我最近一直在尝试用C#创建一个SSL加密的服务器/客户端。
我已经在MSDN上关注了this教程,但是,它需要使用 makecert.exe 为服务器和客户端使用创建证书,所以我找到了一个示例,它创建了证书罚款:
makecert -sr LocalMachine -ss My -n“CN = Test”-sky exchange -sk 123456 c:/Test.cer
但现在问题是服务器启动并等待客户端,当客户端连接它时使用机器名,在这种情况下,我可以收集的是我的IP:
127.0.0.1
,然后它需要服务器名称,它必须与证书上的服务器名称匹配( Test.cer )。我尝试了多种组合(例如“测试”“LocalMachine”,“127.0.0.1”,但似乎无法让客户端服务器名称匹配,从而允许连接。我得到的错误是:
证书错误:RemoteCertificateNameMismatch,RemoteCertificateChainErrors 例外:根据验证程序
,远程证书无效
这里是我使用它的代码与MSDN示例的不同之处仅在于我在应用程序中为服务器分配证书路径以及客户端的机器名称和服务器名称:
SslTcpServer.cs
using System;
using System.Collections;
using System.Net;
using System.Net.Sockets;
using System.Net.Security;
using System.Security.Authentication;
using System.Text;
using System.Security.Cryptography.X509Certificates;
using System.IO;
namespace Examples.System.Net
{
public sealed class SslTcpServer
{
static X509Certificate serverCertificate = null;
// The certificate parameter specifies the name of the file
// containing the machine certificate.
public static void RunServer(string certificate)
{
serverCertificate = X509Certificate.CreateFromCertFile(certificate);
// Create a TCP/IP (IPv4) socket and listen for incoming connections.
TcpListener listener = new TcpListener(IPAddress.Any, 8080);
listener.Start();
while (true)
{
Console.WriteLine("Waiting for a client to connect...");
// Application blocks while waiting for an incoming connection.
// Type CNTL-C to terminate the server.
TcpClient client = listener.AcceptTcpClient();
ProcessClient(client);
}
}
static void ProcessClient(TcpClient client)
{
// A client has connected. Create the
// SslStream using the client's network stream.
SslStream sslStream = new SslStream(
client.GetStream(), false);
// Authenticate the server but don't require the client to authenticate.
try
{
sslStream.AuthenticateAsServer(serverCertificate,
false, SslProtocols.Tls, true);
// Display the properties and settings for the authenticated stream.
DisplaySecurityLevel(sslStream);
DisplaySecurityServices(sslStream);
DisplayCertificateInformation(sslStream);
DisplayStreamProperties(sslStream);
// Set timeouts for the read and write to 5 seconds.
sslStream.ReadTimeout = 5000;
sslStream.WriteTimeout = 5000;
// Read a message from the client.
Console.WriteLine("Waiting for client message...");
string messageData = ReadMessage(sslStream);
Console.WriteLine("Received: {0}", messageData);
// Write a message to the client.
byte[] message = Encoding.UTF8.GetBytes("Hello from the server.<EOF>");
Console.WriteLine("Sending hello message.");
sslStream.Write(message);
}
catch (AuthenticationException e)
{
Console.WriteLine("Exception: {0}", e.Message);
if (e.InnerException != null)
{
Console.WriteLine("Inner exception: {0}", e.InnerException.Message);
}
Console.WriteLine("Authentication failed - closing the connection.");
sslStream.Close();
client.Close();
return;
}
finally
{
// The client stream will be closed with the sslStream
// because we specified this behavior when creating
// the sslStream.
sslStream.Close();
client.Close();
}
}
static string ReadMessage(SslStream sslStream)
{
// Read the message sent by the client.
// The client signals the end of the message using the
// "<EOF>" marker.
byte[] buffer = new byte[2048];
StringBuilder messageData = new StringBuilder();
int bytes = -1;
do
{
// Read the client's test message.
bytes = sslStream.Read(buffer, 0, buffer.Length);
// Use Decoder class to convert from bytes to UTF8
// in case a character spans two buffers.
