【发布时间】:2020-03-14 01:00:56
【问题描述】:
我们有一个 WCF 客户端和服务器,它们通过流传输模式的 WCF NetTcpBinding 进行通信,其中客户端使用这些相关设置设置 WCF NetTcpBInding:
TransferMode = TransferMode.Streamed
Security.Mode = SecurityMode.Transport
Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate
Security.Transport.SslProtocols = System.Security.Authentication.SslProtocols.None
根据https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls,SslProtocols.None 确保 WCF 在使用 NetTcp 传输时使用操作系统默认设置。
我们所有的 Windows 主机都配置为仅允许 TLS 1.2。这已使用 Windows 注册表进行配置,并将所有服务器和客户端密钥设置为禁用 SSL 2.0、SSL 3.0n TLS 1.0 和 TLS 1.1,并仅在以下位置为 TLS 1.2 启用:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols,如https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings 所述。
此外,我们的 WCF 客户端和服务器的 app.config 文件包含此运行时条目(如 https://docs.microsoft.com/en-us/configmgr/core/plan-design/security/enable-tls-1-2 中所述):
<configuration>
<runtime>
<AppContextSwitchOverrides value="Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols=false;Switch.System.Net.DontEnableSchUseStrongCrypto=false" />
</runtime>
</configuration>
当 WCF 客户端在 Windows 10(内部版本 1809)上运行,而服务器在 Windows Server 2019 LTSC、.NET 版本 4.7.2 上运行时,WCF 通信工作正常。
当 WCF 客户端和服务器都在 Windows Server 2019 LTSC、.NET 4.7.2 上运行时,通信失败并出现以下异常:
Message: A call to SSPI failed, see inner exception.
Title:The file information could not be gathered.
Inner Exception 1: A call to SSPI failed, see inner exception.
Inner Exception 2: The client and server cannot communicate, because they do not possess a common algorithm
Server stack trace:
at System.ServiceModel.Channels.SslStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
at System.ServiceModel.Channels.StreamSecurityUpgradeInitiatorBase.InitiateUpgrade(Stream stream)
at System.ServiceModel.Channels.ConnectionUpgradeHelper.InitiateUpgrade(StreamUpgradeInitiator upgradeInitiator, IConnection& connection, ClientFramingDecoder decoder, IDefaultCommunicationTimeouts defaultTimeouts, TimeoutHelper& timeoutHelper)
at System.ServiceModel.Channels.StreamedFramingRequestChannel.SendPreamble(IConnection connection, TimeoutHelper& timeoutHelper, ClientFramingDecoder decoder, SecurityMessageProperty& remoteSecurity)
at System.ServiceModel.Channels.StreamedFramingRequestChannel.StreamedConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
at System.ServiceModel.Channels.StreamedFramingRequestChannel.StreamedFramingRequest.SendRequest(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
我们能够通过在设置客户端 NetTcpBinding 时显式设置 Security.Transport.SslProtocols 来解决问题,而不是让操作系统来决定,如下所示:
Security.Transport.SslProtocols = System.Security.Authentication.SslProtocols.Tls12 Or System.Security.Authentication.SslProtocols.Tls11 Or System.Security.Authentication.SslProtocols.Tls Or System.Security.Authentication.SslProtocols.Ssl3
我们不明白为什么此解决方案有效,因为我们希望此修复与让操作系统选择具有相同的效果。
在所有主机上仅允许 TLS 1.2 的情况下,当客户端和服务器都在 Windows Server 2019 上运行而不是客户端在 Windows 10 上运行时,通信怎么会失败?没有什么比 TLS 1.2 默认的了。 如何调查 Windows 默认使用哪种协议?
【问题讨论】: