c#代理,为https流量生成证书?
我正在尝试使用 https 运行此代码: http ://www.codeproject.com/Articles/93301/Implementing-a-Multithreaded-HTTP-HTTPS-Debugging
它在页面底部说我需要制作一个新的带有私钥的证书,以便使用 makecert.exe 通过 https 运行它。这是作者使用的命令:
makecert.exe cert.cer -a sha1 -n "CN=matt-dot-net" -sr LocalMachine -ss My -sky 签名 -pe -len 2048
我运行了相同的命令,只是将 CN 更改为我的主机名并替换了证书。现在,当我访问 https 站点时,我在 Firefox 中收到警告(与使用 fiddler 时相同):
此连接不受信任。 我了解风险 ->添加例外
,然后我收到此错误:
该网站尝试使用无效信息来表明自己的身份。 错误站点:证书属于不同站点,这可能表明身份被盗。 证书不受信任,因为它尚未经过公认的机构验证。
然后我单击[确认安全例外],一切似乎都正常。
如何消除“站点证书错误”错误?我生成的证书不正确吗?据我在网站上的 makecert.exe 示例中的理解,不包括私钥?谢谢!
I'm trying to get this code running with https: http://www.codeproject.com/Articles/93301/Implementing-a-Multithreaded-HTTP-HTTPS-Debugging
It says on the bottom of the page that I need to make a new certificate with a private key to get this running with https using makecert.exe. This is the command author used:
makecert.exe cert.cer -a sha1 -n "CN=matt-dot-net" -sr LocalMachine -ss My -sky signature -pe -len 2048
I ran the same command, just changed CN to my hostname and replaced the certificate. Now when I access https site, I get a warning in firefox (same as when using fiddler):
This Connection is Untrusted.
I understand the risks -> add exception
and then I get this error:
The site attempts to identify itself with invalid information.
Wrong site: Certificate belongs to a different site, which could indicate an identity theft.
Certificate is not trusted, because it hasn't been verified by a recognized authority.
Then I click [Confirm Security Exception] and everything seems to work.
How do I remove the "Wrong site certificate" error? Did I generate the certificate incorrectly? as far as I understood in the makecert.exe example on the site, private key is not included? Thanks!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
首先,您可以为您的应用程序生成自签名证书(具有 CA 基本约束)(您可以让您的应用程序自动生成它),并将该证书作为受信任的 CA 导入到您的浏览器中。
然后,您可以根据请求的主机名动态生成由 CA 颁发的新证书(即使用其私钥进行签名,并使用 CA 的主题 DN 作为新证书的颁发者 DN)。此问题中有有关在 C# 中生成证书的详细信息:Is it possible to programmatically generated an X509certificate using only C#?
这证书必须遵循 HTTP over TLS 规范:
简而言之,如果请求的只是主机名,那么您应该在主题 DN 中简单地使用
CN=hostnameRDN(尽管主题替代名称会更好),但如果它是 IP地址时,您应该输入 IP addr 主题备用名称条目(尽管某些浏览器实际上会让您在 CN RDN 中使用 IP 地址)。如果您想要一个捕获 TCP 数据包的代理,而没有服务器名称指示,您实际上可能会发现很难找到所请求的实际主机名。我建议对 IP 地址进行反向 DNS 查找(您应该能够找到),并为每个反向 DNS 条目添加一个 DNS 主题替代名称条目,并为该 IP 地址添加一个 IP 主题替代名称条目。这应该涵盖大多数情况,但客户端使用 IP 地址没有反向 DNS 条目的主机名的情况除外。如果失败,您只需在浏览器中手动添加异常(这很好,因为您知道您正在拦截自己的通信)或在代理中手动设置它。
使用浏览器中配置的 HTTP 代理查找主机名会更容易,因为您不需要猜测主机名,它将被传递给
CONNECTHTTP 谓词。(当然,首先,对于特定主机,您可以使用
makecert生成证书,而不是即时生成。)Firstly, you could generate self-signed certificate (with CA basic constraints) for your application (you could have your application generate it automatically) and import that certificate into your browser as a trusted CA.
Then, you could generate a new certificate on the fly depending on the requested host name, issued by your CA (i.e. signed using its private key and with the CA's Subject DN as the new certificate's Issuer DN). There are details about generating certificates in C# in this question: Is it possible to programmatically generate an X509 certificate using only C#?
This certificate must follow the specifications of the HTTP over TLS specification:
In short, if what's requested is just a host name, you should be fine with simply a
CN=hostnameRDN in the Subject DN (although a Subject Alt Name would be better), but if it's an IP address, you should put an IP addr Subject Alternative Name entry (although some browsers will let you get away with the IP address in the CN RDN in practice).If you want a proxy that captures the TCP packets, without server name indication, you may actually find it very hard to find which actual host name is requested. I would suggest doing a reverse DNS lookup for the IP address (which you should be able to find) and putting a DNS Subject Alt Name entry for each reverse DNS entry, as well as an IP Subject Alt Name entry for the IP address. This should cover most cases, except those where the client uses a host name for which the IP address doesn't have a reverse DNS entry. Failing that, you'll just have to add the exception by hand in your browser (which is fine since you'll know that you're intercepting your own communication) or set it up by hand within your proxy.
Finding the host name is easier with an HTTP proxy configured in the browser, since you don't need to guess the host name, it will be passed to the
CONNECTHTTP verb.(Of course, to begin with, for a specific host, you can generate the certificate with
makecertrather than doing it on the fly.)我假设您的自签名证书是用于该网站的证书,并且由于它是自签名证书,因此不受信任,您需要从 VeriSign 等购买一个证书才能使该消息消失。
I would assume your self-signed certificate is the one being used for the site and because its a self signed certificate it isnt trusted, you would need to purchase one from VeriSign or the like to have the message go away.
使证书名称与您的主机名相同,即 stackoverflow.com 的“stackoverflow”。
Make the certificate name the same as your host name, i.e. "stackoverflow" for stackoverflow.com.