.net 无法为 SOAP 调用的 SSL/TLS 建立安全通道
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3983230/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Could not establish secure channel for SSL/TLS for SOAP call
提问by Zarigani
Our core server is calling out to a soap web service over https on a number of different servers to confirm that a transaction has completed.
我们的核心服务器通过 https 调用多个不同服务器上的soap web 服务,以确认交易已完成。
The code is dotnet 3.5 (vb) and works for the various callback services we have set up until we just moved a new one into production and it is refusing to communicate, giving the following error:
代码是 dotnet 3.5 (vb) 并且适用于我们设置的各种回调服务,直到我们将一个新服务投入生产并且拒绝通信,并给出以下错误:
Unhandled Exception: System.ServiceModel.Security.SecurityNegotiationException:
Could not establish secure channel for SSL/TLS with authority 'www.xyzzy.com'.
---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
The relevant piece of code would seem to be:
相关的代码片段似乎是:
Dim epAddr As New System.ServiceModel.EndpointAddress(sys.CallbackAddress)
Dim bind As New System.ServiceModel.BasicHttpBinding(ServiceModel.BasicHttpSecurityMode.Transport)
_svc = New CallbackSvc.XyzzyCallbackSoapClient(bind, epAddr)
From my personal laptop (WinXP), I can run the code and it connects to the new server without issues.
在我的个人笔记本电脑 (WinXP) 上,我可以运行代码并且它可以毫无问题地连接到新服务器。
From the main server (which calls all the callback services) (Windows Server Enterprise Service Pack 1), the code always results in the aforementioned SSL error.
从主服务器(调用所有回调服务)(Windows Server Enterprise Service Pack 1),代码总是导致上述 SSL 错误。
After googling the issue I tried adding the following line (certainly not suitable for production but I wanted to test):
在谷歌搜索问题后,我尝试添加以下行(当然不适合生产,但我想测试):
System.Net.ServicePointManager.ServerCertificateValidationCallback = Function(se As Object, cert As System.Security.Cryptography.X509Certificates.X509Certificate, chain As System.Security.Cryptography.X509Certificates.X509Chain, sslerror As System.Net.Security.SslPolicyErrors) True
The result was the same. The SSL error still occurred.
结果是一样的。SSL 错误仍然发生。
Other places suggest the root cert has not be installed correctly on the calling machine but both the new server and old callback servers use certs issued by Go Daddy so I don't think this is the case here.
其他地方表明在调用机器上没有正确安装根证书,但新服务器和旧回调服务器都使用 Go Daddy 颁发的证书,所以我认为这里不是这种情况。
采纳答案by Zarigani
This turned out to be an interaction between the production "core" server (the one calling the service) and the destination server (hosting the service) not sharing an acceptable https algorithm. wfetchwas extremely helpful in diagnosing the issue.
结果证明这是生产“核心”服务器(调用服务的服务器)和目标服务器(托管服务)之间的交互,不共享可接受的 https 算法。 wfetch对诊断问题非常有帮助。
It turned out the destination server was not set up to accept TLS 1.0, only SSL 3.0 was accepted.
结果发现目标服务器未设置为接受 TLS 1.0,仅接受 SSL 3.0。
Apparently, something changed in Windows 2008 Server which means that outbound https connections would only be acceptable using TLS 1.0 (or better, presumably).
显然,Windows 2008 Server 中发生了一些变化,这意味着出站 https 连接只能使用 TLS 1.0(或更好,大概)。
In our case, the problem was resolved when the configuration on the destination server was changed to accept TLS. It feels like there should be a way to alter my program to force it to use SSL but I haven't found it.
在我们的例子中,当目标服务器上的配置更改为接受 TLS 时,问题得到解决。感觉应该有一种方法可以改变我的程序以强制它使用 SSL,但我还没有找到它。
回答by frosty
On the client side, try:
在客户端,尝试:
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
回答by Stefan
I got the same error "Could not establish secure channel for SSL/TLS with authority 'www.xyzzy.com'." when moving an existing application including a required client certificate from one server to another. What caused the problem on the new server was that the IIS-user, in this case "IIS_WPG", didn't have have read & execute permission for the certificate just moved to the new server. Changing the certificate access permissions can be done with wsetools. /Stefan
我遇到了同样的错误“无法为具有“www.xyzzy.com”权限的 SSL/TLS 建立安全通道。将包含所需客户端证书的现有应用程序从一台服务器移动到另一台服务器时。导致新服务器出现问题的原因是 IIS 用户(在本例中为“IIS_WPG”)没有读取和执行刚刚移动到新服务器的证书的权限。可以使用 wsetools 更改证书访问权限。/斯蒂芬
