如何在Windows上使用.NET Core中的TLS使用OpenSSL?
我有一个简单的挑战,因为我正在研究一个多平台项目,在该项目中,我拥有具有TLS 1.2的服务器和一个客户证书来验证任何REST API调用所需的客户证书。这在Linux,WSL和Docker/Linux中都可以正常工作。但不在Windows上!
在Linux Systems上,.NET Core将使用OPENSL进行安全性。在Windows上,使用Schannel。 Schannel在我的证书和该特定服务器上存在一些问题。这很烦人,因为我无法控制证书,也无法控制服务器。而且,构建服务器的任何人显然从未使用Windows和Schannel正确测试。 (但是我们要求他们修复它!)所以我正在寻找替代方案...
替代方法是仅在Windows中使用OpenSSL而不是Schannel。因此,我研究了HTTPCLIENT代码以及与抽象类,任务,异步代码以及许多许多代表和Lambda功能的所有复杂性。尽管我是2004年以来基本上使用的C#专家,但我仍然找不到解决方案来告诉httpclient to 明确使用openssl而不是schannel。
与Windows,Bla,bla似乎未使用的密码。这很复杂,对于我想要的东西肯定没有简单的答案。在Internet上搜索解决方案更加烦人,因为许多结果是.NET 4.8或以上版本,而不是.NET CORE 6。一些4.7文档确实提到ServicePointManager将使用主机操作系统提供的协议,因此我'LL最终在Windows上放了Schannel。显然,对于最新的.NET版本而言,这仍然是正确的...
[编辑] Internet Explorer可能已经过时了,但是它显示了Schannel的问题,因为Chrome,Edge和其他浏览器使用不同的库,而不是Schannel。是的,这里使用了TLS1.2,并且所有密码都已在我的Windows系统上激活,但它仍然不接受。尝试了很多事情来让IE接受该网站,而无效。因此,我想解决Schannel的工作,否则我必须使用.NET作为该项目的开发环境进行废除。
I have a simple challenge as I'm working on a multi-platform project where I have a server with TLS 1.2 and a client certificate that is required to authenticate any REST API calls. This works fine on Linux, in WSL and in Docker/Linux. But not on Windows!
On Linux systems, .NET Core will use OpenSSL for the security stuff. On Windows, SChannel is used instead. And SChannel has some issues with my certificate and this specific server. Which is annoying as I have no control over the certificate, nor the server. And whomever built the server apparently never tested things properly with Windows and SChannel. (But we have requested that they fix it!) So I'm looking for an alternative...
The alternative is to just use OpenSSL instead of SChannel in Windows. So I went digging into the HttpClient code and all it's complexities with abstract classes, tasks, asynchronous code and many, many delegates and lambda function. And although I'm an expert with C# as I basically used it since 2004 or so, I still can't find a solution to tell HttpClient to explicitly use OpenSSL instead of SChannel.
Something with Ciphersuites that seem to be unused in Windows, bla, bla. It's complex and there definitely seems no simple answer for what I'm looking for. It's even more annoying to search on the Internet for solutions as many results are for .NET 4.8 or older versions, not .NET Core 6. Some 4.7 documentation does mention that the ServicePointManager will use the protocols provided by the host operating system, thus I'll end up with SChannel on Windows. Apparently, that's still true for the latest .NET versions...
[edit]
Internet Explorer might be obsolete, but it shows the problem with SChannel as Chrome, Edge and other browsers use different libraries, not SChannel. And yes, TLS1.2 is used here, and all ciphersuites have been activated on my Windows system, yet it still won't accept it. Tried a lot to get IE to accept the site and none worked. So I want to work around SChannel or else I have to scrap using .NET as development environment for this project.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
并不是说这是不可能的,但是Windows SSL功能完全建立在Schannel周围,因此您正在尝试更换它的噩梦。您可能想查看另一条涉及https/ssl代码中最佳实践的路线。...
作为或多或少的fubar,您无法控制它。最佳实践会出去窗口...
如果您的证书与您感兴趣的属性相匹配,接受并返回true,则可以使用证书验证回调。只是不要自动接受大多数示例中显示的任何东西,因为这是一个巨大的安全漏洞。这应该可以解决Schannel抱怨的任何事情,并允许您接受证书,直到它们修复它。
出于好奇,它抛出了什么错误?
Not saying it's impossible, but windows SSL functionalities are built entirely around SChannel thus the nightmare you are running into trying to replace it. You may want to look at a different route which is a hack and something that goes against best practices in HTTPS/SSL code....
Being your cert is more or less FUBAR and you don't have control of it. Best practices go out the window...
You could use the certificate validation callback, if your certificate matches the attributes you are interested in, accept it and return true. Just don't auto accept anything as shown in most examples as that's a huge security hole. This should get around whatever SChannel is complaining about and allow you to accept the cert until they fix it.
Just out of curiosity what error is it throwing?