在 HTTPS 请求期间验证远程 SSL 证书
当向远程 Web 服务器发出 HTTPS 请求时,我使用 WebRequest,它与远程 Web 服务器建立安全连接。在开发过程中,我在服务器上使用自签名证书,并且 WebRequest 无法建立安全连接,因为证书无效,这是预期的行为。
我发现此代码“远程”证书检查,通过调用以下代码中的 SetCertificatePolicy() 方法激活。
public static void SetCertificatePolicy()
{
ServicePointManager.ServerCertificateValidationCallback
+= RemoteCertificateValidate;
}
/// <summary>
/// Remotes the certificate validate.
/// </summary>
private static bool RemoteCertificateValidate(
object sender, X509Certificate cert,
X509Chain chain, SslPolicyErrors error)
{
// trust any certificate!!!
System.Console.WriteLine("Warning, trust any certificate");
return true;
}
我想知道是否可以对远程 SSL 证书进行特殊检查(例如,使用上面的代码),以便我可以验证远程 Web 服务器是否使用有效的 SSL 证书,而不仅仅是任何有效的证书,而是确切的证书我想?例如,我想确保我正在与 www.someplace.com 网站交谈,证书颁发给 ACME Inc,指纹为 00:11:22:.....
对此的“最佳实践”方法是什么设想?
谢谢!
When making HTTPS request to remote web server, I use WebRequest, which establishes secure connection with remote web server. During development, I use self-signed cert on server, and WebRequest fails to establish secure connection, since cert is not valid, which is expected behavior.
I have found this code that "remotes" cert check, activated by calling SetCertificatePolicy() method in following code.
public static void SetCertificatePolicy()
{
ServicePointManager.ServerCertificateValidationCallback
+= RemoteCertificateValidate;
}
/// <summary>
/// Remotes the certificate validate.
/// </summary>
private static bool RemoteCertificateValidate(
object sender, X509Certificate cert,
X509Chain chain, SslPolicyErrors error)
{
// trust any certificate!!!
System.Console.WriteLine("Warning, trust any certificate");
return true;
}
I am wondering, if it is possible to do special checks on remote SSL cert (using above code, for instance), so that I can verify that remote web server uses valid SSL cert, and not just any valid cert, but exactly the one I want? For instance, I want to make sure that I'm talking to www.someplace.com website, cert issued to ACME Inc, with fingerprint 00:11:22:.....
What is a "best practice" approach for this scenario?
Thanks!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
如果您确实想将其确定为一个特定证书,则可以将证书数据(DER 格式)与
certificate.GetRawCertData()中的byte[]进行比较。您还可以在
RemoteCertificateValidate中的certificate参数上使用GetCertHashString()和Subject来获取您要获取的信息。后。主机名应位于证书的使用者备用名称中,或者如果没有使用者备用名称,则应位于使用者(可分辨)名称的 CN 中。考虑到 .NET 格式化主题字符串的方式,这应该是您在那里找到的第一个 CN=。如果
certificate是X509Certificate2的实例,您还将获得更多数据。然后,您将能够获取SubjectName作为X500PrincipalName以及Extensions(以检查主题备用名称扩展)。使用 BouncyCastle 等工具来解析主题名称可能会很有用。您还可能会获得有关您尝试在
发送方中联系的主机名的更多信息,具体取决于其运行时类型。If you really want to nail it down to one particular certificate, you can compare the certificate data (in DER format) to the
byte[]incertificate.GetRawCertData().You can also use
GetCertHashString()andSubjecton thecertificateparameter inRemoteCertificateValidateto get the information you're after. The hostname ought to be in the subject alternative name of the certificate or, if there isn't a subject alternative name, in the CN of the subject (distinguished) name. Considering the way .NET formats the subject string, this ought to be the first CN= you find there.You'll also get more data if
certificateis an instance ofX509Certificate2. You'll then be able to getSubjectNameas anX500PrincipalNameand also theExtensions(to check the subject alternative name extension). It might be useful to use tools such as BouncyCastle for parsing the subject name.You're also likely to get more information about the hostname you're trying to contact in the
sender, depending on its runtime type.