我尝试将文件上传到我的域https://vault.veodin.com/,该域位于webfaction.com
当您打开此网址时,浏览器会警告您名称不匹配,因为SSL证书是针对webfaction.com而不是针对veodin.com发出的
因此,当我尝试使用.Net WebClient将文件上传到此域时,会出现sslPolicyError System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch。
出于我的目的,足以确保上传目标托管在* .webfaction.com。
信任certificate.subject是否安全?
背景:
更新 我使用自定义CertificateValidationCallback来验证证书主题和证书颁发者是否符合我的预期。
ServicePointManager.ServerCertificateValidationCallback =
MyCertificatePolicy.CertificateValidationCallBack;
...
public class MyCertificatePolicy
{
public static bool CertificateValidationCallBack(
object sender,
System.Security.Cryptography.X509Certificates.X509Certificate certificate,
System.Security.Cryptography.X509Certificates.X509Chain chain,
System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
// If the certificate is a valid, signed certificate, return true.
if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
{
return true;
}
//if there is a RemoteCertificateNameMismatch, but the Name is webfaction.com
//then we can trust the certificate despite the name error
else if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch
&& certificate.Subject == "CN=*.webfaction.com, OU=WebFaction, O=Swarma Limited, L=London, S=England, C=GB"
&& certificate.Issuer == "CN=DigiCert Global CA, OU=www.digicert.com, O=DigiCert Inc, C=US")
{
return true;
}
else
{
// In all other cases, return false.
return false;
}
}
}