问题
I have seen few similar questions regarding this topic on SO, but it seems that none of the answers really helps to resolve it.
I need to reach customer webservice with certificate authentication. It works fine using SoapUI and chrome after selecting correct certificate when prompted. But I am not able to reach the service with IE, WCF client, not my own, nor WcfTestClient. OS is Windows server 2012 R2, protocol TLS 1.2
I have been investigating events, tracelogs, also spend quite some time with analyzing wireshark captures, but I am stuck. This is what I have
Event Log:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 12.
Trace log:
I will omit non interesting parts and show only related ones.
System.Net Information: 0 : [12208] Connection#11144211 - Created connection
from 192.168.3.13:53514 to 145.119.167.109:443.
System.Net Information: 0 : [12208] TlsStream#3957675::.ctor(host=aaa.bbb.eu, #certs=1)
System.Net Information: 0 : [12208] Associating HttpWebRequest#37368736 with ConnectStream#35619075
.
.
.
System.Net Information: 0 : [12208]
SecureChannel#52136226::.ctor(hostname=aaa.bbb.eu, #clientCertificates=1, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [12208] Enumerating security packages:
System.Net Information: 0 : [12208] Negotiate
System.Net Information: 0 : [12208] NegoExtender
System.Net Information: 0 : [12208] Kerberos
System.Net Information: 0 : [12208] NTLM
System.Net Information: 0 : [12208] TSSSP
System.Net Information: 0 : [12208] pku2u
System.Net Information: 0 : [12208] WDigest
System.Net Information: 0 : [12208] Schannel
System.Net Information: 0 : [12208] Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [12208] CREDSSP
System.Net Information: 0 : [12208] SecureChannel#52136226 - Attempting to restart the session using the user-provided certificate: [HERE GOES DATA ABOUT CERTIFICATE]
.
.
.
System.Net Information: 0 : [12208] SecureChannel#52136226 - Left with 1 client certificates to choose from.
System.Net Information: 0 : [12208] SecureChannel#52136226 - Trying to find a matching certificate in the certificate store.
System.Net Information: 0 : [12208] SecureChannel#52136226 - Locating the private key for the certificate: [HERE GOES DATA ABOUT CERTIFICATE]
.
.
.
System.Net Information: 0 : [12208] SecureChannel#52136226 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [12208] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Information: 0 : [12208] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = aaa.bbb.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [12208] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=161, returned code=ContinueNeeded).
Then some incoming messages, with
System.Net.Sockets Verbose: 0 : [12208] Exiting Socket#33189039::Receive() -> Int32#2516
System.Net Information: 0 : [12208] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = cb00f8:7980678, targetName = aaa.bbb.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [12208] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net.Sockets Verbose: 0 : [12208] Socket#33189039::Receive()
System.Net.Sockets Verbose: 0 : [12208] Data from Socket#33189039::Receive
in between. And finally, the issue.
System.Net.Sockets Verbose: 0 : [12208] Exiting Socket#33189039::Receive() -> Int32#2839
System.Net Information: 0 : [12208] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = cb00f8:7980678, targetName = aaa.bbb.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [12208] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
System.Net.Sockets Verbose: 0 : [12208] Socket#33189039::Dispose()
System.Net Error: 0 : [12208] Exception in HttpWebRequest#37368736:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [12208] Exception in HttpWebRequest#37368736::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..
So, obviously, I have sufficient right to successfully read and use provided client certificate (which is just fine for Chrome and SoapUI). When checking network flow by Wireshark, Client Hello and Server Hello is there, followed by Certificate and Server Key Exchange messages. Then a lot of probably not correctly decoded packets coming from server (marked by Wireshark as Encrypted Handshake message, from content it seems as some certificates) and finally ACK RST packet from my client.
Any ideas what might cause this will be much appreciated.
Edit: Added client code and configuration
Client code:
ServicePointManager.SetTcpKeepAlive(true, 10000, 1000);
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
try
{
client = new IncidentBrokerPortTypeClient("gms_endpoint");
client.EchoRequest(new EchoRequest());
}
catch (Exception ex)
{
MessageBox.Show(ex.Message + Environment.NewLine + ex.InnerException);
}
Configuration:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
</startup>
<system.serviceModel>
<bindings>
<basicHttpsBinding>
<binding name="HttpsBasicBinding">
<security mode="Transport" >
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpsBinding>
</bindings>
<client>
<endpoint
name ="gms_endpoint"
address="https://aaa.bbb.eu/"
binding="basicHttpsBinding"
bindingConfiguration="HttpsBasicBinding"
contract="SomeNamespace.IncidentBrokerPortType"
behaviorConfiguration="GmsBehavior"
/>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="GmsBehavior">
<clientCredentials>
<clientCertificate x509FindType="FindByThumbprint"
findValue="5c1dd5c93d1854cb2d698451e1d2a78a3d94dcb0"
storeLocation="LocalMachine"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
回答1:
Enable strong cryptography in .NET Framework 4.5 or higher
We ran into a problem that was resulting in the same IllegalMessage at the end of the stack trace. For us it turned out there was a group policy update on our domain that disabled the older and weaker SSL and TLS protocols. The stronger cryptography was not enabled by default resulting in the handshake failing. The fix for us was adding two entries to the registry for the server reporting the error:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SchUseStrongCrypto"=dword:00000001
回答2:
Maybe adding diagnostics to client config will help, something like the following :
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
</startup>
<!--diagnostics traces will be found in Web_messages.svclog file and Web_tracelog.svclog file-->
<system.diagnostics>
<sources>
<source name="System.ServiceModel.MessageLogging" switchValue="Warning, ActivityTracing">
<listeners>
<add type="System.Diagnostics.DefaultTraceListener" name="Default">
<filter type="" />
</add>
<add name="ServiceModelMessageLoggingListener">
<filter type="" />
</add>
</listeners>
</source>
<source name="System.ServiceModel" switchValue="Warning,ActivityTracing"
propagateActivity="true">
<listeners>
<add type="System.Diagnostics.DefaultTraceListener" name="Default">
<filter type="" />
</add>
<add name="ServiceModelTraceListener">
<filter type="" />
</add>
</listeners>
</source>
</sources>
<sharedListeners>
<add initializeData="Web_messages.svclog" type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
name="ServiceModelMessageLoggingListener" traceOutputOptions="Timestamp">
<filter type="" />
</add>
<add initializeData="Web_tracelog.svclog" type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
name="ServiceModelTraceListener" traceOutputOptions="Timestamp">
<filter type="" />
</add>
</sharedListeners>
<trace autoflush="true" />
</system.diagnostics>
<system.serviceModel>
<!--Enable diagnostics to record wcf communication-->
<diagnostics wmiProviderEnabled="true">
<messageLogging logEntireMessage="true" logMalformedMessages="true" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" />
</diagnostics>
<bindings>
<basicHttpsBinding>
<binding name="HttpsBasicBinding">
<security mode="Transport" >
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpsBinding>
</bindings>
<client>
<endpoint
name ="gms_endpoint"
address="https://aaa.bbb.eu/"
binding="basicHttpsBinding"
bindingConfiguration="HttpsBasicBinding"
contract="SomeNamespace.IncidentBrokerPortType"
behaviorConfiguration="GmsBehavior"
/>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="GmsBehavior">
<clientCredentials>
<clientCertificate x509FindType="FindByThumbprint"
findValue="5c1dd5c93d1854cb2d698451e1d2a78a3d94dcb0"
storeLocation="LocalMachine"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
来源:https://stackoverflow.com/questions/43585967/the-request-was-aborted-could-not-create-ssl-tls-secure-channel-illegalmessag