我有由IIS托管的WCF REST Web服务,它适用于HTTPS,我在IIS上生成证书并将Https分配给端口
我通过IE浏览器生成cer。我创建一个测试应用程序,无论是否添加客户端证书,甚至添加错误的证书,连接发生,我得到正确的响应。我想知道如果没有发送证书,邮件是如何被解密的。
目的地没有安全或我误解了整个事情。 还
我从回调“CheckValidationResult()”得到的错误也是 CertCN_NO_MATCH = 0x800B010F 要么 “未知证书问题”,对于这种情况,certificateProblem(CheckValidationResult的参数)为0
什么是CertCN_NO_MATCH eror,什么是CN?
见下面的代码。
ServicePointManager.CertificatePolicy = new CertPolicy();
HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(String.Format("https://{0}/uri", ip));
//request.ClientCertificates.Add(new X509Certificate("D:\\ThePubKey.cer"));
request.ContentType = "application/x-www-form-urlencoded";
request.Method = "POST";
using (StreamWriter stream = new StreamWriter(request.GetRequestStream()))
{
stream.Write("RequestType=CheckStatus&ReportType=Fulfillment&ReportID=5");
}
using (StreamReader stream = new StreamReader(request.GetResponse().GetResponseStream()))
{
Response.ContentType = "text/xml";
Response.Output.Write(stream.ReadToEnd());
Response.End();
}
class CertPolicy : ICertificatePolicy
{
public enum CertificateProblem : uint
{
CertEXPIRED = 0x800B0101,
CertVALIDITYPERIODNESTING = 0x800B0102,
CertROLE = 0x800B0103,
CertPATHLENCONST = 0x800B0104,
CertCRITICAL = 0x800B0105,
CertPURPOSE = 0x800B0106,
CertISSUERCHAINING = 0x800B0107,
CertMALFORMED = 0x800B0108,
CertUNTRUSTEDROOT = 0x800B0109,
CertCHAINING = 0x800B010A,
CertREVOKED = 0x800B010C,
CertUNTRUSTEDTESTROOT = 0x800B010D,
CertREVOCATION_FAILURE = 0x800B010E,
CertCN_NO_MATCH = 0x800B010F,
CertWRONG_USAGE = 0x800B0110,
CertUNTRUSTEDCA = 0x800B0112
}
public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem)
{
// You can do your own certificate checking.
// You can obtain the error values from WinError.h.
// Return true so that any certificate will work with this sample.
String error = "";
using (StringWriter writer = new StringWriter())
{
writer.WriteLine("Certificate Problem with accessing " + request.RequestUri);
writer.Write("Problem code 0x{0:X8},", (int)certificateProblem);
writer.WriteLine(GetProblemMessage((CertificateProblem)certificateProblem));
error = writer.ToString();
}
return true;
}
private String GetProblemMessage(CertificateProblem Problem)
{
String ProblemMessage = "";
CertificateProblem problemList = new CertificateProblem();
String ProblemCodeName = Enum.GetName(problemList.GetType(), Problem);
if (ProblemCodeName != null)
ProblemMessage = ProblemMessage + "-Certificateproblem:" +
ProblemCodeName;
else
ProblemMessage = "Unknown Certificate Problem";
return ProblemMessage;
}
}
答案 0 :(得分:1)
我刚回复this similar question (in Java)。
CN是“通用名称”。它应该是您要连接的服务器的主机名(除非它在主题备用名称中)。我想从您的代码示例中直接使用IP地址。在这种情况下,CN应该是IP地址(使用主机名而不是IP地址往往更好)。有关规格,请参阅RFC 2818 (sec 3.1)。
请注意,CN或主题备用名称是从客户端的角度来看的,因此如果您连接到https://some.example.com/,则证书中的名称应为some.example.com,如果您连接到https://localhost/,然后证书中的名称应该是localhost,即使some.example.com和localhost可能是有效的同一服务器。 (我想默认情况下,IIS可能会为外部名称生成证书,但您必须查看要知道的证书;这应该在某处的证书属性中可见。)