Decoder decoder = Encoding.UTF8.GetDecoder();
char[] chars = new char[decoder.GetCharCount(buffer, 0, bytes)];
decoder.GetChars(buffer, 0, bytes, chars, 0);
messageData.Append(chars);
// Check for EOF or an empty message.
if (messageData.ToString().IndexOf("<EOF>") != -1)
{
break;
}
} while (bytes != 0);
return messageData.ToString();
}
static void DisplaySecurityLevel(SslStream stream)
{
Console.WriteLine("Cipher: {0} strength {1}", stream.CipherAlgorithm, stream.CipherStrength);
Console.WriteLine("Hash: {0} strength {1}", stream.HashAlgorithm, stream.HashStrength);
Console.WriteLine("Key exchange: {0} strength {1}", stream.KeyExchangeAlgorithm, stream.KeyExchangeStrength);
Console.WriteLine("Protocol: {0}", stream.SslProtocol);
}
static void DisplaySecurityServices(SslStream stream)
{
Console.WriteLine("Is authenticated: {0} as server? {1}", stream.IsAuthenticated, stream.IsServer);
Console.WriteLine("IsSigned: {0}", stream.IsSigned);
Console.WriteLine("Is Encrypted: {0}", stream.IsEncrypted);
}
static void DisplayStreamProperties(SslStream stream)
{
Console.WriteLine("Can read: {0}, write {1}", stream.CanRead, stream.CanWrite);
Console.WriteLine("Can timeout: {0}", stream.CanTimeout);
}
static void DisplayCertificateInformation(SslStream stream)
{
Console.WriteLine("Certificate revocation list checked: {0}", stream.CheckCertRevocationStatus);
X509Certificate localCertificate = stream.LocalCertificate;
if (stream.LocalCertificate != null)
{
Console.WriteLine("Local cert was issued to {0} and is valid from {1} until {2}.",
localCertificate.Subject,
localCertificate.GetEffectiveDateString(),
localCertificate.GetExpirationDateString());
}
else
{
Console.WriteLine("Local certificate is null.");
}
// Display the properties of the client's certificate.
X509Certificate remoteCertificate = stream.RemoteCertificate;
if (stream.RemoteCertificate != null)
{
Console.WriteLine("Remote cert was issued to {0} and is valid from {1} until {2}.",
remoteCertificate.Subject,
remoteCertificate.GetEffectiveDateString(),
remoteCertificate.GetExpirationDateString());
}
else
{
Console.WriteLine("Remote certificate is null.");
}
}
public static void Main(string[] args)
{
string certificate = "c:/Test.cer";
SslTcpServer.RunServer(certificate);
}
}
}
SslTcpClient.cs
using System;
using System.Collections;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Text;
using System.Security.Cryptography.X509Certificates;
using System.IO;
namespace Examples.System.Net
{
public class SslTcpClient
{
private static Hashtable certificateErrors = new Hashtable();
// The following method is invoked by the RemoteCertificateValidationDelegate.
public static bool ValidateServerCertificate(
object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
return true;
Console.WriteLine("Certificate error: {0}", sslPolicyErrors);
// Do not allow this client to communicate with unauthenticated servers.
return false;
}
public static void RunClient(string machineName, string serverName)
{
// Create a TCP/IP client socket.
// machineName is the host running the server application.
TcpClient client = new TcpClient(machineName, 8080);
Console.WriteLine("Client connected.");
// Create an SSL stream that will close the client's stream.
SslStream sslStream = new SslStream(
client.GetStream(),
false,
new RemoteCertificateValidationCallback(ValidateServerCertificate),
null
);
// The server name must match the name on the server certificate.
try
{
sslStream.AuthenticateAsClient(serverName);
}
catch (AuthenticationException e)
{
Console.WriteLine("Exception: {0}", e.Message);
if (e.InnerException != null)
{
Console.WriteLine("Inner exception: {0}", e.InnerException.Message);
}
Console.WriteLine("Authentication failed - closing the connection.");
client.Close();
return;
}
// Encode a test message into a byte array.
