问题描述
我正在尝试连接到使用自签名 SSL 证书的 API.我这样做是使用 .NET 的 HttpWebRequest 和 HttpWebResponse 对象.我得到了一个例外:
I'm trying to connect to an API that uses a self-signed SSL certificate. I'm doing so using .NET's HttpWebRequest and HttpWebResponse objects. And I'm getting an exception that:
底层连接已关闭:无法为 SSL/TLS 安全通道建立信任关系.
我明白这意味着什么.而且我理解为什么 .NET 认为它应该警告我并关闭连接.但在这种情况下,我无论如何都想连接到 API,该死的中间人攻击.
I understand what this means. And I understand why .NET feels it should warn me and close the connection. But in this case, I'd like to just connect to the API anyway, man-in-the-middle attacks be damned.
那么,我该如何为这个自签名证书添加一个例外呢?或者是告诉 HttpWebRequest/Response 根本不验证证书的方法?我该怎么做?
So, how do I go about adding an exception for this self-signed certificate? Or is the approach to tell HttpWebRequest/Response not to validate the certificate at all? How would I do that?
推荐答案
@Domster:可行,但您可能希望通过检查证书哈希是否符合您的预期来加强安全性.所以扩展版本看起来有点像这样(基于我们正在使用的一些实时代码):
@Domster: that works, but you might want to enforce a bit of security by checking if the certificate hash matches what you expect. So an expanded version looks a bit like this (based on some live code we're using):
static readonly byte[] apiCertHash = { 0xZZ, 0xYY, ....};
/// <summary>
/// Somewhere in your application's startup/init sequence...
/// </summary>
void InitPhase()
{
// Override automatic validation of SSL server certificates.
ServicePointManager.ServerCertificateValidationCallback =
ValidateServerCertficate;
}
/// <summary>
/// Validates the SSL server certificate.
/// </summary>
/// <param name="sender">An object that contains state information for this
/// validation.</param>
/// <param name="cert">The certificate used to authenticate the remote party.</param>
/// <param name="chain">The chain of certificate authorities associated with the
/// remote certificate.</param>
/// <param name="sslPolicyErrors">One or more errors associated with the remote
/// certificate.</param>
/// <returns>Returns a boolean value that determines whether the specified
/// certificate is accepted for authentication; true to accept or false to
/// reject.</returns>
private static bool ValidateServerCertficate(
object sender,
X509Certificate cert,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
{
// Good certificate.
return true;
}
log.DebugFormat("SSL certificate error: {0}", sslPolicyErrors);
bool certMatch = false; // Assume failure
byte[] certHash = cert.GetCertHash();
if (certHash.Length == apiCertHash.Length)
{
certMatch = true; // Now assume success.
for (int idx = 0; idx < certHash.Length; idx++)
{
if (certHash[idx] != apiCertHash[idx])
{
certMatch = false; // No match
break;
}
}
}
// Return true => allow unauthenticated server,
// false => disallow unauthenticated server.
return certMatch;
}
这篇关于在 .NET 的 HttpWebRequest/Response 中使用自签名证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!