Using custom root CA with HttpClient

In C#, when using HttpClient, how can I connect to an https server that is using either a self-signed certificate (for testing) or a custom CA that is not part of the machine's trust-store? Note that I'm not needing client certificates; I only need HttpClient to validate a server certificate that is not signed by one of the trusted root CAs on the machine. I know that I could just add the self-signed certificate or the CA to the local trust-store on the machine, but let's say I want to avoid doing this. What I need is basically to supply an extra root CA to the running application.

There are quite simple ways to do this in other languages, as far as I know:

  1. In Java, using the "javax.net.ssl.trustStore" system property.

  2. In Node.js, using the NODE_EXTRA_CA_CERT environment variable.

But I couldn't find anything like this for .Net so far. Is there a simple way like the above?

I fought with this for a while; there don't seem to be good answers out there other than "write your own callback handler", as user evk mentioned with the link to https://learn.microsoft.com/en-us/dotnet/api/system.net.http.httpclienthandler.servercertificatecustomvalidationcallback?view=net-5.0 in the comments above, but that doesn't really explain what should be inside that callback. Then I stumbled upon this comment: https://github.com/dotnet/runtime/issues/39835#issuecomment-663020581

Turns out, using a custom root cert is pretty straightforward. Basically, alter the chain policy to use custom roots, add your custom root, and call Build on the chain.

using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Assigned to HttpClientHandler.ServerCertificateCustomValidationCallback.
private static bool ServerCertificateCustomValidation(
    HttpRequestMessage requestMessage,
    X509Certificate2? certificate,
    X509Chain? chain,
    SslPolicyErrors sslErrors)
{
    if (certificate == null) return false;
    if (chain == null) return false;
    // Trust only the roots in CustomTrustStore instead of the machine store,
    // then rebuild the chain against that root.
    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
    chain.ChainPolicy.CustomTrustStore.Add(GetTrustedRootCert());
    return chain.Build(certificate);
}

// Helper referenced by the answer; the original omits its body. Placeholder path.
private static X509Certificate2 GetTrustedRootCert() =>
    new X509Certificate2("PATH_TO_ROOT_CA.cer");

Keep in mind you may still want to check some other things, like whether there are other policy errors. This answer only covers using a custom trusted root.
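A fuller version of the approach described in the answer, written as an added example rather than code from the answer or from the .NET project. It wires the callback into an HttpClientHandler, rejects a hostname mismatch up front (a different trust anchor never fixes that), rebuilds the chain with only the supplied root, and finally checks that the chain actually terminates at that root rather than at some other root in the policy. The PEM path custom-root.pem, the URL https://localhost:8443/, and the disabled revocation check are assumptions for a local test setup, not values from the page.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example; not from the original answer.
// Assumes a PEM-encoded root CA at "custom-root.pem" (hypothetical path) and a
// test server at https://localhost:8443/ whose leaf chains to that root.
static class CustomRootHttpClient
{
    // CreateFromPemFile is available from .NET 5 onward.
    static readonly X509Certificate2 CustomRoot =
        X509Certificate2.CreateFromPemFile("custom-root.pem");

    static bool ValidateAgainstCustomRoot(
        HttpRequestMessage request,
        X509Certificate2? certificate,
        X509Chain? chain,
        SslPolicyErrors sslErrors)
    {
        if (certificate is null || chain is null) return false;

        // A name mismatch is independent of which root is trusted: reject it
        // before touching the chain policy at all.
        if ((sslErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            return false;

        // Trust only our root; the machine store is not consulted.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Clear();
        chain.ChainPolicy.CustomTrustStore.Add(CustomRoot);
        // Assumption: the test CA publishes no CRL/OCSP, so revocation checking
        // would otherwise fail the build. Keep the default for a real CA.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        if (!chain.Build(certificate))
        {
            // Log why the chain failed (expired, untrusted root, partial chain, ...).
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.Error.WriteLine($"chain error: {status.Status} {status.StatusInformation}");
            return false;
        }

        // Pin the anchor: the last element of a built chain is the root that
        // was used. Compare the DER bytes so a different root with the same
        // subject name cannot pass.
        X509Certificate2 anchor = chain.ChainElements[^1].Certificate;
        return anchor.RawData.AsSpan().SequenceEqual(CustomRoot.RawData);
    }

    public static HttpClient Create()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = ValidateAgainstCustomRoot
        };
        return new HttpClient(handler);
    }

    static async Task Main()
    {
        using HttpClient client = Create();
        string body = await client.GetStringAsync("https://localhost:8443/");
        Console.WriteLine($"received {body.Length} bytes over a connection anchored at the custom root");
    }
}
```

The anchor comparison at the end is the check the answer's closing caveat hints at: chain.Build only reports that some root in the policy was reached, so asserting which root was reached keeps a stray certificate added to CustomTrustStore elsewhere in the process from widening what this client accepts.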
