[英]Using Trusted Root Certification Authorities for server certificate validation in HttpClient
I have created a self-signed certificate using 我使用创建了自签名证书
openssl req -x509 -newkey rsa:2048 -keyout https-key.pem -out https.pem -days 365
then I created pkcs12 using (I have set the CN to my server's ip adress): 然后我创建了pkcs12使用(我已将CN设置为我服务器的ip地址):
openssl pkcs12 -export -out https.pfx -inkey https-key.pem -in https.pem -password pass:123456
In my server a use the generated https.pfx
file for https. 在我的服务器中,使用生成的
https.pfx
文件进行https。
In my client I imported the generated certificate into the Windows' Trusted Root Certification Authorities
(Current user and also local system). 在我的客户端中,我将生成的证书导入Windows的“
Trusted Root Certification Authorities
(当前用户和本地系统)。
When I send a HTTP request to the server from my client, I get 当我从客户端向服务器发送HTTP请求时,我得到了
System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.WinHttpException: A security error occurred
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Threading.Tasks.RendezvousAwaitable`1.GetResult()
at System.Net.Http.WinHttpHandler.<StartRequest>d__105.MoveNext()
--- End of inner exception stack trace ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
at System.Net.Http.HttpClient.<FinishSendAsyncBuffered>d__58.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task).
In chrome it says: 在chrome中它说:
Attackers might be trying to steal your information from *** (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID
Does .NET Core 2.0's HttpClient
use Windows certificate stores? .NET Core 2.0的
HttpClient
是否使用Windows证书存储? What could be causing the issue. 可能导致这个问题的原因。
I would suggest you create a small test application that you can use as a client to test the TLS configuration of the server. 我建议您创建一个小测试应用程序,您可以将其用作客户端来测试服务器的TLS配置。
You can use the SslStream class in .NET to connect to a TLS endpoint and perform the negotiation. 您可以使用.NET中的SslStream类连接到TLS端点并执行协商。 It can return a much more understandable error message than the random HRESULT codes and unhelpful error messages that come out of SChannel.
它可以返回比随机HRESULT代码更容易理解的错误消息以及来自SChannel的无用错误消息。
The test tool can be nothing more than a WinForms app that contains the following code: 测试工具只不过是一个包含以下代码的WinForms应用程序:
public static void q48873455()
{
const string hostname = "localhost";
var tcpClient = new TcpClient();
tcpClient.Connect(hostname, 443);
var tcpStream = tcpClient.GetStream();
using (var sslStream = new SslStream(tcpStream, false, ValidateServerCertificate))
{
sslStream.AuthenticateAsClient(hostname);
}
}
static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
return true;
Console.WriteLine("Certificate error: {0}", sslPolicyErrors);
return false;
}
This code established a raw TCP connection to port 443, then uses SslStream
to perform a TLS negotiation. 此代码建立到端口443的原始TCP连接,然后使用
SslStream
执行TLS协商。 During that negotiation, the server will send its certificate, and SslStream
will call the ValidateServerCertificate()
method, passing the certificate
that it received, and providing a value for SslPolicyErrors
which indicates what SChannel thought of the certificate. 在该协商期间,服务器将发送其证书,并且
SslStream
将调用ValidateServerCertificate()
方法,传递它收到的certificate
,并为SslPolicyErrors
提供一个值,该值指示SChannel对证书的看法。
The SslPolicyErrors
value is one of the values listed on MSDN which indicate why (if at all) SChannel thinks the certificate is not trusted. SslPolicyErrors
值是MSDN上列出的值之一,表示SChannel认为证书不可信的原因(如果有的话)。
I tend to find that having a tool such as this around is very helpful when trying to work out why a given certificate is not trusted. 我倾向于发现,在尝试找出给定证书不可信的原因时,拥有这样的工具非常有用。
Hope this helps 希望这可以帮助
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.