我正在尝试连接到使用自签名SSL证书的API。我这样做是使用.NET的HttpWebRequest和HttpWebResponse对象。我得到一个例外:
基础连接已关闭:无法为SSL / TLS安全通道建立信任关系。
我明白这意味着什么。我理解为什么 .NET认为它应该警告我并关闭连接。但在这种情况下,我还是想连接到API,无论如何都会受到中间人攻击。
那么,我该如何为这个自签名证书添加例外呢?或者是告诉HttpWebRequest / Response不要验证证书的方法?我该怎么做?
答案 0 :(得分:87)
事实证明,如果您只想完全禁用证书验证,可以更改ServicePointManager上的ServerCertificateValidationCallback,如下所示:
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
这将验证所有证书(包括无效,过期或自签名证书)。
答案 1 :(得分:74)
@Domster:这有效,但您可能希望通过检查证书哈希是否符合您的预期来强制执行一些安全性。因此,扩展版本看起来有点像这样(基于我们正在使用的一些实时代码):
static readonly byte[] apiCertHash = { 0xZZ, 0xYY, ....};
/// <summary>
/// Somewhere in your application's startup/init sequence...
/// </summary>
void InitPhase()
{
// Override automatic validation of SSL server certificates.
ServicePointManager.ServerCertificateValidationCallback =
ValidateServerCertficate;
}
/// <summary>
/// Validates the SSL server certificate.
/// </summary>
/// <param name="sender">An object that contains state information for this
/// validation.</param>
/// <param name="cert">The certificate used to authenticate the remote party.</param>
/// <param name="chain">The chain of certificate authorities associated with the
/// remote certificate.</param>
/// <param name="sslPolicyErrors">One or more errors associated with the remote
/// certificate.</param>
/// <returns>Returns a boolean value that determines whether the specified
/// certificate is accepted for authentication; true to accept or false to
/// reject.</returns>
private static bool ValidateServerCertficate(
object sender,
X509Certificate cert,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
{
// Good certificate.
return true;
}
log.DebugFormat("SSL certificate error: {0}", sslPolicyErrors);
bool certMatch = false; // Assume failure
byte[] certHash = cert.GetCertHash();
if (certHash.Length == apiCertHash.Length)
{
certMatch = true; // Now assume success.
for (int idx = 0; idx < certHash.Length; idx++)
{
if (certHash[idx] != apiCertHash[idx])
{
certMatch = false; // No match
break;
}
}
}
// Return true => allow unauthenticated server,
// false => disallow unauthenticated server.
return certMatch;
}
答案 2 :(得分:43)
请注意,在.NET 4.5中,您可以根据HttpWebRequest本身覆盖SSL验证(而不是通过影响所有请求的全局委托):
HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(uri);
request.ServerCertificateValidationCallback = delegate { return true; };
答案 3 :(得分:42)
答案 4 :(得分:33)
Domster's answer中使用的验证回调的范围可以限制为使用ServerCertificateValidationCallback委托上的sender参数的特定请求。以下简单范围类使用此技术临时连接仅针对给定请求对象执行的验证回调。
public class ServerCertificateValidationScope : IDisposable
{
private readonly RemoteCertificateValidationCallback _callback;
public ServerCertificateValidationScope(object request,
RemoteCertificateValidationCallback callback)
{
var previous = ServicePointManager.ServerCertificateValidationCallback;
_callback = (sender, certificate, chain, errors) =>
{
if (sender == request)
{
return callback(sender, certificate, chain, errors);
}
if (previous != null)
{
return previous(sender, certificate, chain, errors);
}
return errors == SslPolicyErrors.None;
};
ServicePointManager.ServerCertificateValidationCallback += _callback;
}
public void Dispose()
{
ServicePointManager.ServerCertificateValidationCallback -= _callback;
}
}
上述类可用于忽略特定请求的所有证书错误,如下所示:
var request = WebRequest.Create(uri);
using (new ServerCertificateValidationScope(request, delegate { return true; }))
{
request.GetResponse();
}
答案 5 :(得分:3)
要向其他人添加可能的帮助...如果您希望它提示用户安装自签名证书,您可以使用此代码(从上面修改)。
不需要管理员权限,安装到本地用户可信任的配置文件:
private static bool ValidateServerCertficate(
object sender,
X509Certificate cert,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
{
// Good certificate.
return true;
}
Common.Helpers.Logger.Log.Error(string.Format("SSL certificate error: {0}", sslPolicyErrors));
try
{
using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
store.Open(OpenFlags.ReadWrite);
store.Add(new X509Certificate2(cert));
store.Close();
}
return true;
}
catch (Exception ex)
{
Common.Helpers.Logger.Log.Error(string.Format("SSL certificate add Error: {0}", ex.Message));
}
return false;
}
这似乎适用于我们的应用程序,如果用户按否,则通信将无法正常工作。
更新:2015-12-11 - 将StoreName.Root更改为StoreName.My - 我将安装到本地用户存储中,而不是Root。即使您“以管理员身份运行”
,某些系统上的root也无法正常工作答案 6 :(得分:2)
建立在devstuff的回答基础上,包括主题和发行人......欢迎评论......
