无法将 HTTPS 与 ServerXMLHTTP 对象一起使用
我支持通过 HTTPS 连接到支付网关的经典 ASP 应用程序。直到最近还没有出现任何问题。几天前,最新的更新安装在服务器(Windows Server 2003)上并导致网站崩溃。下面是一个代码片段。
Dim oHttp
Dim strResult
Set oHttp = CreateObject("MSXML2.ServerXMLHTTP")
oHttp.setOption(2) = 13056
oHttp.open "POST", SOAP_ENDPOINT, false
oHttp.setRequestHeader "Content-Type", "application/soap+xml; charset=utf-8"
oHttp.setRequestHeader "SOAPAction", SOAP_NS + "/" & SOAP_FUNCTION
oHttp.send SOAP_REQUEST
下面是错误对象的转储:-
编号:-2147012852 说明:需要证书才能完成客户端身份验证 消息:需要证书才能完成客户端身份验证
起初我以为这是因为支付网关的 SSL 证书未经过身份验证或者需要客户端证书。我在服务器上的浏览器中测试了该 URL,它显示正确,没有错误,并确认支付网关服务器不需要客户端证书。
我不知所措。我所做的所有研究都毫无结果。我什至尝试了在 Stackoverflow 上找到的以下内容:-
最后一个说明需要客户端证书XMLHTTP 尽管服务器不需要它并指出了一篇有关如何安装 XMLHTTP 的知识库文章,但该文章已经过时并且不起作用。
I am supporting a Classic ASP application that connects to a payment gateway via HTTPS. Up until recently there have been no issues. A few days ago the latest updates were installed on the server (Windows Server 2003) and caused the site to break. A code snippet is below.
Dim oHttp
Dim strResult
Set oHttp = CreateObject("MSXML2.ServerXMLHTTP")
oHttp.setOption(2) = 13056
oHttp.open "POST", SOAP_ENDPOINT, false
oHttp.setRequestHeader "Content-Type", "application/soap+xml; charset=utf-8"
oHttp.setRequestHeader "SOAPAction", SOAP_NS + "/" & SOAP_FUNCTION
oHttp.send SOAP_REQUEST
Below is a dump of the error object :-
Number: -2147012852
Description: A certificate is required to complete client authentication
Message: A certificate is required to complete client authentication
At first I thought it was because the Payment Gateway's SSL certificate was not being authenticated or they needed a client certificate. I tested the URL in a browser on the server and it displayed correctly without errors and confirmed that the Payment Gateway server did not require a client certificate.
I am at a loss. All the research I have done has lead me nowhere. I even tried the following found on Stackoverflow :-
Getting XMLHTTP to work with HTTPS
The last one stated that a client certificate is required by XMLHTTP even though the server does not need it and pointed to a KB article on how to install one, but that is outdated and does not work.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
尝试添加
oHttp.setOption 2, 13056Try adding
oHttp.setOption 2, 13056刚刚找到了已通过测试的解决方案:
这是客户端问题。正如OP指出的那样,MSXML2.ServerXMLHTTP确实要求您在调用使用SSL保护的端点时使用客户端证书(即使端点不需要它)。
在Web服务器上,您需要:
详细信息:
1.创建客户端证书
使用以下 PowerShell 命令创建新的自签名证书:
请注意,通过此命令创建的证书的有效期仅为 1 年。
2.为证书分配权限
使用 MMC,查看计算机帐户的证书存储:
如何:使用 MMC 管理单元查看证书
上面创建的证书可以在证书(本地计算机)\个人\证书( “发布者”和“发布者”列显示“ServerXMLHTTP”)。
右键单击ServerXMLHTTP证书,选择“所有任务”->将显示“管理私钥”和权限对话框。
添加运行 ASP 网站应用程序池的用户。默认情况下,它将作为“ApplicationPoolIdentity”运行,但您的设置可能使用特定的用户帐户。如果应用程序池使用ApplicationPoolIdentity,则要添加的用户名是“IIS AppPool\APP POOL NAME”,例如IIS AppPool\DefaultAppPool
用户将被添加为“完全控制”,可以取消选择。似乎只需要“读取”权限。单击“确定”确认权限。
3.在 ServerXMLHTTP 对象上设置证书
在 ASP 代码中,将 ServerXMLHTTP 对象设置为使用上面创建的证书。例如,致电 PayPal 获取访问令牌:
希望这仍然有帮助。
Just found the solution to this which has passed testing on:
It's a client problem. MSXML2.ServerXMLHTTP does indeed require you to use a client certificate when calling an endpoint secured with SSL (even if the endpoint doesn't require it), as the OP noted.