// Signal the end of the message using the "<EOF>".
byte[] messsage = Encoding.UTF8.GetBytes("Hello from the client.<EOF>");
// Send hello message to the server.
sslStream.Write(messsage);
sslStream.Flush();
// Read message from the server.
string serverMessage = ReadMessage(sslStream);
Console.WriteLine("Server says: {0}", serverMessage);
// Close the client connection.
client.Close();
Console.WriteLine("Client closed.");
}
static string ReadMessage(SslStream sslStream)
{
// Read the message sent by the server.
// The end of the message is signaled using the
// "<EOF>" marker.
byte[] buffer = new byte[2048];
StringBuilder messageData = new StringBuilder();
int bytes = -1;
do
{
bytes = sslStream.Read(buffer, 0, buffer.Length);
// Use Decoder class to convert from bytes to UTF8
// in case a character spans two buffers.
Decoder decoder = Encoding.UTF8.GetDecoder();
char[] chars = new char[decoder.GetCharCount(buffer, 0, bytes)];
decoder.GetChars(buffer, 0, bytes, chars, 0);
messageData.Append(chars);
// Check for EOF.
if (messageData.ToString().IndexOf("<EOF>") != -1)
{
break;
}
} while (bytes != 0);
return messageData.ToString();
}
public static void Main(string[] args)
{
string serverCertificateName = null;
string machineName = null;
/*
// User can specify the machine name and server name.
// Server name must match the name on the server's certificate.
machineName = args[0];
if (args.Length < 2)
{
serverCertificateName = machineName;
}
else
{
serverCertificateName = args[1];
}*/
machineName = "127.0.0.1";
serverCertificateName = "David-PC";// tried Test, LocalMachine and 127.0.0.1
SslTcpClient.RunClient(machineName, serverCertificateName);
Console.ReadKey();
}
}
}
编辑:
服务器接受客户端连接和所有内容,但在等待客户端发送消息时超时。 (由于证书中的服务器名称与我在客户端提供的服务器名称不同,客户端不会对服务器进行身份验证)以及我对此的想法只是为了澄清
更新:
根据答案,我已将证书制作人改为:
makecert -sr LocalMachine -ss My -n“CN = localhost”-sky exchange -sk 123456 c:/Test.cer 在我的客户中,我有:
machineName = "127.0.0.1";
serverCertificateName = "localhost";// tried Test, LocalMachine and 127.0.0.1
SslTcpClient.RunClient(machineName, serverCertificateName);
现在我得到了例外:
RemoteCertificateChainErrors 例外:根据验证程序
,远程证书无效
发生在这里:
// The server name must match the name on the server certificate.
try
{
sslStream.AuthenticateAsClient(serverName);
}
catch (AuthenticationException e)
{
Console.WriteLine("Exception: {0}", e.Message);
if (e.InnerException != null)
{
Console.WriteLine("Inner exception: {0}", e.InnerException.Message);
}
Console.WriteLine("Authentication failed - closing the connection. "+ e.Message);
client.Close();
return;
}
答案 0 :(得分:10)
答案可以在SslStream.AuthenticateAsClient Method备注部分找到:
为targetHost指定的值必须与服务器证书上的名称匹配。
