问题描述
我的应用程序必须与不同的主机通过https,而 ServicePointManager.SecurityProtocol = TLS 的默认设置为我好了这一天。现在,我有一些它的主机(如 System.Net 跟踪日志所示)不回答初始TLS握手消息,但保持基本的连接打开,直到超时,扔超时异常。我试着设置的HttpWebRequest 的超时之多5分钟,具有相同的结果。 presumably这些主机都在等待一个SSL3握手,因为IE和火狐都能够在30-40秒钟的延迟后,连接到这些主机。似乎是在.NET这会降低TLS来SSL3一些备用机制,但它不会踢的某些原因。
My application has to talk to different hosts over https, and the default setting of ServicePointManager.SecurityProtocol = TLS served me well up to this day. Now I have some hosts which (as System.Net trace log shows) don't answer the initial TLS handshake message but keep the underlying connection open until it times out, throwing a timeout exception. I tried setting HttpWebRequest's timeout to as much as 5mins, with the same result. Presumably these hosts are waiting for an SSL3 handshake since both IE and Firefox are able to connect to these hosts after a 30-40 seconds' delay. There seems to be some fallback mechanism in .NET which degrades TLS to SSL3, but it doesn't kick in for some reason.
FWIW,这里的握手消息我的请求被发送(常规TLS 1.0客户端HELLO消息):
FWIW, here's the handshake message my request is sending (a regular TLS 1.0 CLIENT HELLO message):
00000000 : 16 03 01 00 57 01 00 00-53 03 01 4C 12 39 B4 F9 : ....W...S..L.9..
00000010 : A3 2C 3D EE E1 2A 7A 3E-D2 D6 0D 2E A9 A8 6C 03 : .,=..*z>......l.
00000020 : E7 8F A3 43 0A 73 9C CE-D7 EE CF 00 00 18 00 2F : ...C.s........./
00000030 : 00 35 00 05 00 0A C0 09-C0 0A C0 13 C0 14 00 32 : .5.............2
00000040 : 00 38 00 13 00 04 01 00-00 12 00 0A 00 08 00 06 : .8..............
00000050 : 00 17 00 18 00 19 00 0B-00 02 01 00 : ............
有没有办法使用SSL3,而不是TLS在一个特定的的HttpWebRequest ,或强制回退?看来, ServicePointManager 的设置是全球性的,我真的很讨厌不得不降低安全协议设置SSL3为整个应用程序。
Is there a way to use SSL3 instead of TLS in a particular HttpWebRequest, or force a fallback? It seems that ServicePointManager's setting is global, and I'd really hate to have to degrade the security protocol setting to SSL3 for the whole application.
推荐答案
其实, ServicePointManager 设置是每个应用程序域。这使我能够解决的问题,通过创建一个单独的应用程序域设置为只使用SSL3,让我的数据采集对象 MarshalByRefObject的(均 Web客户端和的WebRequest 是元帅按裁判,不过还好,减少跨AppDomain的调用次数),并创建它。工作完美结合的基于超时的检测方案。
Actually, ServicePointManager settings are per-appdomain. This enabled me to work around the problem by creating a separate appdomain set up to use only SSL3, making my data collection object MarshalByRefObject (both WebClient and WebRequest are marshal-by-ref, but better to reduce the number of cross-appdomain calls) and creating it there. Worked perfectly combined with a timeout-based detection scheme.
这篇关于如何使用SSL3代替TLS在一个特定的HttpWebRequest?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!