Why TLS Handshake fails when using a certificate that exposes only public key?

TLS handshake fails when using a certificate that exposes only the public key, but it works when using another certificate that exposes the private key. When we use the certificate that exposes only the public key, it gives "400 Bad Request No required SSL certificate was sent".

One key difference here is that with the 2nd certificate, which exposes the private key, we give permission to Network Service, but as the 1st certificate does not expose a private key we are not able to give permission to Network Service. Both of these certificates are properly installed in the store.

Following is sample code:

// Namespaces this method depends on.
using System;
using System.Configuration;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;

public string TestCall()
{
    try
    {
        string url = "Some URL";
        string apiKey = "Key Information";
        string secret = "Key Secret";
        string payload = "Timestamp";

        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.Method = "POST";
        request.ContentType = "application/json";
        request.SendChunked = false;
        request.AllowAutoRedirect = true;
        request.Date = DateTime.UtcNow;

        // Look the client certificate up by thumbprint in the machine store.
        // The third argument (validOnly = true) also requires the certificate
        // to chain to a trusted root and to be within its validity period.
        using (var keyStore = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine))
        {
            keyStore.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection found = keyStore.Certificates.Find(
                X509FindType.FindByThumbprint, ConfigurationManager.AppSettings["ThumbPrint"], true);
            if (found.Count == 0)
            {
                return "No certificate found for the configured thumbprint";
            }
            request.ClientCertificates.Add(found[0]);
        }

        // HmacAuthProvider is the poster's own helper; its source is not part of the question.
        var authProvider = new HmacAuthProvider();
        var headers = authProvider.GenerateAuthHeaders(apiKey, secret, payload, url);
        foreach (var header in headers)
        {
            request.Headers.Add(header.Key, header.Value);
        }

        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
        {
            return reader.ReadToEnd();
        }
    }
    catch (Exception ex)
    {
        return ex.Message + " " + ex.StackTrace;
    }
}

Any idea what is missing here, so that the certificate without a private key is not reaching the server?

Certificate-based authentication requires possession of the private key for the corresponding certificate. You cannot use only the public certificate (without having a private key) for client authentication; you need the private key because it is used to sign TLS handshake data.
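A pre-flight check that mirrors what the handshake needs from the client certificate, added here as an example (it is not code from the question or the answer). It assumes an RSA key pair and the same store and thumbprint lookup as the question; it first confirms a private key is linked to the certificate at all, then performs a test signature so that a key the current account (for instance Network Service) cannot read is caught before the request is sent, rather than surfacing as the server's 400.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ClientCertCheck
{
    // Returns null when the certificate is usable for TLS client authentication
    // under the current account, otherwise a short reason why it is not.
    public static string WhyUnusable(X509Certificate2 cert)
    {
        if (cert == null) return "no certificate matched the thumbprint";
        if (!cert.HasPrivateKey)
            return "certificate has no associated private key (public-key-only import)";

        // The handshake proves key possession by signing transcript data
        // (CertificateVerify). Do the same with constructed input so that a
        // key that is present in store metadata but inaccessible to this
        // account fails here with a clear message.
        byte[] probe = new byte[32]; // constructed sample data, content is irrelevant
        try
        {
            using (RSA priv = cert.GetRSAPrivateKey())
            using (RSA pub = cert.GetRSAPublicKey())
            {
                if (priv == null || pub == null)
                    return "certificate does not carry an RSA key (only RSA is handled here)";
                byte[] sig = priv.SignData(probe, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                return pub.VerifyData(probe, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
                    ? null
                    : "private key does not match the certificate's public key";
            }
        }
        catch (CryptographicException ex)
        {
            return "private key exists but is not accessible to this account: " + ex.Message;
        }
    }

    // Looks the certificate up the way the question's code does, then checks it.
    public static string CheckByThumbprint(string thumbprint)
    {
        using (var store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, true);
            return WhyUnusable(found.Count > 0 ? found[0] : null);
        }
    }
}
```

Call `ClientCertCheck.CheckByThumbprint(...)` under the same account the web application runs as; a non-null result is the reason the client side has nothing it can present in the handshake.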