public class SelfSignedCertificateValidator
{
private class CertificateAttributes
{
public string Subject { get; private set; }
public string Issuer { get; private set; }
public string Thumbprint { get; private set; }
public CertificateAttributes(string subject, string issuer, string thumbprint)
{
Subject = subject;
Issuer = issuer;
Thumbprint = thumbprint.Trim(
new char[] { '\u200e', '\u200f' } // strip any lrt and rlt markers from copy/paste
);
}
public bool IsMatch(X509Certificate cert)
{
bool subjectMatches = Subject.Replace(" ", "").Equals(cert.Subject.Replace(" ", ""), StringComparison.InvariantCulture);
bool issuerMatches = Issuer.Replace(" ", "").Equals(cert.Issuer.Replace(" ", ""), StringComparison.InvariantCulture);
bool thumbprintMatches = Thumbprint == String.Join(" ", cert.GetCertHash().Select(h => h.ToString("x2")));
return subjectMatches && issuerMatches && thumbprintMatches;
}
}
private readonly List<CertificateAttributes> __knownSelfSignedCertificates = new List<CertificateAttributes> {
new CertificateAttributes( // can paste values from "view cert" dialog
"CN = subject.company.int",
"CN = issuer.company.int",
"f6 23 16 3d 5a d8 e5 1e 13 58 85 0a 34 9f d6 d3 c8 23 a8 f4")
};
private static bool __createdSingleton = false;
public SelfSignedCertificateValidator()
{
lock (this)
{
if (__createdSingleton)
throw new Exception("Only a single instance can be instanciated.");
// Hook in validation of SSL server certificates.
ServicePointManager.ServerCertificateValidationCallback += ValidateServerCertficate;
__createdSingleton = true;
}
}
/// <summary>
/// Validates the SSL server certificate.
/// </summary>
/// <param name="sender">An object that contains state information for this
/// validation.</param>
/// <param name="cert">The certificate used to authenticate the remote party.</param>
/// <param name="chain">The chain of certificate authorities associated with the
/// remote certificate.</param>
/// <param name="sslPolicyErrors">One or more errors associated with the remote
/// certificate.</param>
/// <returns>Returns a boolean value that determines whether the specified
/// certificate is accepted for authentication; true to accept or false to
/// reject.</returns>
private bool ValidateServerCertficate(
object sender,
X509Certificate cert,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
return true; // Good certificate.
Dbg.WriteLine("SSL certificate error: {0}", sslPolicyErrors);
return __knownSelfSignedCertificates.Any(c => c.IsMatch(cert));
}
}
答案 7 :(得分:1)
要记住的一件事是,拥有ServicePointManager.ServerCertificateValidationCallback似乎并不意味着CRL检查和服务器名称验证没有完成,它只提供覆盖其结果的方法。因此,您的服务可能仍需要一段时间才能获得CRL,之后您才会知道它未通过某些检查。
答案 8 :(得分:1)
我遇到了与OP相同的问题,Web请求会抛出那个确切的异常。我已经正确设置了所有设置,证书已安装,我可以在机器商店中找到它并将其附加到Web请求中,并且我已禁用了请求上下文中的证书验证。
事实证明我在我的用户帐户下运行,并且证书已安装到机器商店。这导致Web请求抛出此异常。要解决这个问题,我必须以管理员身份运行,或者将证书安装到用户存储区并从那里读取。
似乎C#能够在机器商店中找到证书,即使它不能与Web请求一起使用,并且这会导致在Web上抛出OP的异常请求已发出。
答案 9 :(得分:1)
首先-我很抱歉,因为我使用了@devstuff描述的解决方案。但是,我发现了一些改进方法。
这是我的修改内容
private static X509Certificate2 caCertificate2 = null;
/// <summary>
/// Validates the SSL server certificate.
/// </summary>
/// <param name="sender">An object that contains state information for this validation.</param>
/// <param name="cert">The certificate used to authenticate the remote party.</param>
/// <param name="chain">The chain of certificate authorities associated with the remote certificate.</param>
/// <param name="sslPolicyErrors">One or more errors associated with the remote certificate.</param>
/// <returns>Returns a boolean value that determines whether the specified certificate is accepted for authentication; true to accept or false to reject.</returns>
private static bool ValidateServerCertficate(
object sender,
X509Certificate cert,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
{
// Good certificate.
return true;
}
// If the following line is not added, then for the self-signed cert an error will be (not tested with let's encrypt!):
// "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (UntrustedRoot)"
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
// convert old-style cert to new-style cert
var returnedServerCert2 = new X509Certificate2(cert);
// This part is very important. Adding known root here. It doesn't have to be in the computer store at all. Neither do certificates.
chain.ChainPolicy.ExtraStore.Add(caCertificate2);
// 1. Checks if ff the certs are OK (not expired/revoked/etc)
// 2. X509VerificationFlags.AllowUnknownCertificateAuthority will make sure that untrusted certs are OK
// 3. IMPORTANT: here, if the chain contains the wrong CA - the validation will fail, as the chain is wrong!
bool isChainValid = chain.Build(returnedServerCert2);
if (!isChainValid)
{
string[] errors = chain.ChainStatus
.Select(x => String.Format("{0} ({1})", x.StatusInformation.Trim(), x.Status))
.ToArray();
string certificateErrorsString = "Unknown errors.";
if (errors != null && errors.Length > 0)
{
certificateErrorsString = String.Join(", ", errors);
}
Log.Error("Trust chain did not complete to the known authority anchor. Errors: " + certificateErrorsString);
return false;
}
// This piece makes sure it actually matches your known root
bool isValid = chain.ChainElements
.Cast<X509ChainElement>()
.Any(x => x.Certificate.RawData.SequenceEqual(caCertificate2.GetRawCertData()));
if (!isValid)
{
Log.Error("Trust chain did not complete to the known authority anchor. Thumbprints did not match.");
}
return isValid;
}
设置证书:
caCertificate2 = new X509Certificate2("auth/ca.crt", "");
var clientCertificate2 = new X509Certificate2("auth/client.pfx", "");
传递委托方法
ServerCertificateValidationCallback(ValidateServerCertficate)
client.pfx是使用KEY和CERT生成的,例如:
openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx