无法创建SSL / TLS安全通道-HttpWebRequest
[英]Could not create SSL/TLS secure channel - HttpWebRequest
问题描述
I am trying to make a connection to my kubernetes api and cant seem to get SSL to work from C#. 
我试图建立与我的kubernetes api的连接,但似乎无法从C#使SSL正常工作。
When i run the following via curl, everything seems to work as expected: 当我通过curl运行以下命令时,一切似乎都按预期工作:
And I have this for c# to do the same: 我有这样的C#做同样的事情:
try
{
// use the TLS protocol
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
// create HTTP web request with proper content type
HttpWebRequest request = WebRequest.Create(Constants.K8_API_RC_URI) as HttpWebRequest;
request.ContentType = "application/json;charset=UTF8";
request.Headers.Add(HttpRequestHeader.Authorization, "Bearer " + Constants.K8_TOKEN);
// load the X.509 certificate and add to the web request
X509Certificate cert = new X509Certificate(Constants.K8_CRT);
request.ClientCertificates.Add(cert);
// call the web service and get response
WebResponse response = request.GetResponse();
Stream responseStream = response.GetResponseStream();
string jsonContents = new StreamReader(responseStream).ReadToEnd();
}
catch (Exception exc)
{
// log and print out error
log.Info(exc.Message);
}
Where 哪里
Constants.K8_CRT is the Path to ca.crt
and ca.crt contains the following: 并且ca.crt包含以下内容:
-----BEGIN CERTIFICATE-----
MIIDMDCCAhigAwIBAgIIcwd9rrnaPcowDQYJKoZIhvcNAQELBQAwEzERMA8GA1UEAwwIYWNzazhz
and more letters.......
cwSfuIp7e49KC3HSqcU3Mz4oFNm5bw==
-----END CERTIFICATE-----
I get the following error: 我收到以下错误:
Could not create SSL/TLS secure channel.
PS I know there are Kubernetes clients for .Net out there and I have tried just about all of them but since I am integrating this with Azure Functions most of the third party libraries do not work for various reasons. PS我知道那里有.Net的Kubernetes客户端,我已经尝试了所有的客户端,但是由于我将其与Azure Functions集成在一起,因此大多数第三方库由于各种原因而无法工作。
2 个解决方案
解决方案1
1 已采纳 2018-01-09 16:32:26
The CA cert should be used to validate server cert chain, not passed as an ClientCertificate. CA证书应用于验证服务器证书链,而不应作为ClientCertificate传递。
Here is an example. 这是一个例子。
ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, errors) => {
if (errors == SslPolicyErrors.None) return true;
X509Certificate2 serverCert = new X509Certificate2(certificate);
X509Certificate2 caCert = new X509Certificate2(@"./ca.cert");
chain.ChainPolicy.ExtraStore.Add(caCert);
chain.Build(serverCert);
foreach (var chainStatus in chain.ChainStatus) {
if (chainStatus.Status == X509ChainStatusFlags.UntrustedRoot) continue;
if (chainStatus.Status != X509ChainStatusFlags.NoError) return false;
}
return true;
};
HttpWebRequest request = WebRequest.CreateHttp("https://master:6443/api/v1");
request.Headers[HttpRequestHeader.Authorization] = "Bearer " + "SOME_TOKEN";
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
var content = new StreamReader(response.GetResponseStream()).ReadToEnd();
Console.WriteLine(content);
解决方案2
0 2018-01-09 16:26:48
Thanks for @Jimi's comments i was able to get this to work with adding the following: 感谢@Jimi的评论,我能够通过添加以下内容使它起作用:
System.Net.ServicePointManager.ServerCertificateValidationCallback +=
delegate(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate,
System.Security.Cryptography.X509Certificates.X509Chain chain,
System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
return true; // **** Always accept
};
NOTE: Im certain this just ignores the SSL validation and continues without it. 注意:我确定这只是忽略SSL验证,并且继续不进行SSL验证。 In our case this may be acceptable. 就我们而言,这是可以接受的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.