.Net 编程：在 SSL 自签名证书上验证什么

发布于 2024-07-29 04:18:41 字数 239 浏览 8 评论 0原文

我无法让用户为其服务器创建真正的证书，但我想进行一些安全检查。因此，以下内容太简单了，因为在我阅读时，没有对证书进行检查。

ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

您建议我让客户检查 x509 证书什么？鉴于我使用的是 .NET 语言（c#/f#）。

原文

I cannot get the users to create real certs for their servers but I'd like to do some security checks. So the following is too light because, as I read it, there is no checking on the certs.

ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

What do you recommend that I have the clients check on the x509 cert? Given that I'm using a .NET language (c#/f#).

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

若无相欠,怎会相见 2024-08-05 04:18:41

如果您使用自签名证书，那么您应该预期的唯一错误是根（证书颁发者）上的链错误。我建议像这样专门捕获该链错误并让所有其他错误落空。

ServicePointManager.ServerCertificateValidationCallback += new RemoteCertificateValidationCallback(
    ValidateRemoteCertificate
);

private static bool ValidateRemoteCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors policyErrors )
{
    string trustedIssuer = "CN=www.domain.com";
    string trustedDomain = "CN=www.domain.com";
    bool policyErr = false;

    switch (policyErrors)
    {
        case SslPolicyErrors.None:
            policyErr |= false;
            break;
        case SslPolicyErrors.RemoteCertificateChainErrors:
            bool chainErr = false;
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                switch (status.Status)
                {
                    case X509ChainStatusFlags.NoError:
                        chainErr |= false;
                        break;
                    case X509ChainStatusFlags.UntrustedRoot:
                        if (certificate.Subject != trustedDomain || certificate.Issuer != trustedIssuer)
                            chainErr |= true;
                        else
                            chainErr |= false;
                        break;
                    default:
                        chainErr |= true;
                        break;
                }                    
            }
            policyErr |= chainErr;
            break;
        default:
            policyErr |= true;
            break;
    }

    return !policyErr;
}

If you're using self signed certs then the only errors you should expect is a chain error on the root (Cert. Issuer). I would suggest something like this that traps for that chain error specifically and lets all other errors fall through.

ServicePointManager.ServerCertificateValidationCallback += new RemoteCertificateValidationCallback(
    ValidateRemoteCertificate
);

private static bool ValidateRemoteCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors policyErrors )
{
    string trustedIssuer = "CN=www.domain.com";
    string trustedDomain = "CN=www.domain.com";
    bool policyErr = false;

    switch (policyErrors)
    {
        case SslPolicyErrors.None:
            policyErr |= false;
            break;
        case SslPolicyErrors.RemoteCertificateChainErrors:
            bool chainErr = false;
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                switch (status.Status)
                {
                    case X509ChainStatusFlags.NoError:
                        chainErr |= false;
                        break;
                    case X509ChainStatusFlags.UntrustedRoot:
                        if (certificate.Subject != trustedDomain || certificate.Issuer != trustedIssuer)
                            chainErr |= true;
                        else
                            chainErr |= false;
                        break;
                    default:
                        chainErr |= true;
                        break;
                }                    
            }
            policyErr |= chainErr;
            break;
        default:
            policyErr |= true;
            break;
    }

    return !policyErr;
}

回复收藏 0 原文

眼泪也成诗 2024-08-05 04:18:41

如果您无法让客户端创建真正的证书，您至少应该尝试让他们使用您的服务器创建证书。然后您可以检查证书是否有效或至少来自您的 CA，因为您会知道您的 CA 是否已被泄露。如果您信任任何或所有 CA，那么实际上没有什么值得检查的。

回复收藏 0 原文

遮了一弯 2024-08-05 04:18:41

如果您可以检查证书，您可以将自己的验证逻辑放入 ValidateRemoteCertificate 函数中

System.Net.ServicePointManager.ServerCertificateValidationCallback += (a, b, c, d) =>
{
     return ValidateRemoteCertificate(a, b, c, d);
};

private static bool ValidateRemoteCertificate(object sender, X509Certificate certificate,
            X509Chain chain, SslPolicyErrors policyErrors)
{
            if (certificate.Subject.Equals("CN=www.domain.com"))
                return true;
            else
               return policyErrors == SslPolicyErrors.None; 

}

if you can check certs you could put your own validation logic in the function ValidateRemoteCertificate

System.Net.ServicePointManager.ServerCertificateValidationCallback += (a, b, c, d) =>
{
     return ValidateRemoteCertificate(a, b, c, d);
};

private static bool ValidateRemoteCertificate(object sender, X509Certificate certificate,
            X509Chain chain, SslPolicyErrors policyErrors)
{
            if (certificate.Subject.Equals("CN=www.domain.com"))
                return true;
            else
               return policyErrors == SslPolicyErrors.None; 

}

回复收藏 0 原文

~没有更多了~