安之偌素 2020-01-07
参考地址:https://github.com/dotnet/corefx/issues/40538
According to https://www.ssllabs.com/ssltest/analyze.html?d=api-fxpractice.oanda.com their key exchanges are preferring DHE-1024 over ECDHE. Using the guidance from NIST SP 800-57, a 1024-bit DHE key has 80 bits of security (or smaller).
Debian Buster has raised the OpenSSL TLS security level to 2 (https://www.debian.org/releases/stable/i386/release-notes/ch-information.en.html#openssl-defaults), which requires DHE at 2048-bit or higher (112 bits of security).
Theoretically, editing /etc/ssl/openssl.cnf and setting CipherString = DEFAULT:@SECLEVEL=1
will change the security level back to 1.
看起来貌似是debian的安全级别提高了,但是我的应用在.net core 2.2是没有报这个错误的。
解决方式是在dockerfile加上命令
RUN sed -i "s|=2|=1|g" /etc/ssl/openssl.cnf
perl Configure VC-WIN64A --prefix=C:\openssl_x64 no-asm no-shared enable-tlsext enable-static-engine