SslStream.AuthenticateAsServer certificate chain
Is it possible to connect to a client as a server with a certificate chain?
clientStream.AuthenticateAsServerAsync(certificate, false, System.Security.Authentication.SslProtocols.Tls, false).Wait();
I'm just trying to connect to a client with a self-signed certificate chain, and have had no luck. The AuthenticateAsServer method of an SslStream instance takes only one certificate as an argument. But the browser asks for the additional root certificate. Do you have any ideas or code samples on how to do it?
The chain doesn't send the root, because either A) You already have it, so it's redundant to your root store; or B) You don't, in which case you won't trust it, so why bother?
RFC 5246, section 7.4.2:
certificate_list: This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.
The SslStream class will send the server identity certificate followed by any intermediates it knows about, but not the root (unless, of course, the server identity certificate is self-signed).
Normally untrusted roots can be looked up via the Authority Information Access record they write into their child/intermediate CAs. If you don't have AIA or the endpoints are unreachable you'll have to transfer the root to the client machine via a different mechanism.
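As an added example (not code from the question or the answer above), the following .NET 5+ code hands the intermediates to SslStream explicitly through SslStreamCertificateContext, so the server sends the leaf followed by the intermediates and omits the root as the RFC allows, and first checks that the bundle really chains to the intended root. The file names, the PFX password and the assumption that the root is distributed to clients separately are all assumptions.

```csharp
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class ChainedTlsServer
{
    // Assumed files: server.pfx (leaf + private key), intermediate.crt (issuing CA),
    // root.crt (the self-signed root, which clients must already trust).
    static readonly X509Certificate2 Leaf = new("server.pfx", "pfx-password-assumed");
    static readonly X509Certificate2 Root = new("root.crt");
    static readonly X509Certificate2Collection Intermediates = LoadIntermediates();

    static X509Certificate2Collection LoadIntermediates()
    {
        var c = new X509Certificate2Collection();
        c.Import("intermediate.crt");
        return c;
    }

    // Defensive check: verify leaf -> intermediates -> root before serving anything,
    // using only the root we intend to ship rather than the machine's trust store.
    static bool BundleChainsToRoot()
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(Root);
        chain.ChainPolicy.ExtraStore.AddRange(Intermediates);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // offline test
        return chain.Build(Leaf);
    }

    static async Task ServeOneClientAsync(TcpClient client)
    {
        if (!BundleChainsToRoot())
            throw new InvalidOperationException("leaf does not chain to the expected root");

        // offline: true stops the context builder from fetching via AIA; the
        // intermediates we pass are what will be sent after the leaf.
        var ctx = SslStreamCertificateContext.Create(Leaf, Intermediates, offline: true);
        var options = new SslServerAuthenticationOptions
        {
            ServerCertificateContext = ctx,
            EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,
            ClientCertificateRequired = false,
        };

        using var ssl = new SslStream(client.GetStream(), leaveInnerStreamOpen: false);
        await ssl.AuthenticateAsServerAsync(options, CancellationToken.None);
        // application data now flows over ssl
    }
}
```

The browser still has to trust root.crt on its own (installed by policy, an enterprise CA, or an AIA fetch), since nothing in the handshake can make an unknown root trusted.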