Making IIS require an SSL client certificate during the initial handshake

Posted 2024-08-26 23:29:11 · 411 words · 10 views · 0 comments

I am trying to configure an IIS website to require SSL client certificates. The website is set up in both IIS 6 and 7, though I am more interested in making it work for 7. I set the require client certificates property in IIS and it works fine when accessing the site through a web browser, but a Java-based client is having trouble accessing it.

I believe the problem is that IIS does not request a client certificate during the initial SSL handshake. Instead it negotiates a normal SSL connection, checks to see if the resource requires client certificates, and if it does it then initiates a new SSL handshake that requests a client certificate. IIS does this to support sites that only require the client certificates for certain resources. Even when the requirement is specified for the entire website, IIS still initiates two SSL handshakes. I want to force IIS to request the client certificate on the first SSL handshake, which will hopefully get things working for the client. (The client is developed by an external partner and I have virtually no knowledge of how it is set up and no access to its source code.)

Has anyone dealt with this problem in IIS before?


掩于岁月 2024-09-02 23:29:11

Here's how I did this, on IIS 7.5:

  1. Run the following in an admin command prompt: netsh http show sslcert
  2. Save the output in a text file. Will look something like this:

    IP:port                 : 0.0.0.0:443
    Certificate Hash        : [a hash value]
    Application ID          : {[a GUID]}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          : (null)
    Ctl Store Name          : (null)
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled
    
  3. Create a batch file using that info:

    netsh http show sslcert
    netsh http delete sslcert ipport=0.0.0.0:443
    netsh http add sslcert ipport=0.0.0.0:443 certhash=[your cert hash from above] appid={[your GUID from above]} certstorename=MY verifyclientcertrevocation=enable VerifyRevocationWithCachedClientCertOnly=disable UsageCheck=Enable clientcertnegotiation=enable
    netsh http show sslcert
    

    (Yes, you have to delete and re-add; you can't just alter clientcertnegotiation in-place. That's why it's important to save the hash and GUID, so it knows what to re-add.)

  4. Run that batch file, check for any errors, done.

Keep in mind that this setting is applied per-certificate, not per-server. So if you use multiple certs, or change/update your cert, you will have to do this again.
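
An added example, not part of the answer above: this PowerShell script reads saved netsh http show sslcert output, finds bindings where Negotiate Client Certificate is still Disabled (for instance after a certificate renewal), and prints the delete/add lines for a batch file while carrying over each binding's existing revocation and usage-check settings. The sample output, hashes and GUIDs are constructed placeholders, English-locale labels are assumed, and Get-SslBinding is a hypothetical helper name; the script only prints commands and changes nothing.

```powershell
# Constructed sample of English-locale `netsh http show sslcert` output (trimmed).
# Hashes and GUIDs are placeholders, not values from a real server.
$saved = @'
    IP:port                 : 0.0.0.0:443
    Certificate Hash        : 0123456789abcdef0123456789abcdef01234567
    Application ID          : {00000000-0000-0000-0000-000000000001}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Negotiate Client Certificate    : Disabled

    IP:port                 : 0.0.0.0:8443
    Negotiate Client Certificate    : Enabled
'@ -split '\r?\n'
# Output label -> netsh parameter, for the on/off settings that must survive the re-add.
$flags = [ordered]@{
    'Verify Client Certificate Revocation'                   = 'verifyclientcertrevocation'
    'Verify Revocation Using Cached Client Certificate Only' = 'VerifyRevocationWithCachedClientCertOnly'
    'Usage Check'                                            = 'UsageCheck'
}
$onOff = @{ Enabled = 'enable'; Disabled = 'disable' }

function Get-SslBinding([string[]]$Lines) {
    $b = $null
    foreach ($line in $Lines) {
        # Label and value are separated by " : "; the label "IP:port" has no spaces.
        if ($line -match '^\s*(.+?)\s+:\s+(.*?)\s*$') {
            if ($Matches[1] -eq 'IP:port') {
                if ($null -ne $b) { $b }      # emit the previous binding
                $b = @{}
            }
            if ($null -ne $b) { $b[$Matches[1]] = $Matches[2] }
        }
    }
    if ($null -ne $b) { $b }
}

# Print cmd.exe batch lines only for bindings that still defer the certificate request.
foreach ($b in Get-SslBinding $saved) {
    $ipport = $b['IP:port']
    if ($b['Negotiate Client Certificate'] -eq 'Enabled') { "rem ${ipport}: already enabled"; continue }
    $opts = $flags.Keys | Where-Object { $onOff.ContainsKey("$($b[$_])") } |
        ForEach-Object { "$($flags[$_])=$($onOff[$b[$_]])" }
    "netsh http delete sslcert ipport=$ipport"
    "netsh http add sslcert ipport=$ipport certhash=$($b['Certificate Hash']) " +
        "appid=$($b['Application ID']) certstorename=$($b['Certificate Store Name']) " +
        "$($opts -join ' ') clientcertnegotiation=enable"
}
```

The printed lines are meant for a .cmd file run from an elevated prompt; pasted directly into PowerShell, the braces in appid would need quoting.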

只是一片海 2024-09-02 23:29:11

It took me a while to find this metabase setting. We were having this same problem with our client using the new certicom libraries. Since the discovery of the MITM attack around SSL Renegotiation, the answer in a lot of circles has been to hang up on renegotiation requests.

Running the following cmd from \inetpub\adminscripts will force IIS to always request a client certificate.

For IIS 6:

    cscript adsutil.vbs set \w3svc\siteID\SSLAlwaysNegoClientCert True

(So for the default website, cscript adsutil.vbs set \w3svc\1\SSLAlwaysNegoClientCert True)

Keep in mind that some clients (Internet Explorer) prompt for client certificates when they receive that packet whether the client certificate is needed or not.

For IIS 7:

Save the following text to a file called "Enable_SSL_Renegotiate_Workaround.js"

    var vdirObj=GetObject("IIS://localhost/W3svc/1");
    // replace 1 on the line above with the number of the web site you wish to configure

    WScript.Echo("Value of SSLAlwaysNegoClientCert Before: " + vdirObj.SSLAlwaysNegoClientCert);
    vdirObj.Put("SSLAlwaysNegoClientCert", true);
    vdirObj.SetInfo();
    WScript.Echo("Value of SSLAlwaysNegoClientCert After: " + vdirObj.SSLAlwaysNegoClientCert);

Run the following command from an elevated / administrator command prompt:

    cscript.exe enable_ssl_renegotiate_workaround.js

(Jacked from the KB article for 977377)

云淡风轻 2024-09-02 23:29:11
  • It's easier to use "update" instead of deleting\re-adding.
  • To see parameters, run below

    netsh http update sslcert ?
