The request was aborted: Could not create SSL/TLS secure channel

Posted on 2024-10-24 08:05:43

We have a .Net 2.0 web app which uses a third party assembly to make a webservice call from our web page running at the server to the third party site. The call is made over https. This code has been running without an issue for years until about 2 weeks ago. The vendor did update their certs within the last month. However, no other client has reported an issue and some of our own machines work without an issue. On some of our servers when the call is made we get The request was aborted: Could not create SSL/TLS secure channel. On other servers there is no issue. The servers are all Windows 2003 running the same code base. We turned on .Net tracing and captured traces on a good server and two bad ones. We've verified the certificate being returned to all the servers is the same. The .Net trace shows one of the InitializeSecurityContext calls returning with a returned code=Illegal Message. I've verified schannel.dll, secur32.dll, and system.net.dll are the same versions on all servers. I've also verified that the CA is Trusted (it's Verisign).

At this point I'm looking for any troubleshooting ideas.

Log excerpts below. The first is from a server that gets the error. Note that in the logs for the bad servers the byte receive sequence is always 204, 5, 2, error. On the good server the byte sequence is always 204, 5, 1, continueneeded.

Bad Server

System.Net.Sockets Verbose: 0 : [15784] Exiting Socket#50912888::Send() -> 204#204

System.Net.Sockets Verbose: 0 : [15784] Socket#50912888::Receive()

System.Net.Sockets Verbose: 0 : [15784] Data from Socket#50912888::Receive

System.Net.Sockets Verbose: 0 : [15784] 00000000 : 15 03 00 00 02 : .....

System.Net.Sockets Verbose: 0 : [15784] Exiting Socket#50912888::Receive() -> 5#5

System.Net.Sockets Verbose: 0 : [15784] Socket#50912888::Receive()

System.Net.Sockets Verbose: 0 : [15784] Data from Socket#50912888::Receive

System.Net.Sockets Verbose: 0 : [15784] 00000005 : 02 28 : .(

System.Net.Sockets Verbose: 0 : [15784] Exiting Socket#50912888::Receive() -> 2#2

System.Net Information: 0 : [15784] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 10709bc8:189fc88, targetName = transform.documentmailbox.net, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)

System.Net Information: 0 : [15784] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).

System.Net.Sockets Verbose: 0 : [15784] Socket#50912888::Dispose()

System.Net Error: 0 : [15784] Exception in the HttpWebRequest#44205226:: - The request was aborted: Could not create SSL/TLS secure channel.

System.Net Error: 0 : [15784] Exception in the HttpWebRequest#44205226::EndGetRequestStream - The request was aborted: Could not create SSL/TLS secure channel.

Good Server:

System.Net.Sockets Verbose: 0 : [0244] Exiting Socket#56654665::Send() -> 204#204

System.Net.Sockets Verbose: 0 : [0244] Socket#56654665::Receive()

System.Net.Sockets Verbose: 0 : [0244] Data from Socket#56654665::Receive

System.Net.Sockets Verbose: 0 : [0244] 00000000 : 14 03 00 00 01 : .....

System.Net.Sockets Verbose: 0 : [0244] Exiting Socket#56654665::Receive() -> 5#5

System.Net.Sockets Verbose: 0 : [0244] Socket#56654665::Receive()

System.Net.Sockets Verbose: 0 : [0244] Data from Socket#56654665::Receive

System.Net.Sockets Verbose: 0 : [0244] 00000005 : 01 : .

System.Net.Sockets Verbose: 0 : [0244] Exiting Socket#56654665::Receive() -> 1#1

System.Net Information: 0 : [0244] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = b2310:174420, targetName = transform.documentmailbox.net, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)

System.Net Information: 0 : [0244] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).

System.Net.Sockets Verbose: 0 : [0244] Socket#56654665::Receive()

System.Net.Sockets Verbose: 0 : [0244] Data from Socket#56654665::Receive

System.Net.Sockets Verbose: 0 : [0244] 00000000 : 16 03 00 00 38 : ....8

System.Net.Sockets Verbose: 0 : [0244] Exiting Socket#56654665::Receive() -> 5#5

System.Net.Sockets Verbose: 0 : [0244] Socket#56654665::Receive()

System.Net.Sockets Verbose: 0 : [0244] Data from Socket#56654665::Receive

System.Net.Sockets Verbose: 0 : [0244] 00000005 : C0 44 EB FF 6A 88 AD DA-2C 5A 74 99 AD 11 CE 16 : .D..j...,Zt.....

System.Net.Sockets Verbose: 0 : [0244] 00000015 : 4B 10 29 D7 DD 4E A0 83-E9 DE EB BD 37 2F 81 FB : K.)..N......7/..

System.Net.Sockets Verbose: 0 : [0244] 00000025 : D4 9C 99 6C FB A0 CA 6B-1A 4E 7A CA B9 39 1B 91 : ...l...k.Nz..9..

System.Net.Sockets Verbose: 0 : [0244] 00000035 : 7B 26 B1 01 8C FD C1 08- : {&......

System.Net.Sockets Verbose: 0 : [0244] Exiting Socket#56654665::Receive() -> 56#56

System.Net Information: 0 : [0244] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = b2310:174420, targetName = transform.documentmailbox.net, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)

System.Net Information: 0 : [0244] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=OK).

Comments (1)

梦萦几度 2024-10-31 08:05:43

Since you asked for troubleshooting tips, and not a definitive answer, I'll post this as an answer, but take this for what it's worth...

Based on the fact that some servers can access this and others can't, I would bet that the issue is still a matter of trust on the certificate.

The certificate may have been issued by Verisign, and may well be trusted on most machines, but that does NOT mean that it's trusted on all machines.

We had similar issues about 6 months ago when we updated the certs on our primary web server. We took in several calls from customers, and in each case, the resolution was to have them go to Windows Updates and look for a Root Certificates update OR google for the most recent update and download it from Microsoft. Apparently, for some reason, the Root Certificate Updates are not always applied in the normal Update process.
