如何使用C#中的HttpClient通过IP地址启动与服务器的可信TLS连接?
[英]How to start a trusted TLS connection with a server by IP address using HttpClient in C#?
问题描述
I'm trying to set up a TLS connection to an application running in a (local) VM using C#'s HttpClient on Windows. 
我正在尝试使用Windows上的C# HttpClient建立与(本地)VM中运行的应用程序的TLS连接。 However, it results in a RemoteCertificateNameMismatch error every time. 但是,每次都会导致RemoteCertificateNameMismatch错误。
This piece of code: 这段代码:
HttpClientHandler handler = new HttpClientHandler();
handler.ServerCertificateCustomValidationCallback = (request, cert, chain, policyErrors) =>
{
Console.WriteLine($"Policy Errors: {policyErrors}");
return policyErrors == SslPolicyErrors.None;
};
HttpClient httpClient = new HttpClient(handler)
{
BaseAddress = new Uri("https://192.168.99.100/engine-rest")
};
var result = httpClient.GetAsync("/engine").Result;
Results in this error: 结果出现此错误:
Policy Errors: RemoteCertificateNameMismatch
Unhandled Exception: System.AggregateException: One or more errors occurred. (An error occurred while sending the request.) ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.WinHttpxception: A security error occurred
at System.Net.Http.WinHttpRequestCallback.OnRequestSendingRequest(WinHttpRequestState state)
at System.Net.Http.WinHttpRequestCallback.RequestCallback(IntPtr handle, WinHttpRequestState state, UInt32 internetStatus, IntPtr statusInformation, UInt32 statusInformationLength)
However, my certificate is valid according to Google Chrome and Mozilla Firefox, but not for Internet Explorer. 但是,我的证书根据Google Chrome和Mozilla Firefox有效,但不适用于Internet Explorer。
See the screenshot taken from Chrome. 查看从Chrome获取的屏幕截图。 The certificate seems valid. 证书似乎有效。 I've created my own Certificate Authority certificate (self signed certificate), then I used that to create my server certificate. 我已经创建了自己的证书颁发机构证书(自签名证书),然后我用它来创建我的服务器证书。 I filled in the subject name. 我填写了主题名称。 As Subject Alternative Name (SAN) I've added the IP address. 作为主题备用名称(SAN),我添加了IP地址。
Is an IP address field inside the SAN field not supported in IE and HttpClient? IE和HttpClient中不支持SAN字段内的IP地址字段吗? If so, is there some other way of validating a server certificate using an IP address? 如果是这样,是否有其他方法使用IP地址验证服务器证书?
I'm using dotnet core 2.0. 我正在使用dotnet core 2.0。
1 个解决方案
解决方案1
3 已采纳 2018-03-05 15:24:21
Reading up on a similar question I found the following: 阅读类似的问题,我发现了以下内容:
.NET does not support IP addresses as Subject Alternative Names directly because it relies on Schannel to do the verification of the IP address in the cert.
Schannel only looks for the hostname (IP) given in the https request among the "DNS Name=" fields of the cert.
You could try using the 'DNS Name' field. 您可以尝试使用“DNS名称”字段。
Source: Does .NET web service client support SSL cert with IP in Alternate Subject Name 来源: .NET Web服务客户端是否支持使用备用主题名称中的IP的SSL证书
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.