b 32 65 eb 64 32 4e ff fb 8e 2f 77 d3 97 b2 b3 a7 4c d8 65 fa 18 73 86 3c 79 4e 19 55 e1 b3 28 1c 0c 52 34 ce d9 58 2b f4 c1 ae 0f 38 b2 29 37 ae e6 36 1f b5 89 90 af d8 68 89 c1 87 e5 34 80 13 3a 79 d5 d6 d5 f8 7d 6e ef a6 d2 c7 e0 be c9 2a 88 c3 f2 34 e3 ....
2011-08-01 21:40:23.546 - System.Net Information: 0 : [1440] SecureChannel#41727345 - Certificate is of type X509Certificate2 and contains the private key.
2011-08-01 21:40:23.593 - System.Net Information: 0 : [1440] Using the cached credential handle.
2011-08-01 21:40:23.640 - System.Net Information: 0 : [1440] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = mo.dev.xyz.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2011-08-01 21:40:23.702 - System.Net Information: 0 : [1440] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=109, returned code=ContinueNeeded).
2011-08-01 21:40:23.765 - System.Net Information: 0 : [1440] ConnectStream#28913487 - Sending headers
{
Accept-Encoding: gzip,gzip
Mo-Version: 2.2.0-SNAPSHOT
User-Agent: xyz
Content-Type: text/xml;charset=UTF-8
Host: mo.dev.xyz.eu:9969
}.
2011-08-01 21:40:23.811 - System.Net Information: 0 : [1440] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 59e7b10:920a0, targetName = mo.dev.xyz.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2011-08-01 21:40:23.952 - System.Net Information: 0 : [1440] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2011-08-01 21:40:24.030 - System.Net Information: 0 : [1440] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 59e7b10:920a0, targetName = mo.dev.xyz.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2011-08-01 21:40:24.093 - System.Net Information: 0 : [1440] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2011-08-01 21:40:24.140 - System.Net Information: 0 : [1440] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 59e7b10:920a0, targetName = mo.dev.xyz.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2011-08-01 21:40:24.186 - System.Net Information: 0 : [1440] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=310, returned code=ContinueNeeded).
2011-08-01 21:40:24.280 - System.Net Information: 0 : [1440] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 59e7b10:920a0, targetName = mo.dev.xyz.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2011-08-01 21:40:24.327 - System.Net Information: 0 : [1440] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2011-08-01 21:40:24.390 - System.Net Information: 0 : [1440] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 59e7b10:920a0, targetName = mo.dev.xyz.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2011-08-01 21:40:24.436 - System.Net Information: 0 : [1440] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=OK).
2011-08-01 21:40:24.515 - System.Net Information: 0 : [1440] Remote certificate: [Version]
  V3

[Subject]
  CN=*.dev.xyz.eu, OU=EIB-Servers, O=xyz
  Simple Name: *.dev.xyz.eu
  DNS Name: *.dev.xyz.eu

[Issuer]
  CN=AC-INT-SERVEURS, OU=EIB, O=xyz
  Simple Name: AC-INT-SERVEURS
  DNS Name: AC-INT-SERVEURS

[Serial Number]
  00FDF961

[Not Before]
  13/10/2010 17:40:31

[Not After]
  13/10/2020 17:40:31

[Thumbprint]
  930C9B8BBEBC0F96D19B1714AA7E6682A8816750

[Signature Algorithm]
  sha1RSA(1.2.840.113549.1.1.5)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: 30 82 01 0a 02 82 01 01 00 bf e6 03 fe d5 41 ce f1 42 9a a1 cf 2e 53 df 7a 26 d1 0b 8b b1 5d 3b 26 1c e6 fe 8a df bf 44 6b b4 f5 ea e8 74 2a 9a 50 0b b0 3c ac f3 21 59 bf e7 68 c6 6e 59 3e d6 ab 76 52 58 cd f2 9c af dc e6 42 d9 94 b6 7d 41 39 52 19 7b cf 3f 6d 26 bb 76 ea 5d a4 5f b2 ae a4 ef ef a2 3c 17 f2 41 57 9a b5 de 38 5c 13 6e 05 2d a6 3c 21 42 62 68 b3 82 b4 92 4e da 34 f7 83 9f 83 80 0a ab d6 cf b1 bd 6b f2 c0 10 11 04 21 3b 06 5e 21 71 93 ce 12 ba 0e ed 9e 82 d2....
2011-08-01 21:40:24.561 - System.Net Information: 0 : [1440] SecureChannel#41727345 - Remote certificate was verified as valid by the user.
2011-08-01 21:40:24.655 - System.Net Error: 0 : [1440] Decrypt returned SEC_I_RENEGOTIATE.
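For the server-side message quoted above, one thing a practitioner would check first is where Apache's mod_ssl asks for the client certificate. The following is an added example and not the poster's configuration; the host name and port are taken from the trace, the certificate paths, the /aaa-web location and the CA file name are assumptions. When SSLVerifyClient is set inside a Location or Directory block, the initial TLS handshake completes without a client certificate and mod_ssl has to renegotiate once it sees which URL was requested; a renegotiation the client does not accept produces exactly the "Re-negotiation handshake failed: Not accepted by client!?" log line. Setting it at virtual-host level makes the certificate part of the first handshake, so no renegotiation is needed.

```apache
# Added example, not the poster's configuration. Paths and the /aaa-web
# location are assumed; host and port come from the trace above.

# BEFORE: per-location client certificate verification.
# The handshake completes without a client certificate; when a request for
# /aaa-web arrives, mod_ssl must renegotiate to request one mid-connection.
<VirtualHost *:9969>
    ServerName mo.dev.xyz.eu
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLCACertificateFile  /etc/apache2/ssl/ca-clients.crt

    <Location /aaa-web>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# AFTER: verification at virtual-host level.
# The client certificate is requested in the initial handshake, so no
# renegotiation happens and the connection can be kept alive for later requests.
<VirtualHost *:9969>
    ServerName mo.dev.xyz.eu
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLCACertificateFile  /etc/apache2/ssl/ca-clients.crt
    SSLVerifyClient require
    SSLVerifyDepth  2
</VirtualHost>
```

This is one common cause of that mod_ssl message, not a diagnosis of this particular setup; whether it applies here can only be confirmed on the server by looking for SSLVerifyClient inside Location or Directory blocks. A second server-side check worth making: mod_ssl builds that implement RFC 5746 refuse renegotiation with clients that do not advertise secure renegotiation unless SSLInsecureRenegotiation is enabled, so the client's SChannel must support it too. Avoiding the renegotiation altogether, as in the second block, sidesteps both problems.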

Best answer

You need to handle SEC_I_RENEGOTIATE on the client. When DecryptMessage returns SEC_I_RENEGOTIATE, you need to go through the handshake loop again.
The Microsoft documentation will help you with this. You can also find sample code on github.

Regarding c# - SSL renegotiation (SEC_I_RENEGOTIATE) problem in HttpWebRequest and no keep-alive, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/6903851/
