英文:
.NET 5 HttpClient: SSL connection could not be established, see inner exception
问题
Production环境中SSL连接无法建立的问题可能是因为服务器配置或网络环境问题。可能的解决方法包括:
-
证书问题: 确保服务器上的SSL证书是有效的,且与请求的域名匹配。有时候,SSL证书可能过期或者不正确配置,导致无法建立安全连接。
-
协议问题: 确保服务器和客户端都支持相同的SSL/TLS协议版本。你的代码中使用了
SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls,但某些服务器可能不支持所有这些协议。尝试只使用SecurityProtocolType.Tls12,看看是否有改善。 -
中间代理问题: 如果你的请求经过了中间代理服务器,可能会干扰SSL握手。确保中间代理服务器不会修改SSL请求或响应。
-
网络环境问题: 检查生产环境的网络设置,确保服务器能够正常访问公共URL。防火墙、代理设置等可能会影响SSL连接。
-
域名解析问题: 确保在生产环境中,域名能够正确解析到期望的IP地址。有时DNS解析问题会导致SSL连接失败。
-
其他设置: 检查服务器的安全策略,确保没有特殊的安全设置(例如HSTS)阻止了连接。
在处理这个问题时,你可能需要与你的网络管理员或者服务器管理员合作,以便他们可以检查服务器和网络配置,确保一切正常。
英文:
I am using HttpClient to get an image from a public url. I did a test in Postman and I can get it without any issues, as well as in my dev pc. When I publish it to production web server, I got the error: "The SSL connection could not be established, see inner exception.", right after GetByteArrayAsync().
Inner Exception:
System.Security.Authentication.AuthenticationException: Authentication failed because the remote party sent a TLS alert: 'ProtocolVersion'. ---> System.ComponentModel.Win32Exception (0x80090326): The message received was unexpected or badly formatted. --- End of inner exception stack trace --- at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm) at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
This is the code that is working in my dev pc:
var client = new HttpClient();
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
var result = await client.GetByteArrayAsync("url");
Since this code is not working in production, I have added (and still not working):
client.DefaultRequestHeaders.Add("Accept-Encoding", "gzip");
client.DefaultRequestHeaders.Add("Accept-Encoding", "deflate");
client.DefaultRequestHeaders.Add("Accept-Encoding", "br");
And also using HttpRequestMessage and HttpClientHandler, I got the same issue in production:
var handler = new HttpClientHandler();
handler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
using (var client = new HttpClient(handler))
using (var request = new HttpRequestMessage(HttpMethod.Get, "url"))
{
request.Headers.Host = "url";
using (var response = await client.SendAsync(request))
{
Console.WriteLine(response.StatusCode);
}
So, do you know what the issue in production would be? why this works in dev and Postman but not in production? do I need to set up a setting?
Also, when I change the target to another public url, I can get an image from production server without issues.
Any help will be appreciated. Thanks
答案1
得分: 1
感谢@Charlieface提供的SSLLab报告,我发现目标服务器仅支持TLS 1.3,而我的Web托管提供商正在使用Windows 2019,该协议不可用。所以,我将托管提供商更改为Windows 2022,我的Web应用程序现在正常运行。
谢谢。
英文:
Thanks to @Charlieface for the SSLLab report I found out that the target server was working with TLS 1.3 only, and my web hosting provider was working with Windows 2019 where that protocole is not available. So, I changed the hosting provider with Window 2022 and my web app is working fine.
Thanks.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论