我正在尝试编写代码来验证SSL证书,如下所示;
HttpWebRequest request =
HttpWebRequest)WebRequest.Create("https://www.someurl.com");
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
response.Close();
X509Certificate cert = request.ServicePoint.Certificate;
var cert2 = new X509Certificate2(cert);
X509Chain chain = new X509Chain();
X509ChainPolicy chainPolicy = new X509ChainPolicy()
{
RevocationMode = X509RevocationMode.Online,
RevocationFlag = X509RevocationFlag.EntireChain
};
chain.ChainPolicy = chainPolicy;
if (!chain.Build(cert2))
{
foreach (X509ChainElement chainElement in chain.ChainElements)
{
foreach (X509ChainStatus chainStatus in chainElement.ChainElementStatus)
{
Console.WriteLine(chainStatus.StatusInformation);
}
}
}
构建方法返回true,但不应该。我可以通过使用在线检查并使用openSSL来确认证书无效。
当我查询chain.ChainElements时,有些证书没有被服务器发送(这就是证书无效的原因)。我假设这些都是在其他地方提取的,但是从证书存储区(对于我的帐户和计算机帐户)中删除了它们的任何迹象,它们仍会出现。
我需要能够仅根据响应中收到的内容验证此证书。
编辑以添加其他来源的输出;
> openssl s_client -showcerts -connect www.someurl.com:443
> CONNECTED(00000003) depth=0 OU = GT99831354, OU = See
> www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated -
> RapidSSL(R), CN = www.someurl.com verify error:num=20:unable to get
> local issuer certificate verify return:1 depth=0 OU = GT99831354, OU =
> See www.rapidssl.com/resources/cps (c)15, OU = Domain Control
> Validated - RapidSSL(R), CN = www.someurl.com verify
> error:num=27:certificate not trusted
工作证书;
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
verify return:1
depth=0 CN = *.someurl.co.uk