在Linux上，ASP.NET Core Kestrel从不提示客户端证书。

Question

在Linux上，ASP.NET Core Kestrel从不提示客户端证书。

c#asp.net.netasp.net-corekestrel-http-server

3

我有一个ASP.NET Core 1.1应用程序，已经设置为使用Https并需要客户端证书：

我在Linux上运行该应用程序。

如果我将ClientCertificateMode更改为“AllowCertificates”，则一切正常，但浏览器从不提示客户端证书。

当设置为“RequireCertificate”时，浏览器仍然不会提示证书，服务器端会收到下面的两个异常（每个异常都重复四次），并且没有响应返回给浏览器：

Microsoft.AspNetCore.Server.Kestrel:Error: ConnectionFilter.OnConnection

System.AggregateException：一个或多个错误发生了。（身份验证失败，因为远程方已关闭传输流。）---> System.IO.IOException：身份验证失败，因为远程方已关闭传输流。在 System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) 在 System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest) --- 上一个位置引发异常的堆栈跟踪的结尾 --- 在 System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() 在 System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult) 在 System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result) 在 System.Net.Security.SslStream.EndAuthenticateAsServer(IAsyncResult asyncResult) 在 System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization) --- 上一个位置引发异常的堆栈跟踪的结尾 --- 在 System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() 在 System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 在 Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionFilter.d__3.MoveNext() --- 内部异常堆栈跟踪结束 --- --->（内部异常＃0）System.IO.IOException：身份验证失败，因为远程方已关闭传输流。在 System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) 在 System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest) --- 上一个位置引发异常的堆栈跟踪的结尾 --- 在 System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() 在 System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult) 在 System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result) 在 System.Net.Security.SslStream.EndAuthenticateAsServer(IAsyncResult asyncResult) 在 System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization) --- 上一个位置引发异常的堆栈跟踪的结尾 --- 在 System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() 在 System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 在 Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionFilter.d__3.MoveNext()<---

Microsoft.AspNetCore.Server.Kestrel：错误：ConnectionFilter.OnConnection

System.AggregateException: 发生了一个或多个错误。(根据验证过程，远程证书无效。) ---> System.Security.Authentication.AuthenticationException: 根据验证过程，远程证书无效。 at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest) --- 前一个位置引发异常的堆栈跟踪的结尾 --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult) at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result) at System.Net.Security.SslStream.EndAuthenticateAsServer(IAsyncResult asyncResult) at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization) --- 前一个位置引发异常的堆栈跟踪的结尾 --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionFilter.d__3.MoveNext() --- 内部异常堆栈跟踪的结尾 --- ---> (内部异常 #0) System.Security.Authentication.AuthenticationException: 根据验证过程，远程证书无效。 at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security

我花费了大约四个小时尝试不同的方法并在谷歌上搜索，但似乎无法找出问题的核心原因，所以想看看这里是否有人有主意。

- jceddy

2个回答

网页内容由stack overflow 提供, 点击上面的

可以查看英文原文，
原文链接

- Michael Weinand · Answer 1

不确定您是否已经找到了解决方案，但我最近遇到了类似的问题。我发现如果您没有任何由服务器信任的CA签名的客户端证书，那么您就不会收到提示。我的解决方案是在 Linux 中将根CA添加到信任存储中，之后客户端证书将被适当地发送/提示。

- jceddy · Answer 2

我最终使用IIS作为反向代理来获取证书信息（并进行验证），然后将其通过标头传递给Kestrel。