.Net编程:在SSL自签名证书上验证什么
[英].Net Programming: What to validate on an SSL self-signed certificate
问题描述
I cannot get the users to create real certs for their servers but I'd like to do some security checks. 
我无法让用户为他们的服务器创建真正的证书,但我想做一些安全检查。 So the following is too light because, as I read it, there is no checking on the certs. 因此,以下内容太轻,因为在我阅读时, 没有检查证书。
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
What do you recommend that I have the clients check on the x509 cert? 您建议我让客户检查x509证书? Given that I'm using a .NET language (c#/f#). 鉴于我使用的是.NET语言(c#/ f#)。
3 个解决方案
解决方案1
5 2009-07-27 19:50:55
If you're using self signed certs then the only errors you should expect is a chain error on the root (Cert. Issuer). 如果您使用自签名证书,那么您应该期望的唯一错误是根(证书颁发者)上的链错误。 I would suggest something like this that traps for that chain error specifically and lets all other errors fall through. 我会建议像这样的东西,专门捕获链错误,并让所有其他错误落空。
ServicePointManager.ServerCertificateValidationCallback += new RemoteCertificateValidationCallback(
ValidateRemoteCertificate
);
private static bool ValidateRemoteCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors policyErrors )
{
string trustedIssuer = "CN=www.domain.com";
string trustedDomain = "CN=www.domain.com";
bool policyErr = false;
switch (policyErrors)
{
case SslPolicyErrors.None:
policyErr |= false;
break;
case SslPolicyErrors.RemoteCertificateChainErrors:
bool chainErr = false;
foreach (X509ChainStatus status in chain.ChainStatus)
{
switch (status.Status)
{
case X509ChainStatusFlags.NoError:
chainErr |= false;
break;
case X509ChainStatusFlags.UntrustedRoot:
if (certificate.Subject != trustedDomain || certificate.Issuer != trustedIssuer)
chainErr |= true;
else
chainErr |= false;
break;
default:
chainErr |= true;
break;
}
}
policyErr |= chainErr;
break;
default:
policyErr |= true;
break;
}
return !policyErr;
}
解决方案2
4 2009-07-27 18:57:34
If you can't get the clients to create real certs you should at least try to get them to create certs using your server. 如果您无法让客户端创建真正的证书,您至少应该尝试让他们使用您的服务器创建证书。 Then you can check that the certificate is valid or at least from your CA because you'll know if your CA has been compromised. 然后,您可以检查证书是否有效,或至少从您的CA检查,因为您将知道您的CA是否已被盗用。 If you're trusting any and all CAs there's really nothing worth checking. 如果您信任任何和所有CA,那么真的没什么值得检查的。
解决方案3
1 2012-06-28 19:38:57
if you can check certs you could put your own validation logic in the function ValidateRemoteCertificate 如果您可以检查证书,则可以将自己的验证逻辑放在函数ValidateRemoteCertificate中
System.Net.ServicePointManager.ServerCertificateValidationCallback += (a, b, c, d) =>
{
return ValidateRemoteCertificate(a, b, c, d);
};
private static bool ValidateRemoteCertificate(object sender, X509Certificate certificate,
X509Chain chain, SslPolicyErrors policyErrors)
{
if (certificate.Subject.Equals("CN=www.domain.com"))
return true;
else
return policyErrors == SslPolicyErrors.None;
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.