I am writing a client program in C# for a customer. The program connects to a service the customer uses, and that service requires a client certificate for authentication. When the client tries to establish a connection to the service, it fails (logged below). I do not have direct access to the service we are trying to connect to, so the best I can do is test locally and then send the customer a build of the program to test.

Some notes:
- My code works locally, using self-signed certificates for both the client and a "mock" server I put together.
- I am using HttpWebRequest.ClientCertificates.Add(...) to set the client certificate.
- For now I am using ServicePointManager.ServerCertificateValidationCallback to always accept the server certificate (temporary; I am just trying to isolate the client certificate problem for the moment).
- The customer uses a certificate from a CA as their client certificate (i.e. not a self-signed certificate).
- The client certificate is stored in a p12 file that our program opens directly (not from the Windows certificate manager).
- Based on some other logging, my client certificate is loading fine and has a private key.

Below is the log from the customer's system. I am really not sure how to interpret it. This line seems important: "We have user-provided certificates. The server has specified 6 issuer(s). Looking for certificates that match any of the issuers." Does this mean that the client certificate's issuer needs to match one of the issuers the server specified? How can I see what that list is? It does not seem to appear anywhere in the network trace log (I can see the client certificate's issuer, but not the issuers the server expects).
System.Net Warning: 0 : [1272] The Registry value 'Software\Microsoft\Windows NT\CurrentVersion\InstallationType' was either empty or not a string type.
System.Net Information: 0 : [1272] Current OS installation type is 'Unknown'.
System.Net Verbose: 0 : [1272] WebRequest::Create(https://[redacted])
System.Net Verbose: 0 : [1272] HttpWebRequest#27504314::HttpWebRequest(https://[redacted]#-921164489)
System.Net Information: 0 : [1272] RAS supported: True
System.Net Verbose: 0 : [1272] Exiting HttpWebRequest#27504314::HttpWebRequest()
System.Net Verbose: 0 : [1272] Exiting WebRequest::Create() -> HttpWebRequest#27504314
System.Net Verbose: 0 : [1272] HttpWebRequest#27504314::GetRequestStream()
System.Net Information: 0 : [1272] Associating HttpWebRequest#27504314 with ServicePoint#46212239
System.Net Information: 0 : [1272] Associating Connection#13256970 with HttpWebRequest#27504314
System.Net Information: 0 : [1272] Connection#13256970 - Created connection from [redacted] to [redacted].
System.Net Information: 0 : [1272] TlsStream#52203868::.ctor(host=[redacted], #certs=1)
System.Net Information: 0 : [1272] Associating HttpWebRequest#27504314 with ConnectStream#72766
System.Net Verbose: 0 : [1272] Exiting HttpWebRequest#27504314::GetRequestStream() -> ConnectStream#72766
System.Net Verbose: 0 : [1272] ConnectStream#72766::Write()
System.Net Verbose: 0 : [1272] Data from ConnectStream#72766::Write
[redacted (xml)]
System.Net Verbose: 0 : [1272] Exiting ConnectStream#72766::Write()
System.Net Verbose: 0 : [1272] ConnectStream#72766::Close()
System.Net Verbose: 0 : [1272] Exiting ConnectStream#72766::Close()
System.Net Verbose: 0 : [1272] HttpWebRequest#27504314::GetResponse()
System.Net Information: 0 : [1272] HttpWebRequest#27504314 - Request: POST [redacted] HTTP/1.1
System.Net Information: 0 : [1272] SecureChannel#5894079::.ctor(hostname=[redacted], #clientCertificates=1, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [1272] Enumerating security packages:
System.Net Information: 0 : [1272] Negotiate
System.Net Information: 0 : [1272] Kerberos
System.Net Information: 0 : [1272] NTLM
System.Net Information: 0 : [1272] Schannel
System.Net Information: 0 : [1272] Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [1272] WDigest
System.Net Information: 0 : [1272] DPA
System.Net Information: 0 : [1272] Digest
System.Net Information: 0 : [1272] MSN
System.Net Information: 0 : [1272] SecureChannel#5894079 - Attempting to restart the session using the user-provided certificate: [Version]
V3
[Subject]
CN=[redacted]
Simple Name: [redacted]
DNS Name: [redacted]
[Issuer]
CN=[redacted]
Simple Name: [redacted]
DNS Name: [redacted]
[Serial Number]
[redacted]
[Not Before]
5/8/2013 9:34:17 AM
[Not After]
4/28/2015 9:34:17 AM
[Thumbprint]
[redacted]
[Signature Algorithm]
[redacted]
[Public Key]
Algorithm: RSA
Length: 2048
Key Blob: [redacted]
System.Net Information: 0 : [1272] SecureChannel#5894079 - Left with 1 client certificates to choose from.
System.Net Information: 0 : [1272] SecureChannel#5894079 - Trying to find a matching certificate in the certificate store.
System.Net Information: 0 : [1272] SecureChannel#5894079 - Locating the private key for the certificate: [Version]
V3
[Subject]
CN=[redacted]
Simple Name: [redacted]
DNS Name: [redacted]
[Issuer]
CN=[redacted]
Simple Name: [redacted]
DNS Name: [redacted]
[Serial Number]
[redacted]
[Not Before]
5/8/2013 9:34:17 AM
[Not After]
4/28/2015 9:34:17 AM
[Thumbprint]
[redacted]
[Signature Algorithm]
[redacted]
[Public Key]
Algorithm: RSA
Length: 2048
Key Blob: [redacted]
System.Net Information: 0 : [1272] SecureChannel#5894079 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [1272] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Information: 0 : [1272] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = [redacted], inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [1272] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=77, returned code=ContinueNeeded).
System.Net Information: 0 : [1272] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 1e5098:1962c68, targetName = [redacted], inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [1272] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=CredentialsNeeded).
System.Net Information: 0 : [1272] SecureChannel#5894079 - We have user-provided certificates. The server has specified 6 issuer(s). Looking for certificates that match any of the issuers.
System.Net Information: 0 : [1272] SecureChannel#5894079 - Left with 0 client certificates to choose from.
System.Net Information: 0 : [1272] Using the cached credential handle.
System.Net Information: 0 : [1272] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 1e5098:1962c68, targetName = [redacted], inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [1272] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=317, returned code=ContinueNeeded).
System.Net Information: 0 : [1272] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 1e5098:1962c68, targetName = [redacted], inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [1272] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=CertUnknown).
System.Net Error: 0 : [1272] Exception in the HttpWebRequest#27504314:: - The request was aborted: Could not create SSL/TLS secure channel.
System.Net Error: 0 : [1272] Exception in the HttpWebRequest#27504314::GetResponse - The request was aborted: Could not create SSL/TLS secure channel.
Answer 0 (score: 0)

Does this mean that the client certificate's issuer needs to match one of the issuers the server specified?

Yes. The server-side log messages look non-standard, as if they wrote them themselves, so you may want to check them.

How can I see what that list is?

You probably cannot directly, but most likely you need to load the issuer certificate into the "Trusted Issuers" or "Trusted Root Certification Authorities" store on the server.
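The issuer list the trace refers to is the certificate_authorities field of the server's TLS CertificateRequest message. HttpWebRequest does not expose it, but SslStream does, through the acceptableIssuers parameter of LocalCertificateSelectionCallback. The following is an added example (not code from the question or the answer above) of a small probe that opens the connection with SslStream, prints the issuer DNs the server sent, and checks whether the p12 client certificate, or any certificate in the chain the client can build locally, was issued by one of them. The host, port, p12 path and password are placeholders, and the check is the example's own logic, not a reproduction of what System.Net does internally.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: surface the issuer DNs a TLS server sends in CertificateRequest
// and test the p12 client certificate against them before the handshake fails.
// Host, port, p12 path and password below are assumptions, not values from the post.
class ClientCertIssuerProbe
{
    static int Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "service.example.com"; // assumption
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;           // assumption
        string p12Path = args.Length > 2 ? args[2] : "client.p12";       // assumption
        string p12Password = args.Length > 3 ? args[3] : "";             // assumption

        // Import the whole p12: the entry with a private key is the client certificate;
        // any other entries (typically the issuing CA chain) are kept for chain building.
        var bundle = new X509Certificate2Collection();
        bundle.Import(p12Path, p12Password, X509KeyStorageFlags.DefaultKeySet);
        var clientCert = bundle.Cast<X509Certificate2>().FirstOrDefault(c => c.HasPrivateKey);
        if (clientCert == null)
        {
            Console.WriteLine("No certificate with a private key found in " + p12Path);
            return 2;
        }
        var extraStore = new X509Certificate2Collection(
            bundle.Cast<X509Certificate2>().Where(c => !c.HasPrivateKey).ToArray());
        Console.WriteLine("Client certificate issuer: " + clientCert.Issuer);

        LocalCertificateSelectionCallback select =
            (sender, targetHost, localCerts, remoteCert, acceptableIssuers) =>
            {
                // The callback can run before the server's CertificateRequest has arrived;
                // then there is nothing to compare against yet.
                if (acceptableIssuers == null || acceptableIssuers.Length == 0)
                    return clientCert;

                Console.WriteLine("Server accepts client certificates from "
                                  + acceptableIssuers.Length + " issuer(s):");
                foreach (var dn in acceptableIssuers) Console.WriteLine("  " + dn);

                if (MatchesAnyIssuer(ChainIssuers(clientCert, extraStore), acceptableIssuers))
                    return clientCert;

                Console.WriteLine("Nothing in the client chain was issued by any of them; "
                                  + "sending no client certificate.");
                return null;
            };

        using (var tcp = new TcpClient(host, port))
        using (var ssl = new SslStream(tcp.GetStream(), false,
            (sender, cert, chain, errors) => errors == SslPolicyErrors.None, // keep server validation on
            select))
        {
            try
            {
                ssl.AuthenticateAsClient(host, new X509CertificateCollection { clientCert },
                    SslProtocols.Tls12, false);
                Console.WriteLine("Handshake OK, mutually authenticated: " + ssl.IsMutuallyAuthenticated);
                return 0;
            }
            catch (AuthenticationException ex)
            {
                Console.WriteLine("Handshake failed: " + ex.Message);
                return 1;
            }
        }
    }

    // Issuer DN of the leaf and of every certificate in the chain the client can build
    // locally (p12 extras plus the machine's stores). If the intermediates are missing
    // here, the chain stops at the leaf and only the leaf's issuer can match.
    static List<string> ChainIssuers(X509Certificate2 leaf, X509Certificate2Collection extraStore)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            chain.ChainPolicy.ExtraStore.AddRange(extraStore);
            chain.Build(leaf);
            return chain.ChainElements.Cast<X509ChainElement>()
                        .Select(e => e.Certificate.Issuer).ToList();
        }
    }

    // DN string forms differ between producers (attribute order, spacing), so compare
    // the DER encoding of the parsed name rather than the raw strings.
    static bool MatchesAnyIssuer(IEnumerable<string> chainIssuers, string[] acceptableIssuers)
    {
        var accepted = new HashSet<string>(acceptableIssuers.Select(NormalizeDn));
        return chainIssuers.Any(issuer => accepted.Contains(NormalizeDn(issuer)));
    }

    static string NormalizeDn(string dn)
    {
        try { return Convert.ToBase64String(new X500DistinguishedName(dn).RawData); }
        catch (CryptographicException) { return dn.Trim().ToUpperInvariant(); } // unparsable: text fallback
    }
}
```

Run it against the real endpoint from the customer's machine (the list is only sent by that server, so a local mock cannot reveal it). If the printed DNs do not include the issuer of the client certificate or of any CA in its chain, the fix is on the server side, as the answer says: its trusted-issuer configuration has to include the CA that signed the customer's client certificate. If the DN is there but the handshake still fails with "0 client certificates to choose from", check whether the intermediate CA certificates are present in the p12 or in the client's certificate stores, since the match is made on the chain the client can build locally.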