On the webserver, you need to:
In detail:
1. Create a client certificate
Use the following PowerShell command to create a new self-signed certificate:
Note that the certificate created by this command will only be valid for 1 year.
2. Assign permissions to the certificate
Using MMC, view the certificate store for the computer account:
How to: View Certificates with the MMC Snap-in
The certificate created above can be found in Certificates (Local Computer)\Personal\Certificates (the "Issued By" and "Issued To" columns display "ServerXMLHTTP").
Right click the ServerXMLHTTP certificate, select "All Tasks" -> "Manage Private Keys" and the permissions dialog will display.
Add the user that the ASP website app pool is running as. By default it will be running as "ApplicationPoolIdentity", but your setup may be using a specific user account. If the app pool is using ApplicationPoolIdentity, the username to add is "IIS AppPool\APP POOL NAME", e.g. IIS AppPool\DefaultAppPool
The user will be added with "Full Control" which can be deselected. Only "Read" permission seems to be required. Click "OK" to confirm the permissions.
3. Set the certificate on the ServerXMLHTTP object
In your ASP code, set the ServerXMLHTTP object to use the certificate created above. For example calling PayPal for an access token:
Hopefully this is still of assistance.
我知道这是一个老问题。此问题可能是由于不受支持的密码套件造成的。
尝试添加
- TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
- TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
这意味着您必须遵循此知识库: http://support.microsoft.com/kb /948963
如果您仍在使用 Windows 2003,此更新也很有趣。它将允许使用 SHA2 连接到站点 - http:// /support.microsoft.com/kb/968730
请注意,Windows Server 2003 支持将于 2015 年 7 月 14 日结束
I know it is an old question. This issue could be because of unsupported cipher suites.
Try adding
- TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
- TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
That means you have to follow this kb: http://support.microsoft.com/kb/948963
This update is also interesting if you are still using windows 2003. Which will allow connecting to site using SHA2 - http://support.microsoft.com/kb/968730
Please note that Windows Server 2003 support is ending July 14, 2015
这可能确实是 ServerFault.com 的问题,毕竟如果代码工作正常那么它不是一个编程问题。
不过我会尝试一些事情。首先尝试使用 ProgID“MSXML2.ServerXMLHTTP.3.0”,在某些情况下,MSXML3 的行为会有所不同,具体取决于使用哪个 ProgID 来实例化组件。另外,从其他来源(例如防病毒供应商)进行更新(Sophos 有此问题)可能会破坏 MSXML 安装。
安装 MSXML6 后,另一个要尝试的 ProgID 是“MSXML2.ServerXMLHTTP.6.0”。如果问题出在 MSXML3 核心更新上,那么 MSXML6 核心可能不会出现同样的问题。
This is probably a ServerFault.com question really, after all if the code is working fine then its not a programmatic problem.
However I would try a couple of things. First try using a the ProgID "MSXML2.ServerXMLHTTP.3.0", in some circumstances MSXML3 will behave differently depending on which ProgID was used to instantiate the component. Also update from other sources like your anti-virus supplier (Sophos had this problem) can break MSXML installs.
Another ProgID to try is "MSXML2.ServerXMLHTTP.6.0" after having installed MSXML6. If the problem is with an update to the MSXML3 core then perhaps the MSXML6 core doesn't have the same problem.
您可以尝试使用 oHttp.setOption(3) = "证书存储名称/证书的友好名称"
如下。我希望这会起作用。
Can you try with oHttp.setOption(3) = "certificate store name/friendlyname of certificate"
as below. I hope this will works.