如果您为服务器使用主题为“CN = localhost”的证书,则必须使用“localhost”作为targetHost参数调用AuthenticateAsClient,以在客户端成功对其进行身份验证。如果您使用“CN = David-PC”作为证书主题,则必须使用“David-PC”作为targetHost调用AuthenticateAsClient。 SslStream通过将要连接的服务器名称(以及传递给AuthenticateAsClient的服务器名称)与从服务器接收的证书中的主题进行匹配来检查服务器标识。实践是运行服务器的计算机名称与证书主题的名称相匹配,并且在客户端中,您将相同的主机名传递给AuthenticateAsClient,就像您用于打开连接一样(在本例中使用TcpClient)。
但是,在服务器和客户端之间成功建立SSL连接还有其他条件:传递给AuthenticateAsServer的证书必须具有私钥,它必须在客户端计算机上受信任,并且不得具有与建立使用相关的任何密钥使用限制SSL会话。
现在与您的代码示例相关,您的问题与证书的生成和使用有关。
您没有为证书提供颁发者,因此无法信任 - 这是RemoteCertificateChainErrors例外的原因。我建议为开发目的创建一个自签名证书,指定makecert的-r选项。
要信任,证书必须是自签名的,并且必须放在Windows证书存储区中的受信任位置,或者必须与已签名的证书颁发机构链接。因此,而不是-ss My选项将证书放在个人存储中,使用-ss root将其置于受信任的根证书颁发机构中,并且它将在您的计算机上受信任(从代码我假设您的客户端正在运行与服务器在同一台机器上,并在其上生成证书)。
如果将输出文件指定为makecert,则会将证书导出为.cer,但此格式仅包含公钥,而不包含服务器建立SSL连接所需的私钥。最简单的方法是从服务器代码中的Windows证书存储区中读取证书。 (您也可以使用另一种格式从商店中导出它,允许按照此处所述Export a certificate with the private key存储私钥,并在服务器代码中读取该文件。)
您可以在此处找到有关此处使用的makecert选项的详细信息Certificate Creation Tool (Makecert.exe)
总之,您的代码需要运行以下更改(使用您的最新代码更新进行测试):
makecert -sr LocalMachine -ss root -r -n“CN = localhost”-sky exchange -sk 123456
serverCertificate = X509Certificate.CreateFromCertFile(certificate);
在服务器代码中:
X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
var certificates = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, "CN=localhost", false);
store.Close();
if (certificates.Count == 0)
{
Console.WriteLine("Server certificate not found...");
return;
}
else
{
serverCertificate = certificates[0];
}
如果稍后更改代码,请记住将“CN = localhost”替换为您要使用的证书的主题(在这种情况下,应该与传递给makecert的-n选项的值相同)。还要考虑在服务器证书的主题中使用运行服务器而不是localhost的计算机名称。
答案 1 :(得分:5)
服务器证书的CN必须与服务器的域名完全相同。我想,在你的情况下,通用名称必须是“localhost”(没有引号)。
重要提示:当然,正如您可能已阅读其他答案一样,切勿在生产中使用CN="localhost"。
答案 2 :(得分:4)
首先,不要创建主题为“CN = localhost”或等效的证书。它永远不会用于生产,所以不要这样做。始终将其发布到您计算机的主机名,例如CN =“mycomputer”,并在连接到主机名而不是localhost时使用主机名。您可以使用“使用者替代名称”扩展名指定多个名称,但makecert似乎不支持此名称。
其次,在颁发服务器SSL证书时,需要将“服务器身份验证”OID添加到证书的增强型密钥用法(EKU)扩展中。在示例中将-eku 1.3.6.1.5.5.7.3.1参数添加到makecert。如果要进行客户端证书身份验证,请使用“客户端身份验证”OID 1.3.6.1.5.5.7.3.2。
最后,makecert创建的默认证书使用MD5作为其散列算法。 MD5被认为是不安全的,虽然它不会影响您的测试,但养成使用SHA1的习惯。将-a sha1添加到上面的makecert参数以强制使用SHA1。默认密钥大小也应该从1024位增加到2048位,但你明白了。
答案 3 :(得分:1)
要使其与WCF一起使用,必须首先创建自签名根证书颁发机构证书,然后使用它为localhost创建证书。
我认为同样适用于您的项目,请查看本文How to: Create Temporary Certificates for Use During Development了解详情。
答案 4 :(得分:1)
你试过了吗??
为example.net这样的完整域名创建证书(对于任何故意不是真名的内容,最好使用example.net,example.com或example.org)如果这是一个网站并且您知道它将是什么,将在实际使用中使用的名称。
更新您的hosts文件,以便它将使用127.0.0.1作为该名称。
答案 5 :(得分:1)
关于您的更新:
One of the SslStream constructors可让您提供RemoteCertificateValidationCallback delegate。您应该能够在您提供的方法中放置断点,以查看您获得的实际错误。检查发送的SslPolicyErrors值。