如何在 .NET SslStream 中为客户端身份验证指定接受的证书
我正在尝试使用 .Net System.Security.SslStream 类来处理具有客户端身份验证的 SSL/TLS 流的服务器端。
为了执行握手,我使用以下代码:
SslStream sslStream = new SslStream(innerStream, false, RemoteCertificateValidation, LocalCertificateSelectionCallback);
sslStream.AuthenticateAsServer(serverCertificate, true, SslProtocols.Default, false);
不幸的是,这会导致 SslStream 传输包含我的 CryptoAPI 受信任根存储中所有证书的主题名的 CertificateRequest。
我希望能够覆盖这个。 对于我来说,要求用户从受信任的根存储中安装或删除证书不是一个选择。
看起来 SslStream 在底层使用了 SSPI/SecureChannel,所以如果有人知道如何使用该 API 执行相同的操作,那也会很有帮助。
有任何想法吗?
I am attempting to use the .Net System.Security.SslStream class to process the server side of a SSL/TLS stream with client authentication.
To perform the handshake, I am using this code:
SslStream sslStream = new SslStream(innerStream, false, RemoteCertificateValidation, LocalCertificateSelectionCallback);
sslStream.AuthenticateAsServer(serverCertificate, true, SslProtocols.Default, false);
Unfortunately, this results in the SslStream transmitting a CertificateRequest containing the subjectnames of all certificates in my CryptoAPI Trusted Root Store.
I would like to be able to override this. It is not an option for me to require the user to install or remove certificates from the Trusted Root Store.
It looks like the SslStream uses SSPI/SecureChannel underneath, so if anyone knows how to do the equivalent with that API, that would be helpful, too.
Any ideas?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
目前看来使用 .NET 库不可能做到这一点。
我通过使用 System.Security.SslStream 的 Mono 类库实现解决了这个问题,它可以更好地访问在握手期间覆盖服务器的行为。
It does not look like this is currently possible using the .NET libraries.
I solved it by using the Mono class library implementation of System.Security.SslStream, which gives better access to overriding the servers behavior during the handshake.
证书验证所做的是验证链中的所有证书。 为了真正做到这一点,它只需联系每个证书的根存储。
如果这不是您想要发生的事情,您可以在本地部署您自己的根存储。
What the certificate validation is doing is validating all certificates in the chain. In order to truely do that it just contact the root store of each of those cerficates.
If that's not something you want to happen you can deploy your own root store locally.
这不是我想改变的验证部分。 问题是在初始握手中,服务器发送消息通知客户端需要进行客户端身份验证(即CertificateRequest 消息)。 作为此消息的一部分,服务器发送它将接受作为客户端证书颁发者的 CA 的名称。 默认情况下,该列表包含存储中的所有受信任根。
但是,如果可以覆盖单个应用程序的证书根存储,则可能会解决问题。 你是这个意思吗? 如果是这样,我该怎么做?
It is not the validation part I want to change. The problem is in the initial handshake, the server transmits the message informing the client that client authentication is required (that is the CertificateRequest message). As part of this message, the server sends the names of CAs that it will accept as issuers of the client certificate. It is that list which per default contains all the Trusted Roots in the store.
But if is possible to override the certificate root store for a single application, that would probably fix the problem. Is that what you mean? And if so, how do I do that?