LAN环境的SSL证书
我制作了一个 Silverlight 3.0 应用程序,它通过 https 与 xml rpc 服务器进行通信。整个应用程序将在 LAN 环境中运行,其中服务器可以安装在不同的计算机上,客户端将安装在同一台计算机上。我正在使用根据服务器 IP 生成的自签名证书,我需要在客户端计算机上放入受信任的根证书颁发机构。但是如果我想与第二台服务器进行通信,则需要在客户端计算机上针对该特定服务器的 IP 安装另一个证书,简而言之,如果我想与 n 个不同的服务器进行通信,我需要在客户端上安装 n 个证书,这对我来说是不可能的,我怎样才能通过 LAN 环境使用单个证书来做到这一点。证书是根据服务器的IP或主机名生成的,有什么办法可以绕过SSL证书的验证吗?类似
ServicePointManager.ServerCertificateValidationCallback = MyCertHandler;
static bool MyCertHandler(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors error)
{
// Ignore errors
return true;
}
,但是上面的代码不能在Silverlight中使用?有什么帮助吗?
I have made a Silverlight 3.0 application, which communicates with an xml rpc server over https. The whole application will run in a LAN enviornment where server can be installed on different machines and client will on on same machine. I am using Self signed certificate which is generated against ip of server and I need to put in Trusted Root Certification Authorties on client machine. but if I want to communicate a second server then another certificate need to be installed on client machine against ip of that specific server, In short I need to install n certificates on client if I want to communicate n different servers, which is impossible for me, how can I do it with a single certificate over LAN enviornment. Certificates are generated against the ip or host name of server, is there any way to by pass the validation of SSL certificate? like
ServicePointManager.ServerCertificateValidationCallback = MyCertHandler;
static bool MyCertHandler(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors error)
{
// Ignore errors
return true;
}
but the above code can't be used in Silverlight? any help?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
不要使用自签名证书,如果您可以忽略身份验证,那么就没有充分的理由使用 ssl。
为了避免自签名证书:
设置个人 CA(使用 Microsoft 的 CA 非常容易)。然后从您自己的 CA 颁发服务器证书,并将 CA 的证书作为受信任的根提供给每个服务器。然后您最终会得到如下设置:
证书链:
部署:
然后,连接到这些服务器中的任何一个的客户端都可以将通用名称与其连接的地址进行匹配,将有效日期范围与其当前时间进行匹配,并为每个服务器构建一个验证“CA Cert A”的链。
(这是一个用于设置您自己的 CA 服务器的随机起始链接。)
链接文本
如果您尝试使用自签名,您最终将得到
证书链:
证书部署
Dont use a Self Signed Certificate, and if you can to ignore authentication, then there is no good reason to use ssl.
For avoiding Self Signed Certs:
Set up a personal CA (extremely easy to do with Microsoft's CA). Then issue the server certificates from your own CA and give the CA's certificate to each of the servers as the trusted root. Then you end up with a setup like:
Cert Chains:
Deployment:
Then a client connecting into any of these servers can match the common name against the address it connected to, the valid date range against its own now time, and build a chain for validation to "CA Cert A" for every server.
(here is a random starting link for setting up your own CA server.)
link text
If you try to use Selfsigned you will endup with
Cert Chains:
Cert Deployment