堆栈内存溢出
  简体   繁体   English

无法使用自签名客户端证书来验证对ASP.NET MVC3服务的调用

[英]Cannot authenticate a call to ASP.NET MVC3 service with a self-signed client certificate

 原文  2016-10-14 08:37:29       c#/ asp.net-mvc-3/ ssl/ iis/ certificate

问题描述

I have an ASP.NET MVC3 service running in IIS 7.5 with .NET Framework 4.5 where I want to secure access to one of the subpaths with a client certificate. 我有一个在.NET Framework 4.5的IIS 7.5中运行的ASP.NET MVC3服务,在该服务中,我想使用客户端证书保护对子路径之一的访问。 For that subpath I crafted a controller with is labeled with a specially crafted attribute which would access the request client certificate 对于该子路径,我设计了一个带有特制属性的控制器,该属性将访问请求客户端证书 

public class CheckCertAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(
        ActionExecutingContext filterContext)
    {
        filterContext.HttpContext.Response.Headers.Add(
            "CheckCertAttribute", "entered");
        var cert = filterContext.HttpContext.Request.ClientCertificate;
        // check the cert here, optionally return HTTP 403
    }
}

Initially OnActionExecuting() is being invoked but Certificate is null. 最初, OnActionExecuting()被调用,但是Certificate为null。 Turns out I need to enable SslNegotiateCert in web.config: 原来我需要在web.config中启用SslNegotiateCert 

<location path="PathOfInterest">
<system.webServer>
  <security>
    <access sslFlags="SslNegotiateCert"/>
  </security>
</system.webServer>
</location>

Once I do this the client always receives HTTP 403 and the attribute is no longer invoked. 一旦执行此操作,客户端将始终接收HTTP 403,并且不再调用该属性。

The client certificate is self-signed and exported as .pfx (with a private key) so I guess the problem is that once it arrives on the server side the server doesn't like it and refuses to accept it and pass through. 客户端证书是自签名的,并导出为.pfx(带有私钥),因此我想问题是,一旦它到达服务器端,服务器就不喜欢它并拒绝接受并通过。 The client side uses HttpWebRequest : 客户端使用HttpWebRequest 

var cert = new X509Certificate2(pathToPfx, password);
var request = (HttpWebRequest)WebRequest.Create("https://my.company.com/PathOfInterest");
request.ClientCertificates.Add(cert);
request.GetResponse();

I've already used this approach earlier and it worked. 我之前已经使用过这种方法,并且有效。 The first case was when the client certificate was not self-signed but was signed by an intermediate certificate which in turn was signed by some trusted root authority - in this case my service configured very similarly would receive it just fine. 第一种情况是客户端证书不是自签名的,而是由中间证书签名的,而中间证书又由某些受信任的根颁发机构签名-在这种情况下,我的服务配置非常相似,就可以收到它。 The second case was using a self-signed client certificate to make Azure Management Service calls but in this case I have no idea how the server side is configured. 第二种情况是使用自签名客户端证书进行Azure管理服务调用,但是在这种情况下,我不知道如何配置服务器端。

I therefore came to conclusion that it's a self-signed nature of the certificate which makes it "not working". 因此,我得出的结论是,它是证书的自签名性质,因此使其“无法正常工作”。 I have so do something extra - perhaps add something into web.config or add the certificate into some certificate store on the server side. 我需要做一些额外的事情-也许将一些内容添加到web.config或将证书添加到服务器端的某些证书​​存储中。 I just have no idea what this should be. 我只是不知道这应该是什么。

How do I make this setup work? 如何使该设置起作用?

1 个解决方案

解决方案1
 0 已采纳  2016-10-24 10:50:41

IIS tries to "negotiate" a mutually trusted connection with the client and because the client certificate is self-signed it refuses to trust it. IIS尝试与客户端“协商”相互信任的连接,并且由于客户端证书是自签名的,因此它拒绝信任它。

Your options: 您的选择:

  1. Use a certificate issued by a well known certificate authority. 使用由知名证书颁发机构颁发的证书。 This would work but you'll have to reissue the certificate every year or so. 这会起作用,但是您每年必须大约重新颁发证书。
  2. Run your own CA infrastructure, add its root CA certificate into "trusted root" certificate store of the service machines and issue certificate signed with that root (likely via intermediate certificates). 运行您自己的CA基础结构,将其根CA证书添加到服务机的“受信任的根”证书存储中,并颁发使用该根签名的证书(可能通过中间证书)。
  3. Add the self-signed certificate into "trusted root" of the service machines. 将自签名证书添加到服务机的“受信任的根”中。 This may induce subtle yet serious security risks . 这可能会引发细微但严重的安全风险 I personally am against this option because it feels really unsafe. 我个人反对此选项,因为它确实很不安全。
  4. Switch to some other authentication scheme which doesn't use client certificates. 切换到其他不使用客户端证书的身份验证方案。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何使用自签名客户端证书修复 asp.net core 3.1 中的 RevocationStatusUnknown - How to fix RevocationStatusUnknown in asp.net core 3.1 with self-signed client certificate 安全错误,在Azure(Asp.net核心)上发布带有客户端证书(自签名根)的邮件 - Security Error, post with Client Certificate (Self-signed Root) on Azure (Asp.net core) OnCertificateValidated 未运行 - 自签名证书客户端身份验证 - ASP.NET Core 和 Kestrel - OnCertificateValidated not running - Self-Signed Certificate Client Authentication - ASP.NET Core and Kestrel Self Hosted Asp Net Core Web 服务器,使用自签名证书进行客户端身份验证 - Self Hosted Asp Net Core Web server, client authentication with self-signed certificates 嵌入在.NET WinForms应用程序中的Flash Player无法加载具有自签名证书的HTTPS内容 - Flash Player embedded in .NET WinForms app cannot load HTTPS content with self-signed certificate Firefox 中的 ASP.NET Core 自签名证书不起作用 - ASP.NET Core Self Signed Certificate in Firefox not working 客户证书 - 我应该使用自签名还是 CA 颁发? - Client certificate - shall I use self-signed or CA issued? SSL自签名证书 - SSL Self-Signed Certificate 专用服务器/客户端的自签名证书安全性 - Self-signed certificate security for private server/client 如何以编程方式为 WCF 服务创建自签名证书? - How to create self-signed certificate programmatically for WCF service?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM