logo标签列表

随机请求被中止:无法创建SSL/TLS安全通道。返回代码=MessageAltered。

c#.nethttpwebrequestwebrequesttls1.2
5
在大约一千个HTTPS请求中,会抛出以下异常:
System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
    at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
    at System.Net.WebClient.DownloadString(Uri address)

来自System.Net的日志如下:

2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] Associating HttpWebRequest#37618637 with ServicePoint#28841767
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] Associating Connection#16407032 with HttpWebRequest#37618637
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net.Sockets | [2688] Socket#42531032 - Created connection from x.x.x.x:12345 to y.y.y.y:443.
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] Connection#16407032 - Created connection from x.x.x.x:12345 to y.y.y.y:443.
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] TlsStream#54603865::.ctor(host=www.remoteservice.com, #certs=0)
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] Associating HttpWebRequest#37618637 with ConnectStream#27023101
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] HttpWebRequest#37618637 - Request: GET /api/v3/method HTTP/1.1
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] ConnectStream#27023101 - Sending headers
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] SecureChannel#66031633::.ctor(hostname=www.remoteservice.com, #clientCertificates=0, encryptionPolicy=RequireEncryption)
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] SecureChannel#66031633 - Left with 0 client certificates to choose from.
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] Using the cached credential handle.
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=379, returned code=ContinueNeeded).
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505f981f0, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505f981f0, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505f981f0, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505f981f0, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:10:17.4937 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=574, returned code=ContinueNeeded).
2016-09-20 15:10:17.5562 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505f981f0, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:10:17.5562 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=MessageAltered).
2016-09-20 15:10:17.5562 | ERROR | 72 | System.Net | [2688] Exception in HttpWebRequest#37618637:: - The request was aborted: Could not create SSL/TLS secure channel..
2016-09-20 15:10:17.5562 | ERROR | 72 | System.Net | [2688] Exception in HttpWebRequest#37618637::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..
2016-09-20 15:10:17.5562 | ERROR | 72 | System.Net | [2688] Exception in HttpWebRequest#37618637:: - The request was aborted: The request was canceled..

InitializeSecurityContext在此行结束:

InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=MessageAltered)

为了比较,这里有一个成功的HTTPS调用示例:

2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] Associating HttpWebRequest#23767080 with ServicePoint#28841767
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] Associating Connection#23643787 with HttpWebRequest#23767080
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net.Sockets | [1900] Socket#66957105 - Created connection from x.x.x.x:12345 to y.y.y.y:443.
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] Connection#23643787 - Created connection from x.x.x.x:12345 to y.y.y.y:443.
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] TlsStream#51402822::.ctor(host=www.remoteservice.com, #certs=0)
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] Associating HttpWebRequest#23767080 with ConnectStream#55741749
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] HttpWebRequest#23767080 - Request: GET /api/v3/method/123 HTTP/1.1
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] ConnectStream#55741749 - Sending headers
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] SecureChannel#20739431::.ctor(hostname=www.remoteservice.com, #clientCertificates=0, encryptionPolicy=RequireEncryption)
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] SecureChannel#20739431 - Left with 0 client certificates to choose from.
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] Using the cached credential handle.
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=379, returned code=ContinueNeeded).
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:22.3190 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=574, returned code=ContinueNeeded).
2016-09-20 15:11:22.3815 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=OK).
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] Remote certificate: [Version] V3 (more info on certificate here)
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] SecureChannel#20739431 - Remote certificate was verified as valid by the user.
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] ProcessAuthentication(Protocol=Tls12, Cipher=Aes256 256 bit strength, Hash=32781 0 bit strength, Key Exchange=DiffieHellman 4096 bit strength).
2016-09-20 15:11:22.8971 | INFO | 47 | System.Net | [1900] Connection#23643787 - Received status line: Version=1.1, StatusCode=200, StatusDescription=OK.
2016-09-20 15:11:22.8971 | INFO | 47 | System.Net | [1900] Connection#23643787 - Received headers
2016-09-20 15:11:22.8971 | INFO | 47 | System.Net | [1900] ConnectStream#43287324::ConnectStream(Buffered -1 bytes.)
2016-09-20 15:11:22.8971 | INFO | 47 | System.Net | [1900] Associating HttpWebRequest#23767080 with ConnectStream#43287324
2016-09-20 15:11:22.8971 | INFO | 47 | System.Net | [1900] Associating HttpWebRequest#23767080 with HttpWebResponse#32954516
2016-09-20 15:11:22.8971 | INFO | 47 | System.Net | [1900] ContentLength=-1

ServicePointManager 的配置如下:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, errors) => true;
ServicePointManager.Expect100Continue = false;
ServicePointManager.DefaultConnectionLimit = 24;

.NET框架版本为4.5。

你有任何想法为什么会发生这种情况吗?

你使用Net跟踪吗?:https://blogs.msdn.microsoft.com/dgorti/2005/09/18/using-system-net-tracing/ - Kiquenet
为什么要将 Expect100Continue = false,而不是 true - Kiquenet
1
非常感谢您提出此问题!对我来说,解决方案在Kiquenet的评论中:https://www.zdnet.com/article/microsoft-warns-of-problems-with-schannel-security-update/。 - eventhorizon
很高兴听到这个消息!回顾一下这个问题,我可能还有其他问题 - 我可能在另一个地方、在另一个线程中修改了ServicePointManager.SecurityProtocol。这是静态的,因此适用于整个应用程序域/进程。请记住这一点,并在此处查看详细信息:https://dev59.com/eF8d5IYBdhLWcg3w1VE1 - piotrwest
1个回答
3
从Schannel的角度来看,MessageAltered意味着:TLS1_ALERT_BAD_RECORD_MAC,根据RFC 5246:https://www.rfc-editor.org/rfc/rfc5246 的解释是:
bad_record_mac 如果收到一个带有不正确MAC的记录,则返回此警报。如果因为以无效方式解密TLSCiphertext而发送警报,则也必须返回此警报:它不是块长度的偶数倍,或者在检查时其填充值不正确。这条消息始终是致命的,并且在适当的实现之间的通信中永远不应该被观察到(除非网络中的消息已损坏)。
所接收的消息似乎以某种方式/形式损坏,导致解密失败。您可能需要联系服务器供应商来纠正他们的问题,或者如果您无法影响服务器人员,则可以重试请求-前提是随后的请求成功。
问题是在服务器端还是客户端?不是因为什么造成的吗?解决方案是重试。 - Kiquenet
如何在客户端捕获SSL/TLS的网络流量?即使没有NetMon,在Windows计算机上获取网络捕获也很容易且可脚本化。NetSh.exe是Windows网络的“瑞士军刀”,可用于收集网络跟踪。请参考以下链接:https://blogs.technet.microsoft.com/tspring/2015/02/23/poor-mans-guide-to-troubleshooting-tls-failures/ - Kiquenet
2
微软警告称,Schannel安全更新存在问题。 - Kiquenet
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接