ASP.NET Core 3.0 app not working on Windows Server 2012 R2 due to ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY

Submitted by 放肆的年华 on 2020-12-29 05:45:47

Question


I took a working ASP.NET Core 2.2 app, upgraded it to 3.0 and suddenly the app no longer works in Windows Server 2012. It comes up with the following:

ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY

Chrome:

Firefox:

It seems that before I had to opt into HTTP/2 and now it's the default along with HTTP/1.1. There is a post here https://github.com/aspnet/AspNetCore/issues/14350 but that is totally confusing with no real solution.

I have tried all sorts of enabling / disabling of insecure protocols, such as https://www.admin-enclave.com/de/articles-by-year/11-data-articles/website_articles/articles/exchange_articles/405-resolved-error-err_spdy_inadequate_transport_security-when-using-google-chome-and-owa.html, but to no avail.

It works fine on Windows 10 due to what I assume is a better protocol suite. But in Fiddler I checked and the only difference when negotiating with Kestrel is:

Windows Server 2012 R2:

[0A0A]  Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[1301]  Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[1302]  Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[1303]  Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[C02B]  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C02F]  Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[C02C]  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[C030]  Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[CCA9]  Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[CCA8]  Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[C013]  TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
[C014]  TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
[009C]  Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[009D]  Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[002F]  TLS_RSA_AES_128_SHA
[0035]  TLS_RSA_AES_256_SHA
[000A]  SSL_RSA_WITH_3DES_EDE_SHA

Windows 10:

[3A3A]  Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[1301]  Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[1302]  Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[1303]  Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[C02B]  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C02F]  Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[C02C]  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[C030]  Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[CCA9]  Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[CCA8]  Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[C013]  TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
[C014]  TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
[009C]  Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[009D]  Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[002F]  TLS_RSA_AES_128_SHA
[0035]  TLS_RSA_AES_256_SHA
[000A]  SSL_RSA_WITH_3DES_EDE_SHA

The top line is different, but that is all. Not sure what it is; it is some GREASE value.

Program.cs:

    public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .UseKestrel(opts => {
                opts.ListenAnyIP(5000);
                opts.ListenAnyIP(5001, listenOpts => {
                    listenOpts.UseHttps(new HttpsConnectionAdapterOptions {
                        ServerCertificate = new X509Certificate2("certificate-server.pfx", "...")
                    });
                });
                opts.Limits.MaxRequestBodySize = null;
            })
            .UseContentRoot(Directory.GetCurrentDirectory())
            .UseStartup<Startup>();

Update

Seems I am on the right track thanks to @chris-pratt. Changing the certificate cipher to ECDSA_nistP256 makes the web application work. But unfortunately I am using the cert to also sign the JWT tokens, and now that is broken with:

System.NotSupportedException: The certificate key algorithm is not supported. at System.Security.Cryptography.X509Certificates.PublicKey.get_Key()

The signing code is:

    var privateKey = new X509SecurityKey(new X509Certificate2("certificate-server.pfx", "..."));
    var token = new JwtSecurityToken(
        issuer: "Sentry",
        claims: claims,
        notBefore: DateTime.Now,
        expires: DateTime.Now.AddDays(1),
        signingCredentials: new SigningCredentials(privateKey, SecurityAlgorithms.RsaSha256Signature));

    return new JwtSecurityTokenHandler().WriteToken(token);

I tried changing the SecurityAlgorithms enum but did not have any success.
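The stack trace above ends in `PublicKey.get_Key()`, which on .NET Core only handles RSA and DSA keys, so an ECDSA certificate cannot be wrapped in `X509SecurityKey` for signing. The following is an added example, not the asker's code: it signs and validates the same kind of token with the certificate's EC key through `ECDsaSecurityKey` and the ES256 algorithm, assuming `certificate-server.pfx` now carries the ECDSA_nistP256 key from the update.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

public static class EcdsaJwt
{
    // Sign with the certificate's EC private key. ECDsaSecurityKey takes the
    // ECDsa object directly, so X509SecurityKey's PublicKey.Key path (RSA/DSA
    // only, the source of the NotSupportedException) is never touched.
    public static string CreateToken(X509Certificate2 cert, IEnumerable<Claim> claims)
    {
        ECDsa ecdsa = cert.GetECDsaPrivateKey()
            ?? throw new InvalidOperationException("certificate has no ECDSA private key");
        var key = new ECDsaSecurityKey(ecdsa) { KeyId = cert.Thumbprint };
        var token = new JwtSecurityToken(
            issuer: "Sentry",
            claims: claims,
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.AddDays(1),
            // ES256 = ECDSA over P-256 with SHA-256; RsaSha256Signature cannot use this key.
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.EcdsaSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Validate with the public half only, so a verifying service never needs the PFX.
    public static ClaimsPrincipal ValidateToken(X509Certificate2 cert, string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = "Sentry",
            ValidateAudience = false, // the original token carries no audience claim
            IssuerSigningKey = new ECDsaSecurityKey(cert.GetECDsaPublicKey()),
        };
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
    }
}
```

Consumers that previously expected `alg: RS256` in the header must now accept `ES256`, which is why the validation side is shown alongside the signing side.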


Answer 1:


Windows 2012 R2 does not support the cipher suites that are allowed for HTTP/2. I assume that starting with Core 3.0 the HTTP/2 protocol is enabled by default. I solved my problem by disabling HTTP/2 in Kestrel as follows:

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args).ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder.UseKestrel(options =>
            {
                options.Listen(System.Net.IPAddress.Parse(DomainIp), 80);
                options.Listen(System.Net.IPAddress.Parse(DomainIp), 443, l =>
                {
                    l.UseHttps(
                        DomainCertificateFile,
                        DomainCertificatePassword);
                    // HTTP/1.1 only: the HTTP/2 cipher-suite requirement is never triggered
                    l.Protocols = Microsoft.AspNetCore.Server.Kestrel.Core.HttpProtocols.Http1;
                });
            });
            webBuilder.UseStaticWebAssets();
            webBuilder.UseStartup<Startup>();
        });



Answer 2:


I'll add further info that may be useful for others. In the case of IIS, HTTP/2 support starts from Windows 10 and Windows Server 2016. See: HTTP/2 on IIS

However, you may encounter this problem on Windows 10 as well. In that case, make sure that disabling HTTP/2 is really what you're looking for, especially with regard to security concerns. Let's refer to the GitHub thread the OP mentioned:

"This disables HTTP/2, and the "INADEQUATE_TRANSPORT_SECURITY" issue is an HTTP/2-specific issue, so while that works, it's not really a solution".

Source: GitHub discussion

To resolve this problem under Windows 10, the first thing advised is to make sure the SSL Cipher Suite Order is correct.

To configure the SSL Cipher Suite Order group policy setting:

  1. At a command prompt, enter gpedit.msc. The Group Policy Object Editor appears.
  2. Expand Computer Configuration, Administrative Templates, Network, and then click SSL Configuration Settings.
  3. Under SSL Configuration Settings, click the SSL Cipher Suite Order setting.
  4. In the SSL Cipher Suite Order pane, scroll to the bottom of the pane.
  5. Follow the instructions labelled How to modify this setting.

See: Prioritizing Schannel Cipher Suites

It may differ from the default one and cause problems. Or if the default one causes problems, this is the place where you can adjust it.

To circle back to the original issue. @hristijankiko sent us some great details (including a Wireshark trace that was very helpful). We identified that the server was selecting a cipher suite on the HTTP/2 block-list due to "inadequate security". It turns out this was a machine-level configuration issue caused by upgrading from earlier Windows versions. The fix was to manually configure the TLS cipher suites to match the new Windows 10 defaults (see https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-10-v1903). It's curious that this was necessary even though @hristijankiko was using Windows 10 v1903 but we will check in on this internally. No further action on the original issue is needed in ASP.NET Core.

Source: further GitHub discussion

Here you can check which TLS cipher suites and priority order are supported by a given Windows version:

Cipher Suites in TLS/SSL (Schannel SSP)

For the cipher suites supported by Windows Server 2012 R2 and Windows 8.1 see:

TLS Cipher Suites in Windows 8.1

You can have a quick look at the selected cipher under the Security tab of the browser's developer tools:
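Both answers come down to the same question: which suite does the machine's Schannel actually pick for this certificate, and is it on the HTTP/2 block-list? The following added example (not from the question or either answer) answers that at startup instead of hard-coding `HttpProtocols.Http1`: it runs a loopback TLS handshake with the production certificate, reads `SslStream.NegotiatedCipherSuite` (available since .NET Core 3.0), and keeps HTTP/2 enabled only if the suite has an ephemeral key exchange and an AEAD cipher, as RFC 7540 section 9.2.2 requires. It assumes Windows/Schannel on both ends; a loopback Schannel client is a close proxy for a browser's offer, not an identical one, so the decision is also worth logging.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Server.Kestrel.Core;

public static class Http2TlsProbe
{
    // RFC 7540 Appendix A blocks every suite that lacks an ephemeral key
    // exchange (ECDHE/DHE, or any TLS 1.3 suite) or an AEAD cipher.
    public static bool IsHttp2Compatible(TlsCipherSuite suite)
    {
        string n = suite.ToString();
        bool ephemeral = n.Contains("ECDHE_") || n.Contains("_DHE_")
                      || n.StartsWith("TLS_AES_") || n.StartsWith("TLS_CHACHA20_");
        bool aead = n.Contains("_GCM_") || n.Contains("CHACHA20_POLY1305") || n.Contains("_CCM");
        return ephemeral && aead;
    }

    // Handshake with ourselves over loopback using the production certificate. Client-side
    // validation is disabled only because the peer is our own certificate on 127.0.0.1.
    public static async Task<TlsCipherSuite> NegotiatedSuiteAsync(X509Certificate2 cert)
    {
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        try
        {
            Task<TcpClient> accepting = listener.AcceptTcpClientAsync();
            using var client = new TcpClient();
            await client.ConnectAsync(IPAddress.Loopback, ((IPEndPoint)listener.LocalEndpoint).Port);
            using TcpClient serverSide = await accepting;
            using var serverTls = new SslStream(serverSide.GetStream());
            using var clientTls = new SslStream(client.GetStream(), false, (_, __, ___, ____) => true);
            await Task.WhenAll(
                serverTls.AuthenticateAsServerAsync(cert, false, SslProtocols.None, false),
                clientTls.AuthenticateAsClientAsync("localhost"));
            return serverTls.NegotiatedCipherSuite; // what Schannel chose with this cert
        }
        finally { listener.Stop(); }
    }

    // Call once at startup, then assign the result to listenOpts.Protocols.
    public static async Task<HttpProtocols> ChooseProtocolsAsync(X509Certificate2 cert)
    {
        TlsCipherSuite suite = await NegotiatedSuiteAsync(cert);
        Console.WriteLine($"Schannel negotiated {suite}; HTTP/2 allowed: {IsHttp2Compatible(suite)}");
        return IsHttp2Compatible(suite) ? HttpProtocols.Http1AndHttp2 : HttpProtocols.Http1;
    }
}
```

On a 2012 R2 host with an RSA certificate the log line will typically show a `TLS_RSA_*` or CBC suite and the listener falls back to HTTP/1.1; once the cipher suite order is fixed as Answer 2 describes, the same code re-enables HTTP/2 without a redeploy.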



Source: https://stackoverflow.com/questions/58188842/asp-net-core-3-0-app-not-working-on-windows-server-2012-r2-due-to-err-http2-inad
