
sslStream.AuthenticateAsServer ignores RemoteCertificateValidationCallback

I'm trying to fix an existing .Net 2.0 service/application.

It's a TCP server that accepts SSL/TLS connections. Operates over port 443, as expected. It is used to respond to Yealink provisioning requests. You can pop the URL in the phone, and it will get the settings etc. (anyway, not important).

The problem is that when older phones request this service it works fine, but now, since the new versions of the phones, it does not work.

This is the code that fails:

using (SslStream sslStream = new SslStream(tcpClient.GetStream(), false, new RemoteCertificateValidationCallback(AcceptAllCertifications)))
{
    X509Certificate c = new X509Certificate2("cert.pfx", "XXXX");
    sslStream.AuthenticateAsServer(c, false, SslProtocols.Tls, false);

    // Process request etc
}

And this is the "AcceptAllCertifications":

private bool AcceptAllCertifications(object sender, X509Certificate certification, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    return true;
}

New phones cause the app to produce an error on sslStream.AuthenticateAsServer(...);

System.componentmodel.win32exception: the certificate chain was issued by an authority that is not trusted.

Is "the certificate" they mention here my certificate (the one on the server) or their certificate (the one sent from the phone)?

I have no idea (and will never have any idea) about the kind of certificate sent by the user's phone.

The certificate "cert.pfx" (my certificate) was bought from DigiCert (it's a wildcard certificate). It was exported with a password, and oh yeah, did I mention this works absolutely fine with all regular browsers and older phones... just not Yealink's new phones.

How do I just skip the entire authentication thing? I just want it to work; it's not a public system. With the new phones the "RemoteCertificateValidationCallback(AcceptAllCertifications)" is never called. I have followed this with the debugger; it's skipped out completely.

Edit: [image: certificate checker]

I just read up on intermediate certificates (my memory failed during an earlier comment above) and I think I know what the problem is: Your phone already trusts the DigiCert root certificate at the top of the trust chain, but neither your server nor your phone knows anything about the intermediate cert, which the cert utility shows. You need to install the public key of the intermediate certificate on your server, too, in addition to the server certificate for which you have the private key. Here is a helpful link that explains the function of intermediate certs in more detail: SSL Installing Intermediate Certificates

I quote:

The intermediate certificate, or certificates, completes the chain to a root certificate trusted by the browser. During SSL negotiation, the server sends the trust chain to the client to assist the client in building and verifying the trust chain.

The page also contains instructions on how to test whether the necessary intermediate certs are correctly installed on your web server.
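
One way to check the answer's diagnosis on the server itself, as an added example that is not part of the original question or answer: the program builds the chain for the PFX and reports whether each issuing certificate is actually present in the Windows certificate stores. The `ChainCheck` class name, the command-line arguments and the choice of the LocalMachine stores are assumptions.

```csharp
// Added example (not the poster's code). Usage: ChainCheck.exe <pfx> <password>
using System;
using System.Security.Cryptography.X509Certificates;

static class ChainCheck
{
    // True if a certificate with this thumbprint is in the given LocalMachine store.
    static bool InStore(StoreName name, string thumbprint)
    {
        X509Store store = new X509Store(name, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            return store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false).Count > 0;
        }
        finally { store.Close(); }
    }

    static int Main(string[] args)
    {
        if (args.Length != 2) { Console.Error.WriteLine("usage: ChainCheck <pfx> <password>"); return 2; }
        X509Certificate2 leaf = new X509Certificate2(args[0], args[1]);

        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // no CRL/OCSP lookups
        // Build() may fetch a missing issuer over the network, so a successful
        // build does not prove the intermediate is installed; check the stores too.
        Console.WriteLine("Chain builds locally: {0}", chain.Build(leaf));

        int missing = 0;
        if (chain.ChainElements.Count < 2)
        {
            Console.WriteLine("No issuer certificate found for: {0}", leaf.Issuer);
            missing++;
        }
        for (int i = 1; i < chain.ChainElements.Count; i++) // element 0 is the leaf
        {
            X509Certificate2 ca = chain.ChainElements[i].Certificate;
            bool isRoot = ca.Subject == ca.Issuer; // heuristic: self-issued means root
            bool present = InStore(isRoot ? StoreName.Root : StoreName.CertificateAuthority, ca.Thumbprint);
            if (!present) missing++;
            Console.WriteLine("[{0}] {1,-12} {2,-9} {3}", i,
                isRoot ? "root" : "intermediate", present ? "installed" : "MISSING", ca.Subject);
        }
        return missing == 0 ? 0 : 1; // non-zero exit: something in the chain is not installed
    }
}
```

An intermediate reported as MISSING matches the situation the answer describes: the server holds its own certificate and key but has no copy of the issuing certificate to hand to the client during the handshake.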
