Why does the TLS handshake fail when using a certificate that exposes only the public key?
The TLS handshake fails when using a certificate that exposes only the public key, but it works when we use another certificate that exposes the private key. When we use the certificate that exposes only the public key, the server returns "400 Bad Request No required SSL certificate was sent".

One key difference here is that with the 2nd certificate, which exposes the private key, we give permission to Network Service, but since the 1st certificate does not expose the private key we are not able to give permission to Network Service. Both of these certificates are properly installed in the store.
Following is sample code:
    using System;
    using System.Configuration;
    using System.IO;
    using System.Net;
    using System.Security.Cryptography.X509Certificates;

    public string TestCall()
    {
        try
        {
            string url = "Some URL";
            string apiKey = "Key Information";
            string secret = "Key Secret";
            string payload = "Timestamp";

            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
            request.Method = "POST";
            request.ContentType = "application/json";
            request.SendChunked = false;
            request.AllowAutoRedirect = true;
            request.Date = DateTime.UtcNow;

            // Look up the client certificate by thumbprint in the machine-wide store
            // and close the store handle once the certificate has been retrieved.
            var keyStore = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
            keyStore.Open(OpenFlags.ReadOnly);
            X509Certificate clientCertificate = keyStore.Certificates.Find(
                X509FindType.FindByThumbprint, ConfigurationManager.AppSettings["ThumbPrint"], true)[0];
            keyStore.Close();
            request.ClientCertificates.Add(clientCertificate);

            // HmacAuthProvider is the poster's own class that builds the HMAC auth headers.
            var authProvider = new HmacAuthProvider();
            var headers = authProvider.GenerateAuthHeaders(apiKey, secret, payload, url);
            foreach (var header in headers)
            {
                request.Headers.Add(header.Key, header.Value);
            }

            using (var response = (HttpWebResponse)request.GetResponse())
            using (var reader = new StreamReader(response.GetResponseStream()))
            {
                return reader.ReadToEnd();
            }
        }
        catch (Exception ex)
        {
            return ex.Message + " " + ex.StackTrace;
        }
    }
Any idea what is missing here, such that the certificate without a private key is not reaching the server?
Certificate-based authentication requires possession of the private key for the corresponding certificate. You cannot use only the public certificate (without having the private key) for client authentication; you need the private key because it is used to sign TLS handshake data.
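An added example, not the answerer's or the poster's code, of checking before the request is sent that the selected certificate actually carries a usable private key, so the failure surfaces as a clear exception instead of a silent empty client certificate and a 400 from the server. ClientCertCheck and LoadUsableClientCert are hypothetical names, the store defaults are assumptions, and it assumes .NET Framework 4.6 or later (or .NET Core) for the disposable X509Store and GetRSAPrivateKey/GetECDsaPrivateKey.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: hypothetical helper, not from the question or the answer.
public static class ClientCertCheck
{
    public static X509Certificate2 LoadUsableClientCert(
        string thumbprint,
        StoreName storeName = StoreName.My,              // assumption
        StoreLocation location = StoreLocation.LocalMachine)
    {
        using (var store = new X509Store(storeName, location))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    "No certificate with thumbprint " + thumbprint + " in " + location + "/" + storeName);

            X509Certificate2 cert = matches[0];

            // A certificate holding only the public key cannot sign the TLS
            // CertificateVerify message, so the TLS stack sends no client
            // certificate at all; that is what the server's 400 reports.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate " + thumbprint + " has no private key; it cannot authenticate a client.");

            // HasPrivateKey only says a key is associated. The process account
            // (e.g. Network Service) also needs read access on that key; if it
            // lacks it, opening the key throws CryptographicException.
            try
            {
                using (AsymmetricAlgorithm key =
                    (AsymmetricAlgorithm)cert.GetRSAPrivateKey() ?? cert.GetECDsaPrivateKey())
                {
                    if (key == null)
                        throw new InvalidOperationException("Private key is neither RSA nor ECDSA.");
                }
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException(
                    "Private key exists but is not readable by this process; check the key's ACL.", ex);
            }
            return cert;
        }
    }
}
```

Call it in place of the bare `Find(...)[0]` lookup and pass the returned certificate to `request.ClientCertificates.Add(...)`.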