在2019年WIN上执行.NET核心自我包含的应用程序,该应用程序创建MTLS连接返回无法联系本地安全管理局
我正在Windows 2019上运行一个自我包含的dotnet应用程序,以使用带有客户端证书的MTLS在远程计算机上执行简单的HTTPCLIENT。
我通过传递P12密钥库FilePath,在应用程序中加载客户端证书,该文件具有证书键盘和链条。
使用Windows 2019服务器上的Invoke-RestMethod在PowerShell上执行此操作,这意味着证书正确加载,并且通过访问证书存储来验证服务器证书。
另外,在本地运行该应用程序!因此,这意味着客户端和服务器证书和链条都是有效的,我的DotNet框架可以访问本地Windows商店。
这是引起问题的简单呼叫:
var certificate = new X509Certificate2(filePath, password);
Console.WriteLine($"Certificate found in keystore: {certificate.FriendlyName}. {certificate.Thumbprint}. {certificate.Subject}.");
var handler = new HttpClientHandler();
var httpClient = new HttpClient(handler)
handler.ClientCertificates.Add(certificate);
var result = httpClient.GetAsync("https://urltoserverwithvalidmTLS").GetAwaiter().GetResult();
我得到的例外是:
Exception: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception
---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
---> System.ComponentModel.Win32Exception (0x80090304): The Local Security Authority cannot be contacted
--- End of inner exception stack trace ---
at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
应用程序发布:
-Configuration Release -R win-x64-被固定的true
和csproj Targets NetCoreApp3.1
此时我没有线索为什么这不起作用。任何帮助将不胜感激。
I'm running a self contained dotnet app on a windows 2019 to execute a simple httpclient get on a remote machine using mTLS with a client certificate.
I am loading the client certificate in the application by passing a p12 keystore filepath, which has the certificate keypair and chain.
Executing this get on powershell with invoke-restmethod on the windows 2019 server works, which means the certificate loads properly and the server certificate is validated by accessing the certificate store.
Also, running the application locally works! so that means that both client and server certificates and chains are valid and my dotnet framework can access the local windows store.
Here is the simple call that is causing the issue:
var certificate = new X509Certificate2(filePath, password);
Console.WriteLine(quot;Certificate found in keystore: {certificate.FriendlyName}. {certificate.Thumbprint}. {certificate.Subject}.");
var handler = new HttpClientHandler();
var httpClient = new HttpClient(handler)
handler.ClientCertificates.Add(certificate);
var result = httpClient.GetAsync("https://urltoserverwithvalidmTLS").GetAwaiter().GetResult();
The exception i get is:
Exception: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception
---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
---> System.ComponentModel.Win32Exception (0x80090304): The Local Security Authority cannot be contacted
--- End of inner exception stack trace ---
at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
App is published with:
--configuration Release -r win-x64 --self-contained true
and csproj targets netcoreapp3.1 framework
At this point i have no clue why this is not working. Any help would be appreciated.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
这与与SSL协议有关的两个问题的组合有关。 dotnet httpclient默认为Windows 2019上的无效TLS协议。
将SSLProtocols设置为TLS12解决了这一点。
另一个问题是Windows 2019在创建TLS连接时不适用于短暂的密钥。
将连接标志设置为X509Keystorageflags.persistKeySet解决了这一点。
这是一个示例HTTP客户端,可在Windows 2019上使用.NET6:
This was related to a combination of two issues related to ssl protocols. Dotnet httpclient defaults to an invalid TLS protocol on windows 2019.
Setting the SslProtocols to Tls12 resolved this.
The other issue is that windows 2019 does not work with ephemeral key when creating tls connections.
Setting the connection flag to X509KeyStorageFlags.PersistKeySet resolved this.
Here is a sample http client that works on windows 2019 with .net6: