IIS 10和HTTP/2 -需要客户端证书
目前,我正在使用HTTP1.1和HTTP/2在IIS 10上测试web应用程序。我的测试应用程序有一个端点(/api/ test ),它只返回“true”。我有3份证书:
- 根CA (自签名)
- 由根CA签名的服务器证书
- 由根CA签名的客户端证书
安装在Windows 2016上的根CA和服务器证书,以及配置为使用服务器证书侦听https://example.net:8081/的IIS网站。此外,我将网站配置为需要客户端证书(这对我的测试非常重要,我需要服务器/客户端证书验证)。
我通过curl测试我的应用程序,对于http1.1来说,一切都很好。
命令:
curl.exe --http1.1 --get --url https://example.net:8081/api/test --cacert E:\ca.pem --cert E:\client.pem --key E:\client.key --cert-type PEM --verbose输出:
* TCP_NODELAY set
* Connected to example.net port 8081 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: E:\ca.pem
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate: XXX
* SSL certificate verify ok.
> GET /api/test HTTP/1.1
> Host: example.net:8081
> User-Agent: curl/7.61.1
> Accept: */*
>
* TLSv1.2 (IN), TLS handshake, Hello request (0):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
< HTTP/1.1 200 OK
< Transfer-Encoding: chunked
< Content-Type: application/json; charset=utf-8
< Server: Kestrel
< Date: Tue, 18 Sep 2018 13:45:35 GMT
<
true* Connection #0 to host abrakadabra.cranecs.net left intact但是,如果我尝试使用http/2发送请求,则在服务器证书验证之后,请求将失败。
命令:
curl.exe --http2 --get --url https://example.net:8081/api/test --cacert E:\ca.pem --cert E:\client.pem --key E:\client.key --cert-type PEM --verbose输出:
* TCP_NODELAY set
* Connected to example.net port 8081 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: E:\ca.pem
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate: XXX
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x1f635299100)
> GET /api/test HTTP/2
> Host: example.net:8081
> User-Agent: curl/7.61.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* HTTP/2 stream 0 was not closed cleanly: HTTP_1_1_REQUIRED (err 13)
* stopped the pause stream!
* Connection #0 to host example.net left intact
curl: (92) HTTP/2 stream 0 was not closed cleanly: HTTP_1_1_REQUIRED (err 13)在IIS日志中,我看到接下来的记录:
2018-09-18 13:46:00 172.32.0.193 GET /api/test - 8081 - 134.17.25.89 HTTP/1.1 curl/7.61.1 - 200 0 0 421
2018-09-18 13:55:01 172.32.0.193 GET /api/test - 8081 - 134.17.25.89 HTTP/2.0 curl/7.61.1 - 403 7 64 0因此,对于http/2,似乎没有客户端证书(403.7状态代码)。
最后,如果我只是在IIS站点设置中更改“require certificate”以“忽略客户端证书”- http1.1和http/2都可以。
如何在IIS上使用HTTP/2的客户端证书?
回答 3
Stack Overflow用户
发布于 2018-09-20 08:15:07
经过几个小时的研究,我发现IIS 10目前不支持带有客户端证书验证的HTTP/2。
在少数情况下,HTTP/2不能与其他特性结合使用。在这种情况下,Windows将返回到HTTP/1.1并继续事务。这可能包括在握手期间协商HTTP/1.1,或者向客户端发送错误代码,指示它通过HTTP/1.1连接重试。
我将我的服务器重新配置为使用nginx而不是IIS作为应用程序的代理,所有这些都很好。
Stack Overflow用户
发布于 2022-05-27 07:42:51
我也无意中发现了这个问题,在阅读了这信息之后,我发现您需要启用绑定级别的“协商客户端证书”。
Stack Overflow用户
发布于 2021-07-20 22:11:34
我在Server2022中使用IIS10建立了一个DotNet Framework4.8网站,并打开了require证书。他干得很好。启用TLS1.3的浏览器没有(试用了Edge和Chrome)。Wireshark捕获显示在握手过程中重新设置连接。在对网站绑定进行编辑之后,我发现为了使其工作,我可以启用TLS 1.3或HTTP/2,但当需要客户端证书和使用启用TLS1.3的客户端时,两者都不能启用。
希望有一天微软能帮我们解决这个问题。
https://stackoverflow.com/questions/52388471
复制相似问题
腾讯云开发者
