.NET 5 HttpClient: SSL连接无法建立,请参见内部异常。

huangapple go评论82阅读模式
英文:

.NET 5 HttpClient: SSL connection could not be established, see inner exception

问题

Production环境中SSL连接无法建立的问题可能是因为服务器配置或网络环境问题。可能的解决方法包括:

  1. 证书问题: 确保服务器上的SSL证书是有效的,且与请求的域名匹配。有时候,SSL证书可能过期或者不正确配置,导致无法建立安全连接。

  2. 协议问题: 确保服务器和客户端都支持相同的SSL/TLS协议版本。你的代码中使用了SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls,但某些服务器可能不支持所有这些协议。尝试只使用SecurityProtocolType.Tls12,看看是否有改善。

  3. 中间代理问题: 如果你的请求经过了中间代理服务器,可能会干扰SSL握手。确保中间代理服务器不会修改SSL请求或响应。

  4. 网络环境问题: 检查生产环境的网络设置,确保服务器能够正常访问公共URL。防火墙、代理设置等可能会影响SSL连接。

  5. 域名解析问题: 确保在生产环境中,域名能够正确解析到期望的IP地址。有时DNS解析问题会导致SSL连接失败。

  6. 其他设置: 检查服务器的安全策略,确保没有特殊的安全设置(例如HSTS)阻止了连接。

在处理这个问题时,你可能需要与你的网络管理员或者服务器管理员合作,以便他们可以检查服务器和网络配置,确保一切正常。

英文:

I am using HttpClient to get an image from a public url. I did a test in Postman and I can get it without any issues, as well as in my dev pc. When I publish it to production web server, I got the error: "The SSL connection could not be established, see inner exception.", right after GetByteArrayAsync().
Inner Exception:

System.Security.Authentication.AuthenticationException: Authentication failed because the remote party sent a TLS alert: 'ProtocolVersion'. ---> System.ComponentModel.Win32Exception (0x80090326): The message received was unexpected or badly formatted. --- End of inner exception stack trace --- at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm) at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)

This is the code that is working in my dev pc:

var client = new HttpClient();
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
            ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
var result = await client.GetByteArrayAsync("url");

Since this code is not working in production, I have added (and still not working):

client.DefaultRequestHeaders.Add("Accept-Encoding", "gzip");
 client.DefaultRequestHeaders.Add("Accept-Encoding", "deflate");
 client.DefaultRequestHeaders.Add("Accept-Encoding", "br");

And also using HttpRequestMessage and HttpClientHandler, I got the same issue in production:

var handler = new HttpClientHandler();
handler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
using (var client = new HttpClient(handler))
using (var request = new HttpRequestMessage(HttpMethod.Get, "url"))
{
request.Headers.Host = "url";
using (var response = await client.SendAsync(request))
 {
    Console.WriteLine(response.StatusCode);
 }

So, do you know what the issue in production would be? why this works in dev and Postman but not in production? do I need to set up a setting?
Also, when I change the target to another public url, I can get an image from production server without issues.
Any help will be appreciated. Thanks

答案1

得分: 1

感谢@Charlieface提供的SSLLab报告,我发现目标服务器仅支持TLS 1.3,而我的Web托管提供商正在使用Windows 2019,该协议不可用。所以,我将托管提供商更改为Windows 2022,我的Web应用程序现在正常运行。
谢谢。

英文:

Thanks to @Charlieface for the SSLLab report I found out that the target server was working with TLS 1.3 only, and my web hosting provider was working with Windows 2019 where that protocole is not available. So, I changed the hosting provider with Window 2022 and my web app is working fine.
Thanks.

huangapple
  • 本文由 发表于 2023年5月15日 14:25:22
  • 转载请务必保留本文链接:https://go.coder-hub.com/76251371.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定