[英]SSLStream set trusted certificate authorities on server authentication
I am trying to authenticate clients where there is an exchange of certificates. 我正在尝试对有证书交换的客户进行身份验证。 The issue that I am having is that the openssl client rejects the connection attempt because no certificate authorities are included in the authentication handshake.
我遇到的问题是,openssl客户端拒绝连接尝试,因为身份验证握手中没有证书颁发机构。
This seems to work fine for an instance running on Windows Server 2008 R2 but in both of my dev environments (Windows 10 and Windows 7) it fails. 对于在Windows Server 2008 R2上运行的实例,这似乎工作正常,但在我的两个开发环境(Windows 10和Windows 7)中,它均失败。 I'm have looked at and tried to change a few windows settings (mostly Local Group Policy) that might be inhibiting the addition of the certificate authorities but can't get it working correctly.
我已经查看并尝试更改一些Windows设置(主要是本地组策略),这些设置可能会禁止添加证书颁发机构,但无法使其正常工作。
Is that the function of string array acceptableIssuers field of the LocalCertificateSelectionCallback? 那是LocalCertificateSelectionCallback的字符串数组的函数acceptIssuers字段吗?
I also found another stackoverflow php solution that is related but don't know how to apply it to the sslstream class. 我还找到了另一个相关的stackoverflow php解决方案 ,但不知道如何将其应用于sslstream类。
My code looks like this 我的代码看起来像这样
var _nwStream = new SslStream(client.GetStream(), true,
(sender, certificate, chain, sslPolicyErrors) =>
{
bool policyErrs = (sslPolicyErrors & (SslPolicyErrors.RemoteCertificateChainErrors | SslPolicyErrors.RemoteCertificateNotAvailable)) != 0;
if (policyErrs)
{
string message = string.Format("Remote Certificate failed for client: {0}, SSL policy errors {1}", client.Client.RemoteEndPoint, sslPolicyErrors);
return !policyErrs;
},
(sender, targetHost, localCertificates, remoteCertificate, acceptableIssuers) =>
{
acceptableIssuers = new string[] { _cert.Issuer };
return _cert;
});
_nwStream.AuthenticateAsServer(_cert, true, System.Security.Authentication.SslProtocols.Tls, true);
Any help would be greatly appreciated- Thanks! 任何帮助将不胜感激-谢谢!
Well I don't know why it didn't show up sooner. 好吧,我不知道为什么它没有更快出现。 There is a registry entry at HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL called SendTrustedIssuerList which was set to 0, changing it to 1 resolved the issue.
HKEY_LOCAL_MACHINE \\ System \\ CurrentControlSet \\ Control \\ SecurityProviders \\ SCHANNEL上有一个名为SendTrustedIssuerList的注册表项,该注册表项设置为0,将其更改为1可解决此问题。 This flag is probably by default set to 1 on Windows Server instances.
在Windows Server实例上,此标志可能默认情况下设置为1。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.