以下代码能够使用TLS连接到FTP服务器:
private FtpClient getFtpsClient(System.Uri uri) {
if (uri.Scheme != "ftps") {
throw new NotImplementedException("Only ftps is implementent");
}
var userInfo = uri.UserInfo.Split(":");
FtpClient client = new FtpClient(uri.Host, userInfo[0], userInfo[1]);
client.EncryptionMode = FtpEncryptionMode.Explicit;
client.SslProtocols = SslProtocols.Tls;
client.ValidateCertificate += new FtpSslValidation(OnValidateCertificate);
client.Connect();
void OnValidateCertificate(FtpClient control, FtpSslValidationEventArgs e) {
var cert2 = new X509Certificate2(e.Certificate);
e.Accept = cert2.Verify();
}
return client;
}
我想知道X509Certificate2.Verify()方法是否足以防止安全问题。
X509Certificate2.Verify()到底是做什么的?所引用的文档缺少信息。
它会在man-in-the-middle attack上失败吗?
答案 0 :(得分:0)
documentation已于3个月前更新,现在可以回答问题了。
方法1:如果SSL证书没有错误,则进行连接。
client.ValidateCertificate += new FtpSslValidation(delegate (FtpClient c, FtpSslValidationEventArgs e) {
if (e.PolicyErrors != System.Net.Security.SslPolicyErrors.None){
e.Accept = false;
}else{
e.Accept = true;
}
});
方法2:如果证书与列入白名单的证书匹配,则进行连接。
首先,您必须发现有效证书的字符串。使用以下代码将有效的证书字符串保存到文件中:
client.ValidateCertificate += new FtpSslValidation(delegate (FtpClient c, FtpSslValidationEventArgs e) {
File.WriteAllText(@"C:\cert.txt", e.Certificate.GetRawCertDataString());
});
然后最后使用此代码检查收到的证书是否与您信任的证书匹配:
string ValidCert = "<insert contents of cert.txt>";
client.ValidateCertificate += new FtpSslValidation(delegate (FtpClient c, FtpSslValidationEventArgs e) {
if (e.PolicyErrors == SslPolicyErrors.None || e.Certificate.GetRawCertDataString() == ValidCert) {
e.Accept = true;
}else{
throw new Exception("Invalid certificate : " + e.PolicyErrors);
}
});