简体繁体 English

在C＃中验证SSL证书

[英]Verify SSL certificate in C#

原文 2012-03-14 12:54:15 5 1 c#/ validation/ ssl/ certificate

I'm downloading files from a FTPS server and the server sends a certificate back to me. 我正在从FTPS服务器下载文件，服务器将证书发回给我。

Microsoft states: 微软表示：

When custom validation is not used, the certificate name is compared with host name used to create the request. 如果未使用自定义验证，则会将证书名称与用于创建请求的主机名进行比较。 For example, if Create(String) was passed a parameter of "https://www.contoso.com/default.hmtl", the default behavior is for the client to check the certificate against www.contoso.com. 例如，如果Create（String）传递了参数“https://www.contoso.com/default.hmtl”，则默认行为是客户端针对www.contoso.com检查证书。

The certificate does not pass the default validation (RemoteCertificateNameMismatch). 证书未通过默认验证（RemoteCertificateNameMismatch）。 Right now I use the ServicePointManager.ServerCertificateValidationCallback delegate and provide a delegate that returns true, just "to pass" without any validation. 现在我使用ServicePointManager.ServerCertificateValidationCallback委托并提供一个返回true的委托，只是“传递”而不进行任何验证。 How do I validate the certificate using C#? 如何使用C＃验证证书？

One of the parameters to the delgate mentioned above, X509Certificate certificate, contains two public properties of interest: Issuer and Subject. 上面提到的delgate的一个参数X509Certificate证书包含两个感兴趣的公共属性：Issuer和Subject。 None of the two properties contains any data matching the hostname. 这两个属性都不包含与主机名匹配的任何数据。

1 个解决方案

Usually you must have a valid certificate against the right host name to pass the validation instead of overwriting the callback. 通常，您必须拥有针对正确主机名的有效证书才能通过验证而不是覆盖回调。 What target address did you use to access the FTP server? 您使用什么目标地址来访问FTP服务器？ It should be different from the subject according to your description. 根据您的描述，它应与主题不同。 You may consider to use the subject hostname to access the server instead of current one. 您可以考虑使用主题主机名来访问服务器而不是当前服务器。 You could also set your client hosts file if you have DNS issues with that. 如果您遇到DNS问题，也可以设置客户端主机文件。