随机请求已中止:无法创建SSL/TLS安全通道.返回的代码= MessageAltered
问题描述:
在大约一千个HTTPS请求中,有一个抛出了以下异常:
In one out of around a thousand HTTPS requests, following exception is thrown:
System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
at System.Net.WebClient.DownloadString(Uri address)
来自 System.Net 的日志如下:
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] Associating HttpWebRequest#37618637 with ServicePoint#28841767
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] Associating Connection#16407032 with HttpWebRequest#37618637
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net.Sockets | [2688] Socket#42531032 - Created connection from x.x.x.x:12345 to y.y.y.y:443.
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] Connection#16407032 - Created connection from x.x.x.x:12345 to y.y.y.y:443.
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] TlsStream#54603865::.ctor(host=www.remoteservice.com, #certs=0)
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] Associating HttpWebRequest#37618637 with ConnectStream#27023101
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] HttpWebRequest#37618637 - Request: GET /api/v3/method HTTP/1.1
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] ConnectStream#27023101 - Sending headers
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] SecureChannel#66031633::.ctor(hostname=www.remoteservice.com, #clientCertificates=0, encryptionPolicy=RequireEncryption)
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] SecureChannel#66031633 - Left with 0 client certificates to choose from.
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] Using the cached credential handle.
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=379, returned code=ContinueNeeded).
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505f981f0, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505f981f0, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505f981f0, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505f981f0, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:10:17.4937 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=574, returned code=ContinueNeeded).
2016-09-20 15:10:17.5562 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505f981f0, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:10:17.5562 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=MessageAltered).
2016-09-20 15:10:17.5562 | ERROR | 72 | System.Net | [2688] Exception in HttpWebRequest#37618637:: - The request was aborted: Could not create SSL/TLS secure channel..
2016-09-20 15:10:17.5562 | ERROR | 72 | System.Net | [2688] Exception in HttpWebRequest#37618637::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..
2016-09-20 15:10:17.5562 | ERROR | 72 | System.Net | [2688] Exception in HttpWebRequest#37618637:: - The request was aborted: The request was canceled..
InitializeSecurityContext结尾于以下行:
The InitializeSecurityContext ends up with line:
InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=MessageAltered)
为进行比较,这是成功的HTTPS调用之一:
To compare, here is one of the successful HTTPS calls:
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] Associating HttpWebRequest#23767080 with ServicePoint#28841767
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] Associating Connection#23643787 with HttpWebRequest#23767080
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net.Sockets | [1900] Socket#66957105 - Created connection from x.x.x.x:12345 to y.y.y.y:443.
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] Connection#23643787 - Created connection from x.x.x.x:12345 to y.y.y.y:443.
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] TlsStream#51402822::.ctor(host=www.remoteservice.com, #certs=0)
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] Associating HttpWebRequest#23767080 with ConnectStream#55741749
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] HttpWebRequest#23767080 - Request: GET /api/v3/method/123 HTTP/1.1
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] ConnectStream#55741749 - Sending headers
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] SecureChannel#20739431::.ctor(hostname=www.remoteservice.com, #clientCertificates=0, encryptionPolicy=RequireEncryption)
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] SecureChannel#20739431 - Left with 0 client certificates to choose from.
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] Using the cached credential handle.
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=379, returned code=ContinueNeeded).
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:22.3190 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=574, returned code=ContinueNeeded).
2016-09-20 15:11:22.3815 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=OK).
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] Remote certificate: [Version] V3 (more info on certificate here)
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] SecureChannel#20739431 - Remote certificate was verified as valid by the user.
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] ProcessAuthentication(Protocol=Tls12, Cipher=Aes256 256 bit strength, Hash=32781 0 bit strength, Key Exchange=DiffieHellman 4096 bit strength).
2016-09-20 15:11:22.8971 | INFO | 47 | System.Net | [1900] Connection#23643787 - Received status line: Version=1.1, StatusCode=200, StatusDescription=OK.
2016-09-20 15:11:22.8971 | INFO | 47 | System.Net | [1900] Connection#23643787 - Received headers
2016-09-20 15:11:22.8971 | INFO | 47 | System.Net | [1900] ConnectStream#43287324::ConnectStream(Buffered -1 bytes.)
2016-09-20 15:11:22.8971 | INFO | 47 | System.Net | [1900] Associating HttpWebRequest#23767080 with ConnectStream#43287324
2016-09-20 15:11:22.8971 | INFO | 47 | System.Net | [1900] Associating HttpWebRequest#23767080 with HttpWebResponse#32954516
2016-09-20 15:11:22.8971 | INFO | 47 | System.Net | [1900] ContentLength=-1
ServicePointManager的配置如下:
The ServicePointManager is configured as follows:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, errors) => true;
ServicePointManager.Expect100Continue = false;
ServicePointManager.DefaultConnectionLimit = 24;
.NET Framework版本为4.5.
The .NET framework version is 4.5.
您知道为什么会发生这种情况吗?
Do you have any idea why this may happen?
答
从Schannel角度看,MessageAltered表示:TLS1_ALERT_BAD_RECORD_MAC,根据RFC 5246: https://tools.ietf.org/html/rfc5246 表示:
From a Schannel perspective, MessageAltered means: TLS1_ALERT_BAD_RECORD_MAC which as per RFC 5246: https://tools.ietf.org/html/rfc5246 means:
bad_record_mac 如果收到记录不正确的记录,则返回此警报 苹果电脑.如果发送了警报,则还必须返回此警报,因为 以无效方式解密的TLSCiphertext:不是 甚至是块长度或其填充值的倍数时 检查,不正确.此消息始终是致命的,应该 在适当的实现之间的沟通中永远不会被观察到 (邮件在网络中损坏时除外).
bad_record_mac This alert is returned if a record is received with an incorrect MAC. This alert also MUST be returned if an alert is sent because a TLSCiphertext decrypted in an invalid way: either it wasn't an even multiple of the block length, or its padding values, when checked, weren't correct. This message is always fatal and should never be observed in communication between proper implementations (except when messages were corrupted in the network).
接收到的消息似乎以某种方式/形式被破坏,从而导致错误-因为无法执行解密.您可能必须与服务器供应商联系以纠正他们的问题,或者如果您不能影响服务器人员,请重试该请求-如果后续请求成功.
The received message appears to be corrupted in some way/form leading to the error - because the decrypt cannot be performed. You'll probably have to contact the server vendor to correct their side of the problem or if you can't influence the server people then, retry the request - provided the subsequent request succeeds.