[英]understanding server/proxy/client certificates with .NET sslstream
I'm creating a TCP proxy with C# using TcpListener for the proxy server and TcpCLient for the communication between client and proxy and between proxy and target server. 我正在使用C#创建一个TCP代理,使用TcpListener代理服务器,使用TcpCLient代理客户端和代理之间以及代理服务器和目标服务器之间的通信。 This works really nice.
这非常好用。
I also have to support SSL and TLS encrypted communication. 我还必须支持SSL和TLS加密通信。 This works almost well.
这种方法效果很好。 I create a SslStream from the proxy to the target server with this Code:
我使用此代码从代理到目标服务器创建一个SslStream:
var sslStream = new SslStream(remoteStream, false);
sslStream.AuthenticateAsClient(state.RemoteHost);
And I create a SslStream from the proxy to the Client with the following code: 我使用以下代码从代理到客户端创建一个SslStream:
var sslStream = new SslStream(state.ClientStream, false);
sslStream.AuthenticateAsServer(certificate, false, SslProtocols.Tls | SslProtocols.Ssl3 | SslProtocols.Ssl2, true);
The certificate is loaded from the X509Store: 证书从X509Store加载:
X509Certificate2 certificate;
var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
var certificates = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, "CN=localhost", false);
store.Close();
if (certificates.Count == 0)
{
Console.WriteLine("Server certificate not found...");
return;
}
else
{
certificate = certificates[0];
}
This also works well if i force the clients to trust the certificate manually. 如果我强制客户端手动信任证书,这也很有效。
My questions are: 我的问题是:
I don't want to tunnel the SSL communication threw the proxy because I need to read and manipulate the streams. 我不想隧道SSL通信抛出代理,因为我需要读取和操作流。
[UPDATE] Yes I used Google and the search in StackOverflow and I tried some different solution without any success. [更新]是的我使用谷歌和StackOverflow中的搜索,我尝试了一些不同的解决方案,没有任何成功。 I also tried the solutions in the following threads:
我还尝试了以下线程中的解决方案:
SSLStream example - how do I get certificates that work? SSLStream示例 - 如何获取有效的证书?
How do I identify my server name for server authentication by client in c# 如何在c#中通过客户端识别服务器身份验证的服务器名称
[UPDATE2] This is a very good tutorial to create a CA and a server certificate with openssl, but it doesn't work for me: http://webserver.codeplex.com/wikipage?title=HTTPS&referringTitle=Home [UPDATE2]这是一个非常好的教程,用openssl创建CA和服务器证书,但它对我不起作用: http ://webserver.codeplex.com/wikipage?title = HTTPS&referenceTitle = Home
There is no single certificate which is valid for all requests. 没有一个证书对所有请求都有效。 So my idea doesn't work.
所以我的想法不起作用。 Because it is not possible to generate a single license for every domain name.
因为无法为每个域名生成单个许可证。
But the Answer is easier than expected: To solve my problem I have to create a certificate for every single request. 但答案比预期的要容易:要解决我的问题,我必须为每个请求创建一个证书。
All I need to do is: 我需要做的就是:
(this is completely the same in fiddler) (这在提琴手中完全相同)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.