我想使用LDAP over TLSv1.2和.NET Framework 4.5.2或4.6.2查询ActiveDirectory(但两者都有问题).问题是它一直在尝试使用TLSv1.0,即使我使用的是“ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12”.
“System.DirectoryServices.Protocols”是否可以用于通过TLSv1.2查询LDAP?如果是这样,启用该TLS版本的正确方法是什么?
最终,我想从Web API 2控制器执行此操作,但作为重现问题的简单测试,我有以下控制台应用程序:
using System; using System.Diagnostics; using System.DirectoryServices.Protocols; using System.Net; namespace Ldap { class Program { private const string ldapHost = "169.254.212.120"; private const int ldapPort = 30389; // normally just 389 private const int ldapSslPort = 30636; // normally just 636 private const bool sslEnabled = true; private const string userBasedistinguishedname = "dc=example,dc=org"; private const string bindUserCommonName = "admin"; private const string bindUserdistinguishedname = "cn=admin,dc=example,dc=org"; private const string bindUserPassword = "admin"; static void Main(string[] args) { ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; using (LdapConnection connection = CreateConnection()) { try { connection.Bind(); } catch (Exception e) { Debug.WriteLine(e.Message); } } } private static LdapConnection CreateConnection() { var directoryIdentifier = new LdapDirectoryIdentifier(ldapHost,sslEnabled ? ldapSslPort : ldapPort,true,false); var credential = new NetworkCredential(bindUserdistinguishedname,bindUserPassword); var conn = new LdapConnection(directoryIdentifier,credential,AuthType.Basic); conn.Sessionoptions.SecureSocketLayer = sslEnabled; conn.Sessionoptions.ProtocolVersion = 3; // Use LDAPv3 (otherwise it appears to default to LDAPv2) return conn; } } }
对于服务器,我正在使用OpenLdap docker容器(暴露端口30389和30636,而不是标准端口)对此进行测试,尽管最终此代码将用于连接&查询ActiveDirectory.
为了站起来测试LDAP服务器,我碰巧使用(Docker 17.06 CE):
docker run --name test_ldap -p 0.0.0.0:30636:636 -p 0.0.0.0:30389:389 --env LDAP_TLS_CIPHER_SUITE="SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC" --env LDAP_TLS_VERIFY_CLIENT="allow" --hostname example.org --detach osixia/openldap:1.1.7
还运行Wireshark:在Wireshark中看到的流量显示“Client Hello”数据包中的“Version”是“TLS 1.0(0x0301)”.
打开的LDAP服务器中的日志显示:
59810624 conn=1002 fd=16 ACCEPT from IP=172.17.0.1:44606 (IP=0.0.0.0:636) TLS: can't accept: An unkNown public key algorithm was encountered.. 59810624 conn=1002 fd=16 closed (TLS negotiation failure)
解决方法
添加几个注册表项以启用TLS 1.2;以下PowerShell脚本添加它们:
New-Item 'HKLM:\SYstem\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYstem\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null New-ItemProperty -path 'HKLM:\SYstem\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'disabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
我在这里找到了这个信息:https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 [email protected] 举报,一经查实,本站将立刻删除。
