如何在 .NET SslStream 中为客户端身份验证指定接受的证书

发布于 2024-07-05 03:42:43 字数 577 浏览 11 评论 0原文

我正在尝试使用 .Net System.Security.SslStream 类来处理具有客户端身份验证的 SSL/TLS 流的服务器端。

为了执行握手,我使用以下代码:

SslStream sslStream = new SslStream(innerStream, false, RemoteCertificateValidation, LocalCertificateSelectionCallback);
sslStream.AuthenticateAsServer(serverCertificate, true, SslProtocols.Default, false);

不幸的是,这会导致 SslStream 传输包含我的 CryptoAPI 受信任根存储中所有证书的主题名的 CertificateRequest。

我希望能够覆盖这个。 对于我来说,要求用户从受信任的根存储中安装或删除证书不是一个选择。

看起来 SslStream 在底层使用了 SSPI/SecureChannel,所以如果有人知道如何使用该 API 执行相同的操作,那也会很有帮助。

有任何想法吗?

I am attempting to use the .Net System.Security.SslStream class to process the server side of a SSL/TLS stream with client authentication.

To perform the handshake, I am using this code:

SslStream sslStream = new SslStream(innerStream, false, RemoteCertificateValidation, LocalCertificateSelectionCallback);
sslStream.AuthenticateAsServer(serverCertificate, true, SslProtocols.Default, false);

Unfortunately, this results in the SslStream transmitting a CertificateRequest containing the subjectnames of all certificates in my CryptoAPI Trusted Root Store.

I would like to be able to override this. It is not an option for me to require the user to install or remove certificates from the Trusted Root Store.

It looks like the SslStream uses SSPI/SecureChannel underneath, so if anyone knows how to do the equivalent with that API, that would be helpful, too.

Any ideas?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

雪化雨蝶 2024-07-12 03:42:43

目前看来使用 .NET 库不可能做到这一点。

我通过使用 System.Security.SslStream 的 Mono 类库实现解决了这个问题,它可以更好地访问在握手期间覆盖服务器的行为。

It does not look like this is currently possible using the .NET libraries.

I solved it by using the Mono class library implementation of System.Security.SslStream, which gives better access to overriding the servers behavior during the handshake.

痕至 2024-07-12 03:42:43

证书验证所做的是验证链中的所有证书。 为了真正做到这一点,它只需联系每个证书的根存储。

如果这不是您想要发生的事情,您可以在本地部署您自己的根存储。

What the certificate validation is doing is validating all certificates in the chain. In order to truely do that it just contact the root store of each of those cerficates.

If that's not something you want to happen you can deploy your own root store locally.

口干舌燥 2024-07-12 03:42:43

这不是我想改变的验证部分。 问题是在初始握手中,服务器发送消息通知客户端需要进行客户端身份验证(即CertificateRequest 消息)。 作为此消息的一部分,服务器发送它将接受作为客户端证书颁发者的 CA 的名称。 默认情况下,该列表包含存储中的所有受信任根。

但是,如果可以覆盖单个应用程序的证书根存储,则可能会解决问题。 你是这个意思吗? 如果是这样,我该怎么做?

It is not the validation part I want to change. The problem is in the initial handshake, the server transmits the message informing the client that client authentication is required (that is the CertificateRequest message). As part of this message, the server sends the names of CAs that it will accept as issuers of the client certificate. It is that list which per default contains all the Trusted Roots in the store.

But if is possible to override the certificate root store for a single application, that would probably fix the problem. Is that what you mean? And if so, how do I do that?

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文