.NET Framework Cipher Suite Compatibility
Question
Recently Cybersource updated their cipher suites and TLS to the 1.2 TLS and the following cipher suites:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
Several applications running on Windows 2012 R2 will no longer connect to the Simple Order API after this. Some, which require explicit setting of TLS 1.2 because of older .NET Framework, and others which are not the latest but still can automatically use TLS 1.2.
Typically the applications are .NET Framework 4.6.2 ASP.NET. Some are older - possibly .NET Framework 4.5.2. The older ones are the ones where we have had to set the TLS version in the past I believe. Applications with the same general code base (4.6.2) are running just fine as expected without any code updates on a Windows Server 2016 web server. This is why I think it is a server issue more than the code issue and why I specified the cipher suites specifically.
Is there any possibility that .NET Framework version is responsible for the security error "Could not establish secure channel for SSL/TLS with authority 'ics2wstesta.ic3.com'?"
Or is this a settings issue on the web server? The Knowledge article from Cybersource indicates that this is a setting issue. And some articles I have found on Microsoft and elsewhere suggest some group policy settings to prioritize the cipher suites above. But I want to make sure before I hand it over.
Answer 1
Score: 0
Ultimately this seems like it was a Group Policy which was not properly configured in Windows Server 2012R2. I am not familiar with how this was resolved exactly, as I did not do it, but that is the direction which was required. A more server-oriented IT person would know the answer I'm sure.
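One way to check the server-side setting the answer points to, as an added PowerShell example that is not part of the original post or of Cybersource's guidance: it reads the Schannel cipher-suite order from the standard registry locations (Group Policy first, then the local default) and reports which of the four suites from the question are listed. The function name Get-SuiteOrder is hypothetical.

```powershell
# Added example (not from the original post). Compares the Schannel cipher-suite
# order on this server with the four suites listed in the question.
$required = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256'
)

# Group Policy "SSL Cipher Suite Order" writes here; it overrides the local default.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

# Hypothetical helper: returns the ordered suite names stored under a key, or nothing.
function Get-SuiteOrder {
    param([string]$Key)
    $item = Get-ItemProperty -Path $Key -Name Functions -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    # The value may be one comma-separated string or a multi-string; handle both.
    $item.Functions | ForEach-Object { $_ -split ',' } |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

$source = 'Group Policy'
$order  = @(Get-SuiteOrder $policyKey)
if ($order.Count -eq 0) {
    $source = 'local default'
    $order  = @(Get-SuiteOrder $localKey)
}

foreach ($suite in $required) {
    # Older Windows releases list ECDHE suites with a curve suffix such as _P256.
    $found = @($order | Where-Object { $_ -eq $suite -or $_ -like "${suite}_P*" })
    [pscustomobject]@{
        Suite    = $suite
        Source   = $source
        Listed   = $found.Count -gt 0
        Position = if ($found.Count -gt 0) { [array]::IndexOf($order, $found[0]) + 1 } else { $null }
        ListedAs = $found -join ', '
    }
}
```

A suite that appears in the list is only negotiated if the installed Schannel version implements it, so `Listed = True` is necessary but not sufficient.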