We have an application that calls a web service protected by an SSL client certificate. Our partner upgraded their gateway, and since that upgrade we can no longer call their web service.
Here is the C# code that used to work:
// Namespaces the fragment below depends on
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Both callbacks below accept any server certificate (server validation is disabled)
ServicePointManager.ServerCertificateValidationCallback = (s, c, h, p) => { return true; };
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
var req = (HttpWebRequest)WebRequest.Create(requestUrl); // requestUrl: the partner's web service URL
req.Method = "POST";
req.ContentType = "application/json";
req.ServerCertificateValidationCallback = (sender, certificate, chain, errors) => true;
// Client certificate loaded from a PFX file (CertificatePath, Password: our values)
req.ClientCertificates.Add(new X509Certificate2(CertificatePath, Password));
var byteContent = Encoding.UTF8.GetBytes(content); // content: the JSON request body
req.ContentLength = byteContent.Length;
req.Proxy = new WebProxy("***PROXY-URL***");
req.AllowAutoRedirect = true;
using (var requestStream = req.GetRequestStream()) // Exception here:
{
    requestStream.Write(byteContent, 0, byteContent.Length);
}
Here is the System.Net trace:
System.Net Information: 0 : [5564] Current OS installation type is 'Server'.
System.Net Verbose: 0 : [5564] Entering WebRequest::Create(***WEBSERVICEURL***)
System.Net Verbose: 0 : [5564] Entering HttpWebRequest#16639474::HttpWebRequest(***WEBSERVICEURL***#100646014)
System.Net Information: 0 : [5564] RAS supported: True
System.Net Verbose: 0 : [5564] Exiting HttpWebRequest#16639474::HttpWebRequest()
System.Net Verbose: 0 : [5564] Exiting WebRequest::Create() -> HttpWebRequest#16639474
System.Net Verbose: 0 : [5564] Entering ServicePoint#5620158::ServicePoint(***PROXYURL***)
System.Net Information: 0 : [5564] Associating HttpWebRequest#16639474 with ServicePoint#5620158
System.Net Verbose: 0 : [5564] Entering HttpWebRequest#16639474::GetRequestStream()
System.Net Information: 0 : [5564] Associating Connection#52579650 with HttpWebRequest#16639474
System.Net Verbose: 0 : [5564] Entering HttpWebRequest#3454809::HttpWebRequest(***PROXYURL***/#589308768)
System.Net Verbose: 0 : [5564] Exiting HttpWebRequest#3454809::HttpWebRequest()
System.Net Verbose: 0 : [5564] Entering ServicePoint#31093287::ServicePoint(***PROXYURL***)
System.Net Information: 0 : [5564] Associating HttpWebRequest#3454809 with ServicePoint#31093287
System.Net Verbose: 0 : [5564] Entering HttpWebRequest#3454809::GetResponse()
System.Net Information: 0 : [5564] Associating Connection#11404133 with HttpWebRequest#3454809
System.Net Information: 0 : [5564] Connection#11404133 - Created connection from ***MY-IP***:56660 to ***PROXY-IP***.
System.Net Information: 0 : [5564] Associating HttpWebRequest#3454809 with ConnectStream#35528341
System.Net Information: 0 : [5564] HttpWebRequest#3454809 - Request: CONNECT ***WEBSERVICE-HOST***:443 HTTP/1.1
System.Net Information: 0 : [5564] ConnectStream#35528341 - Sending headers
{
Host: ***WEBSERVICE-HOST***
Proxy-Connection: Keep-Alive
}.
System.Net Information: 0 : [5564] Connection#11404133 - Received status line: Version=1.1, StatusCode=200, StatusDescription=Connection established.
System.Net Information: 0 : [5564] Connection#11404133 - Received headers
{
}.
System.Net Information: 0 : [5564] ConnectStream#51319614::ConnectStream(Buffered -1 bytes.)
System.Net Information: 0 : [5564] Associating HttpWebRequest#3454809 with ConnectStream#51319614
System.Net Information: 0 : [5564] Associating HttpWebRequest#3454809 with HttpWebResponse#59223347
System.Net Verbose: 0 : [5564] Exiting HttpWebRequest#3454809::GetResponse() -> HttpWebResponse#59223347
System.Net Verbose: 0 : [5564] Entering HttpWebResponse#59223347::GetResponseStream()
System.Net Information: 0 : [5564] ContentLength=-1
System.Net Verbose: 0 : [5564] Exiting HttpWebResponse#59223347::GetResponseStream() -> ConnectStream#51319614
System.Net Information: 0 : [5564] TlsStream#63248075::.ctor(host=***WEBSERVICE-HOST***, #certs=1, checkCertificateRevocationList=False, sslProtocols=Tls12)
System.Net Information: 0 : [5564] Associating HttpWebRequest#16639474 with ConnectStream#32361769
System.Net Information: 0 : [5564] HttpWebRequest#16639474 - Request: POST /WebServiceTarification/v1/Calcul HTTP/1.1
System.Net Information: 0 : [5564] ConnectStream#32361769 - Sending headers
{
Content-Type: application/json
Host: ***WEBSERVICE-HOST***
Content-Length: 686
Expect: 100-continue
Connection: Keep-Alive
}.
System.Net Information: 0 : [5564] SecureChannel#22820469::.ctor(hostname=***WEBSERVICE-HOST***, #clientCertificates=1, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [5564] Enumerating security packages:
System.Net Information: 0 : [5564] Negotiate
System.Net Information: 0 : [5564] NegoExtender
System.Net Information: 0 : [5564] Kerberos
System.Net Information: 0 : [5564] NTLM
System.Net Information: 0 : [5564] Schannel
System.Net Information: 0 : [5564] Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [5564] WDigest
System.Net Information: 0 : [5564] TSSSP
System.Net Information: 0 : [5564] pku2u
System.Net Information: 0 : [5564] CREDSSP
System.Net Information: 0 : [5564] SecureChannel#22820469 - Attempting to restart the session using the user-provided certificate: [Version]
V1
[Subject]
E=***WS-EMAIL***, CN=***MY-COMPANY***, OU=***SOME-WS-OU***, O=***SOME-WS-O***, L=Bruxelles, S=Bruxelles, C=BE
Simple Name: ***MY-COMPANY***
Email Name: ***WS-EMAIL***
DNS Name: ***MY-COMPANY***
[Issuer]
E=***WS-EMAIL***, CN=***SOME-WS-COMPANY-HOSTNAME***, OU=***SOME-WS-OU***, O=***SOME-WS-O***, L=Bruxelles, S=Bruxelles, C=BE
Simple Name: ***SOME-WS-COMPANY-HOSTNAME***
Email Name: ***WS-EMAIL***
DNS Name: ***SOME-WS-COMPANY-HOSTNAME***
[Serial Number]
***SERIALNUMBER**
[Not Before]
7/5/2016 11:39:44 AM
[Not After]
7/3/2026 11:39:44 AM
[Thumbprint]
***THUMBPRINT**
[Signature Algorithm]
sha512RSA(1.2.840.113549.1.1.13)
[Public Key]
Algorithm: RSA
Length: 2048
Key Blob: ***KEYBLOB**
System.Net Information: 0 : [5564] SecureChannel#22820469 - Left with 1 client certificates to choose from.
System.Net Information: 0 : [5564] SecureChannel#22820469 - Trying to find a matching certificate in the certificate store.
System.Net Information: 0 : [5564] SecureChannel#22820469 - Locating the private key for the certificate:
***CERTIFICATE***
System.Net Information: 0 : [5564] SecureChannel#22820469 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [5564] SecureChannel#22820469::.AcquireClientCredentials, new SecureCredential() (flags=(ValidateManual, NoDefaultCred, SendAuxRecord, UseStrongCrypto), m_ProtocolFlags=(Tls12Client), m_EncryptionPolicy=RequireEncryption)
System.Net Information: 0 : [5564] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=198, returned code=ContinueNeeded).
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=CredentialsNeeded).
System.Net Information: 0 : [5564] SecureChannel#22820469 - We have user-provided certificates. The server has not specified any issuers, so try all the certificates.
System.Net Information: 0 : [5564] SecureChannel#22820469 - Selected certificate:
***CERTIFICATE***
System.Net Information: 0 : [5564] SecureChannel#22820469 - Left with 1 client certificates to choose from.
System.Net Information: 0 : [5564] SecureChannel#22820469 - Trying to find a matching certificate in the certificate store.
System.Net Information: 0 : [5564] SecureChannel#22820469 - Locating the private key for the certificate:
***CERTIFICATE***
System.Net Information: 0 : [5564] SecureChannel#22820469 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [5564] SecureChannel#22820469::.AcquireClientCredentials, new SecureCredential() (flags=(ValidateManual, NoDefaultCred, SendAuxRecord, UseStrongCrypto), m_ProtocolFlags=(Tls12Client), m_EncryptionPolicy=RequireEncryption)
System.Net Information: 0 : [5564] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=189, returned code=ContinueNeeded).
System.Net Information: 0 : [5564] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 105dc48:104e560, targetName = ***WEBSERVICE-HOST***, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
System.Net Error: 0 : [5564] Exception in HttpWebRequest#16639474:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [5564] Exception in HttpWebRequest#16639474::EndGetRequestStream - The request was aborted: Could not create SSL/TLS secure channel..
I am using .NET 4.6.2 on Windows Server 2012, but I can reproduce it with .NET Core 2.2.
Based on what I saw in Wireshark, it seems that the code no longer sends the client certificate, even though it is configured in the certificate store. Thanks for your help.
EDIT: I managed to get it working by using TLS 1.1 instead of TLS 1.2:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11;
But the question remains why it does not work with TLS 1.2 and I get this error message:
System.Net Information: 0 : [5564] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
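One way to narrow a failure like this down is to run the TLS 1.2 handshake through SslStream directly, which exposes what the server's CertificateRequest permits and which certificate the client actually presents. This is an added diagnostic example, not code from the question; it assumes a direct connection to the service host on port 443 (the CONNECT through the proxy in the question is skipped) and the same PFX path and password as the question, and it keeps server certificate validation on instead of the `return true` callbacks.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class MtlsDiag
{
    static void Main()
    {
        const string host = "***WEBSERVICE-HOST***";       // placeholder, as in the question
        var cert = new X509Certificate2("CertificatePath", "Password"); // hypothetical values
        Console.WriteLine($"Client cert: {cert.Subject}, sig={cert.SignatureAlgorithm.FriendlyName}, " +
                          $"hasPrivateKey={cert.HasPrivateKey}");

        using (var tcp = new TcpClient(host, 443))
        using (var ssl = new SslStream(tcp.GetStream(), false, ValidateServer, SelectClientCert))
        {
            try
            {
                ssl.AuthenticateAsClient(host, new X509CertificateCollection { cert },
                                         SslProtocols.Tls12, checkCertificateRevocation: true);
                Console.WriteLine($"Negotiated {ssl.SslProtocol}, cipher={ssl.CipherAlgorithm}, " +
                                  $"hash={ssl.HashAlgorithm}, kex={ssl.KeyExchangeAlgorithm}");
                Console.WriteLine($"Mutually authenticated: {ssl.IsMutuallyAuthenticated}, " +
                                  $"client cert sent: {ssl.LocalCertificate != null}");
            }
            catch (AuthenticationException ex)
            {
                // The inner exception carries the Schannel error behind "Could not create SSL/TLS secure channel"
                Console.WriteLine($"Handshake failed: {ex.Message} / {ex.InnerException?.Message}");
            }
        }
    }

    // Called when the server sends CertificateRequest: log the issuer list it advertises
    // (the trace above shows "The server has not specified any issuers") before choosing a cert.
    static X509Certificate SelectClientCert(object sender, string targetHost,
        X509CertificateCollection localCerts, X509Certificate remoteCert, string[] acceptableIssuers)
    {
        Console.WriteLine(acceptableIssuers == null || acceptableIssuers.Length == 0
            ? "Server listed no acceptable issuers"
            : "Server accepts issuers: " + string.Join("; ", acceptableIssuers));
        return localCerts.Count > 0 ? localCerts[0] : null;
    }

    // Keeps chain validation and reports the reason instead of accepting any server certificate.
    static bool ValidateServer(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None) Console.WriteLine($"Server certificate rejected: {errors}");
        return errors == SslPolicyErrors.None;
    }
}
```

The logged client certificate signature algorithm and the server's acceptable-issuer list are what to compare against the CertificateRequest captured in Wireshark when the TLS 1.2 attempt aborts.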