案例:
- 几天前,我们的集成合作伙伴错过了更改SSL服务器证书的最后期限,该证书的有效期是两天前
- 当这种情况发生时,我们的客户端软件开始抛出异常:"根据验证过程,远程证书无效"。我们的客户端软件是用.NET 4编写的,运行在Windows Server 2012上。SSL调用是通过WCF堆栈完成的
- 昨天下午,我们的集成合作伙伴安装了一个新的有效SSL证书
现在的问题是,我们仍然在客户端上得到相同的异常:"根据验证过程,远程证书无效"。
我的问题:
- SSL证书验证状态是否以某种方式缓存在客户端上?我们的客户端软件是一个长期运行的过程,很少重新启动
- 或者这是SSL协议的固有部分?我不是SSL或网络方面的专家,但a)只有在SSL握手期间,客户端才会检查服务器证书,b)SSL握手中交换的信息可以用于对同一服务器进行的多个网络请求,这不是真的吗?如果这确实是真的,那么如何定义SSL握手的有效期
更新:我们重新启动了客户端进程,然后它就工作了。对我来说,这表明某些SSL服务器证书验证状态是按进程缓存在客户端上的。我仍然非常想了解更多关于这方面的细节:这是在堆栈的哪个级别上发生的?WCF。NET?Windows API?缓存多长时间?有什么方法可以调整缓存行为吗?我可以手动清空缓存吗?这有记录吗?
全栈跟踪:
[E0]: The remote certificate is invalid according to the validation procedure.
[T0]: System.Security.Authentication.AuthenticationException at
System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message,
AsyncProtocolRequest asyncRequest, Exception exception) at
System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count,
AsyncProtocolRequest asyncRequest) at
System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count,
AsyncProtocolRequest asyncRequest) at
System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer,
AsyncProtocolRequest asyncRequest) at
System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count,
AsyncProtocolRequest asyncRequest) at
System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count,
AsyncProtocolRequest asyncRequest) at
System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer,
AsyncProtocolRequest asyncRequest) at
System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count,
AsyncProtocolRequest asyncRequest) at
System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count,
AsyncProtocolRequest asyncRequest) at
System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer,
AsyncProtocolRequest asyncRequest) at
System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count,
AsyncProtocolRequest asyncRequest) at
System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count,
AsyncProtocolRequest asyncRequest) at
System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer,
AsyncProtocolRequest asyncRequest) at
System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count,
AsyncProtocolRequest asyncRequest) at
System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count,
AsyncProtocolRequest asyncRequest) at
System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer,
AsyncProtocolRequest asyncRequest) at
System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count,
AsyncProtocolRequest asyncRequest) at
System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count,
AsyncProtocolRequest asyncRequest) at
System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer,
AsyncProtocolRequest asyncRequest) at
System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count,
AsyncProtocolRequest asyncRequest) at
System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[]
buffer, AsyncProtocolRequest asyncRequest) at
System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext
executionContext, ContextCallback callback, Object state, Boolean
preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext
executionContext, ContextCallback callback, Object state, Boolean
preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext
executionContext, ContextCallback callback, Object state) at
System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result) at
System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size) at
System.Net.ConnectStream.WriteHeaders(Boolean async) [E1]: The underlying
connection was closed: Could not establish trust relationship for the SSL/TLS
secure channel. [T1]: System.Net.WebException at
System.Net.HttpWebRequest.GetResponse() at
System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannel
Request.WaitForReply(TimeSpan timeout) [E2]: Could not establish trust
relationship for the SSL/TLS secure channel with authority
'***removed***'. [T2]:
System.ServiceModel.Security.SecurityNegotiationException
我遇到了同样的问题。我正在使用本地根CA证书验证TLS。如果我从存储中删除了证书,则连续的请求(使用HttpWebRequest)将继续验证是否每隔几秒钟调用一次。但如果我等了很短时间(30-60秒),下一个调用就会失败,因为它找不到根证书
将HttpWebRequest.KeepAlive属性设置为false以防止缓存。为了获得更多的控制权,看起来你必须开始反思。请参阅问题"如何清除客户端.Net SSL会话缓存"。