我使用了一个正常工作的ASP.NET Core 2.2应用程序,将其升级到3.0,突然该应用程序不再在Windows Server 2012中运行.它包含以下内容:
I took a working ASP.NET Core 2.2 app, upgraded it to 3.0 and suddenly the app no longer works in Windows Server 2012. It comes up with the following:
ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY
Chrome:
Firefox:
在我不得不选择加入HTTP/2之前,现在似乎是默认值以及HTTP1.1.这里有一个 github/aspnet/AspNetCore/issues/14350 的帖子,但没有真正的解决方案,这完全令人困惑.
It seems that before I had to opt into HTTP/2 and now its the default along with HTTP1.1. There is a post here github/aspnet/AspNetCore/issues/14350 but that is totally confusing with no real solution.
我尝试了各种启用/禁用不安全协议的方法,但无济于事.例如 www.admin-enclave/de/articles-by-year/11-data-articles/website_articles/articles/exchange_articles/405-resolved-error-err_spdy_inadequate_transport_security-when-using-google-chome-and-owa.html
I have tried all sorts of enabling / disabling insecure protocols but to no avail. Such as www.admin-enclave/de/articles-by-year/11-data-articles/website_articles/articles/exchange_articles/405-resolved-error-err_spdy_inadequate_transport_security-when-using-google-chome-and-owa.html
由于我认为更好的协议套件,因此在Windows 10上运行良好.但是在Fiddler中,我检查了一下,与Kestrel进行谈判的唯一区别是:
Works fine on Windows 10 due to what I assume more better protocol suite. But in Fiddler I checked and the only difference when negotiating with Kestrel is:
Windows Server 2012 R2:
Windows Server 2012 R2:
[0A0A] Unrecognized cipher - See www.iana/assignments/tls-parameters/ [1301] Unrecognized cipher - See www.iana/assignments/tls-parameters/ [1302] Unrecognized cipher - See www.iana/assignments/tls-parameters/ [1303] Unrecognized cipher - See www.iana/assignments/tls-parameters/ [C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 [C02F] Unrecognized cipher - See www.iana/assignments/tls-parameters/ [C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 [C030] Unrecognized cipher - See www.iana/assignments/tls-parameters/ [CCA9] Unrecognized cipher - See www.iana/assignments/tls-parameters/ [CCA8] Unrecognized cipher - See www.iana/assignments/tls-parameters/ [C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA [C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA [009C] Unrecognized cipher - See www.iana/assignments/tls-parameters/ [009D] Unrecognized cipher - See www.iana/assignments/tls-parameters/ [002F] TLS_RSA_AES_128_SHA [0035] TLS_RSA_AES_256_SHA [000A] SSL_RSA_WITH_3DES_EDE_SHAWindows 10:
Windows 10:
[3A3A] Unrecognized cipher - See www.iana/assignments/tls-parameters/ [1301] Unrecognized cipher - See www.iana/assignments/tls-parameters/ [1302] Unrecognized cipher - See www.iana/assignments/tls-parameters/ [1303] Unrecognized cipher - See www.iana/assignments/tls-parameters/ [C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 [C02F] Unrecognized cipher - See www.iana/assignments/tls-parameters/ [C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 [C030] Unrecognized cipher - See www.iana/assignments/tls-parameters/ [CCA9] Unrecognized cipher - See www.iana/assignments/tls-parameters/ [CCA8] Unrecognized cipher - See www.iana/assignments/tls-parameters/ [C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA [C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA [009C] Unrecognized cipher - See www.iana/assignments/tls-parameters/ [009D] Unrecognized cipher - See www.iana/assignments/tls-parameters/ [002F] TLS_RSA_AES_128_SHA [0035] TLS_RSA_AES_256_SHA [000A] SSL_RSA_WITH_3DES_EDE_SHA最上面的一行是不同的,仅此而已.不知道这是什么,它是一些 GREASE 值.
The top line is different, but that is all. Not sure what is it, it is some GREASE value.
Program.cs:
Program.cs:
public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseKestrel(opts => { opts.ListenAnyIP(5000); opts.ListenAnyIP(5001, listenOpts => { listenOpts.UseHttps(new HttpsConnectionAdapterOptions { ServerCertificate = new X509Certificate2("certificate-server.pfx", "...") }); }); opts.Limits.MaxRequestBodySize = null; }) .UseContentRoot(Directory.GetCurrentDirectory()) .UseStartup<Startup>(); }更新
由于@ chris-pratt,我似乎走在正确的轨道上.将证书密码更改为 ECDSA_nistP256 可使Web应用程序正常工作.但是不幸的是,我还在使用证书来签名JWT令牌,现在它被打破了:
Update
Seems I am on the right track thanks to @chris-pratt. Changing the certificate cipher to ECDSA_nistP256 make the web application work. But unfortunately I am using the cert to also sign the JWT tokens, and now that is broken with:
System.NotSupportedException:证书密钥算法不正确支持的.在System.Security.Cryptography.X509Certificates.PublicKey.get_Key()
System.NotSupportedException: The certificate key algorithm is not supported. at System.Security.Cryptography.X509Certificates.PublicKey.get_Key()
签名代码为:
var privateKey = new X509SecurityKey(new X509Certificate2("certificate-server.pfx", "...")); var token = new JwtSecurityToken( issuer: "Sentry", claims: claims, notBefore: DateTime.Now, expires: DateTime.Now.AddDays(1), signingCredentials: new SigningCredentials(privateKey, SecurityAlgorithms.RsaSha256Signature)); return new JwtSecurityTokenHandler().WriteToken(token);我尝试更改 SecurityAlgorithms 枚举,但未成功.
I tried changing the SecurityAlgorithms enum but did not get any success.
推荐答案Windows 2012 R2不支持HTTP/2允许的密码套件.我假设从Core 3.0开始,默认情况下启用了HTTP/2协议.我通过在kestrel中禁用HTTP/2来解决我的问题,如下所示:
Windows 2012 R2 does not support the cypher suites that are allowed for HTTP/2. I assume that starting with Core 3.0 the HTTP/2 protocol is enabled by default. I solved my problem by disabling HTTP/2 in kestrel as follows:
public static IHostBuilder CreateHostBuilder(string[] args) => Host.CreateDefaultBuilder(args).ConfigureWebHostDefaults(webBuilder => { webBuilder.UseKestrel(options => { options.Listen(System.Net.IPAddress.Parse(DomainIp), 80); options.Listen(System.Net.IPAddress.Parse(DomainIp), 443, l => { l.UseHttps( DomainCertificateFile, DomainCertificatePassword); l.Protocols = Microsoft.AspNetCore.Server.Kestrel.Core.HttpProtocols.Http1; }); }); webBuilder.UseStaticWebAssets(); webBuilder.UseStartup<Startup>(); });更多推荐
由于ERR
发布评论