I am using SslStream from the .NET Framework to connect to the Apple Push Notification Service (APNs). I connect over the Binary Provider API. As part of the initial handshake, SslStream performs AuthenticateAsClient on the network stream. Here is the code:
_sslStream = new SslStream(_tcpClient.GetStream());
_sslStream.AuthenticateAsClient(
    _url,                                            // APNs host name; also the target host checked against the server certificate
    new X509CertificateCollection { _certificate },  // client (push) certificate offered to APNs
    SslProtocols.Tls,                                // TLS 1.0 only
    true);                                           // checkCertificateRevocation
where _url is the APNs host name and _certificate is the application's push certificate. On most machines (running Windows Server versions) this is accepted and communication can continue. On some machines, however, it fails. This is the exact error:
The remote certificate is invalid according to the validation procedure.
The code runs as a Windows service under the Local System account. When exactly the same code runs as a command-line application under a local user, the handshake is accepted and communication continues. Running the same command-line application under Local System with psexec -i -s produces the same error. I checked for differences between the Local Machine and Current User certificate stores, but there are none.
I also tested the "workaround". In this modified form, the code shown earlier works by ignoring the certificate entirely. This does exactly what you would expect: the received certificate is not checked and communication continues. It looks like this:
// The validation callback unconditionally returns true, so every server certificate is accepted
_sslStream = new SslStream(_tcpClient.GetStream(), false, (sender, certificate, chain, errors) => true);
_sslStream.AuthenticateAsClient(
    _url,
    new X509CertificateCollection { _certificate },
    SslProtocols.Tls,
    false);                                          // revocation checking disabled as well
Of course, disabling security is not a good idea. What is causing the handshake to break?!
Answer 0 (score: 0)
The challenge here is finding out which requirement is not met. You can use this: https://github.com/rodneyviana/blogdemos/blob/master/TestServerCertificate.zip
See the following example:
c:\tools>whoami
nt authority\system
c:\tools>TestServerCertificate.exe www.microsoft.com 443
Verify Certificate Details
==========================
Writing logs to C:\WINDOWS\TEMP\certchain_e9ab7362-e5ba-4adc-b47c-7f28c0eddbfc\output.log
c:\tools>notepad C:\WINDOWS\TEMP\certchain_e9ab7362-e5ba-4adc-b47c-7f28c0eddbfc\output.log
Here is the actual log from the command above (with no errors, of course):
Getting certificate from www.microsoft.com 443
TLS Protocol: Tls12
Strength 256
Certificate at www.microsoft.com
Thumbprint: 8FBE50987D59F8C023492162238250C2ED18176A
Subject: CN=www.microsoft.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US
Friendly Name:
Issuer name: CN=Microsoft IT TLS CA 4, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Valid until: 1/16/2020 3:24:02 PM
Certificate is valid: True
Number of extensions: 10
Writing Certificate: C:\WINDOWS\TEMP\certchain_e9ab7362-e5ba-4adc-b47c-7f28c0eddbfc\certificate_8FBE50987D59F8C023492162238250C2ED18176A.cer
WARNING: Certificate was not found in any location store
Chain Information
=================
Chain revocation flag: ExcludeRoot
Chain revocation mode: Online
Chain verification flag: NoFlag
Chain verification time: 8/11/2018 1:57:30 AM
Chain status length: 0
Chain application policy count: 0
Chain certificate policy count: 0
Chain Element Information
Number of chain elements: 3
Intermediate Certificate
==============================================
Element thumbprint: 8A38755D0996823FE8FA3116A277CE446EAC4E99
Element subject: CN=Microsoft IT TLS CA 4, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Friendly Name:
Element issuer name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Element certificate valid until: 5/20/2024 7:52:38 AM
Element certificate is valid: True
Element error status length: 0
Element information:
Number of element extensions: 8
Writing Certificate: C:\WINDOWS\TEMP\certchain_e9ab7362-e5ba-4adc-b47c-7f28c0eddbfc\Intermediate_8A38755D0996823FE8FA3116A277CE446EAC4E99.cer
Information: Certificate was found installed in store(s) - CurrentUser\CA
ROOT Certificate
==============================================
Element thumbprint: D4DE20D05E66FC53FE1A50882C78DB2852CAE474
Element subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Friendly Name: DigiCert Baltimore Root
Element issuer name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Element certificate valid until: 5/12/2025 6:59:00 PM
Element certificate is valid: True
Element error status length: 0
Element information:
Number of element extensions: 3
Writing Certificate: C:\WINDOWS\TEMP\certchain_e9ab7362-e5ba-4adc-b47c-7f28c0eddbfc\ROOT_D4DE20D05E66FC53FE1A50882C78DB2852CAE474.cer
Information: Certificate was found installed in store(s) - CurrentUser\AuthRoot LocalMachine\AuthRoot CurrentUser\Root LocalMachine\Root
============= End of Report =============
If the log still does not explain the problem, post it here for analysis.
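The tool in the answer runs as a separate process; the same diagnostics can be produced from inside the RemoteCertificateValidationCallback itself, which is also where the question's workaround goes wrong. The following is an added example written for this page, not code from the question, the answer, or the linked TestServerCertificate tool. It assumes host and port are given on the command line, offers no client certificate (the point is server certificate validation only), uses TLS 1.2 rather than the question's SslProtocols.Tls, and searches the same store names the tool's log reports (Root, AuthRoot, CA) under CurrentUser and LocalMachine. The callback logs every SslPolicyErrors flag, every chain and element status, and the stores each chain element was found in, and then accepts the connection only when there are no errors at all.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic client (assumption: host and port come from the command line).
// Run it once as a local user and once under Local System (psexec -i -s) and diff the output.
static class TlsChainDiagnostics
{
    // Store locations and names a chain build consults for trust anchors and intermediates.
    static readonly StoreLocation[] Locations = { StoreLocation.CurrentUser, StoreLocation.LocalMachine };
    static readonly StoreName[] Names = { StoreName.Root, StoreName.AuthRoot, StoreName.CertificateAuthority };

    // Returns the stores (for the account running this process) that contain the certificate.
    static string StoreMembership(X509Certificate2 cert)
    {
        var found = new List<string>();
        foreach (StoreLocation location in Locations)
        {
            foreach (StoreName name in Names)
            {
                using (var store = new X509Store(name, location))
                {
                    store.Open(OpenFlags.ReadOnly);
                    if (store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false).Count > 0)
                        found.Add(location + "\\" + name);
                }
            }
        }
        return found.Count == 0 ? "not found in any store" : string.Join(" ", found);
    }

    // Validation callback: log the reasons, then accept only a clean result.
    // This is the difference from the workaround in the question, which returns true unconditionally.
    static bool LoggingValidation(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine("SslPolicyErrors: {0}", errors);
        if (chain != null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.WriteLine("  chain status: {0} - {1}", status.Status, (status.StatusInformation ?? "").Trim());

            foreach (X509ChainElement element in chain.ChainElements)
            {
                X509Certificate2 cert = element.Certificate;
                Console.WriteLine("  {0}", cert.Subject);
                Console.WriteLine("    thumbprint: {0}", cert.Thumbprint);
                Console.WriteLine("    valid until: {0}", cert.NotAfter);
                Console.WriteLine("    stores: {0}", StoreMembership(cert));
                foreach (X509ChainStatus status in element.ChainElementStatus)
                    Console.WriteLine("    element status: {0} - {1}", status.Status, (status.StatusInformation ?? "").Trim());
            }
        }
        return errors == SslPolicyErrors.None;
    }

    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.WriteLine("usage: TlsChainDiagnostics <host> <port>");
            return 2;
        }
        string host = args[0];
        int port = int.Parse(args[1]);

        using (var client = new TcpClient(host, port))
        using (var ssl = new SslStream(client.GetStream(), false, LoggingValidation))
        {
            try
            {
                // Empty collection: no client certificate is presented in this diagnostic run.
                ssl.AuthenticateAsClient(host, new X509CertificateCollection(), SslProtocols.Tls12, true);
                Console.WriteLine("Handshake OK: {0}, remote subject {1}", ssl.SslProtocol, ssl.RemoteCertificate.Subject);
                return 0;
            }
            catch (AuthenticationException ex)
            {
                // The callback output above names the failing check (untrusted root, revocation unreachable, name mismatch, ...).
                Console.WriteLine("Handshake failed: {0}", ex.Message);
                return 1;
            }
        }
    }
}
```

Compare the "stores:" lines between the two accounts: a chain element reported as not found in any store under Local System but present under the local user points at a per-user store or an AuthRoot auto-update that only the interactive account has performed, while a RevocationStatusUnknown or OfflineRevocation status with a clean chain points at the service account lacking outbound access (or proxy settings) for CRL/OCSP fetching. Keep the final line as written; accepting anything other than SslPolicyErrors.None turns the diagnostic back into the workaround.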