How safe is my custom SSL validation logic that handles the RemoteCertificateNameMismatch error?
I try to upload a file to my domain https://vault.veodin.com/, which is hosted at webfaction.com.
When you open this URL, the browser warns you about the name mismatch, because the SSL certificate is issued for webfaction.com and not for veodin.com.
Accordingly, an sslPolicyError System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch occurs when I try to upload a file to this domain using the .Net WebClient.
For my purpose it's enough to be sure that the upload target is hosted at *.webfaction.com.
Is it safe to trust certificate.Subject for that?
Background:
Update:
I've used a custom CertificateValidationCallback to verify the certificate subject and the certificate issuer to be exactly what I expect.
    ServicePointManager.ServerCertificateValidationCallback =
        MyCertificatePolicy.CertificateValidationCallBack;
    ...
    public class MyCertificatePolicy
    {
        public static bool CertificateValidationCallBack(
            object sender,
            System.Security.Cryptography.X509Certificates.X509Certificate certificate,
            System.Security.Cryptography.X509Certificates.X509Chain chain,
            System.Net.Security.SslPolicyErrors sslPolicyErrors)
        {
            // If the certificate is a valid, signed certificate, return true.
            if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
            {
                return true;
            }
            // If there is a RemoteCertificateNameMismatch, but the name is webfaction.com,
            // then we can trust the certificate despite the name error.
            else if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch
                && certificate.Subject == "CN=*.webfaction.com, OU=WebFaction, O=Swarma Limited, L=London, S=England, C=GB"
                && certificate.Issuer == "CN=DigiCert Global CA, OU=www.digicert.com, O=DigiCert Inc, C=US")
            {
                return true;
            }
            else
            {
                // In all other cases, return false.
                return false;
            }
        }
    }
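The callback above already does the important thing: it tolerates only RemoteCertificateNameMismatch, so any chain problem (untrusted root, expired or revoked certificate) still fails because sslPolicyErrors would then carry additional flags. Its weak point is identifying the certificate by comparing two distinguished-name strings, whose textual rendering can differ between .NET versions and which silently stop matching when the host's certificate is renewed with a slightly different DN. The following is an added example, not the poster's code, of the same policy with the certificate pinned by thumbprint and the host name read from the certificate instead; the names PinnedCertificatePolicy, Validate, ExpectedThumbprint (a placeholder value, to be replaced with the real certificate's thumbprint) and ExpectedDnsName are assumptions of this example.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: a tighter version of the poster's callback. It still
// tolerates only a name mismatch, but pins the leaf certificate by its
// SHA-1 thumbprint rather than by comparing Subject/Issuer strings.
public static class PinnedCertificatePolicy
{
    // Placeholder (assumption): replace with the thumbprint of the real
    // *.webfaction.com certificate, read from a trusted client's certificate viewer.
    private const string ExpectedThumbprint = "0000000000000000000000000000000000000000";

    // DNS name the pinned certificate is expected to carry.
    private const string ExpectedDnsName = "*.webfaction.com";

    public static bool Validate(
        object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        // Nothing wrong: accept, exactly as the framework would.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // Only a bare name mismatch is tolerated. Any chain error (untrusted root,
        // expired, revoked) or a missing certificate is rejected, because those
        // set additional flags and the equality test below then fails.
        if (sslPolicyErrors != SslPolicyErrors.RemoteCertificateNameMismatch)
            return false;

        if (certificate == null)
            return false;

        // Belt and braces: the chain must have built cleanly, even though the
        // policy-error check above already implies it.
        if (chain == null || chain.ChainStatus.Length != 0)
            return false;

        var cert2 = certificate as X509Certificate2 ?? new X509Certificate2(certificate);

        // Pin the leaf certificate by thumbprint; this identifies one specific
        // certificate instead of a DN string that may be rendered differently.
        if (!string.Equals(cert2.Thumbprint, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase))
            return false;

        // Confirm the certificate really names the expected host, without
        // hardcoding the whole distinguished name.
        return string.Equals(
            cert2.GetNameInfo(X509NameType.DnsName, false),
            ExpectedDnsName,
            StringComparison.OrdinalIgnoreCase);
    }
}

// Usage: install the callback before the first request is made.
// ServicePointManager.ServerCertificateValidationCallback = PinnedCertificatePolicy.Validate;
```

A thumbprint pin has to be refreshed whenever the host renews its certificate, so uploads will start failing closed on renewal day; that is the intended trade-off, and it is a much better failure mode than a string comparison that someone later loosens to make the mismatch go away.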