SslStream.AuthenticateAsServer异常-服务器模式SSL必须使用带有关联私钥的证书
[英]SslStream.AuthenticateAsServer exception - The server mode SSL must use a certificate with the associated private key
问题描述
I am developing a proxy server application similar to CCProxy. 
我正在开发类似于CCProxy的代理服务器应用程序。 Its working fine for HTTP but not HTTPS. 它适用于HTTP,但不适用于HTTPS。 Its throwing exception when AuthenticateAsServer() method is called on SslStream object. 在SslStream对象上调用AuthenticateAsServer()方法时,其引发异常。 I also don't know whether I have supplied proper certificate, I don't know how to create a certificate. 我也不知道我是否提供了正确的证书,也不知道如何创建证书。 I just provided the certificate which came with the code that I downloaded online. 我只是提供了在线下载的代码随附的证书。 Here is the code: 这是代码:
private static void DoHttpProcessing(TcpClient client)
{
Stream clientStream = client.GetStream();
Stream outStream = clientStream;
SslStream sslStream = null;
StreamReader clientStreamReader = new StreamReader(clientStream);
CacheEntry cacheEntry = null;
MemoryStream cacheStream = null;
if (Server.DumpHeaders || Server.DumpPostData || Server.DumpResponseData)
{
Monitor.TryEnter(_outputLockObj, TimeSpan.FromMilliseconds(-1.0));
}
try
{
//read the first line HTTP command
String httpCmd = clientStreamReader.ReadLine();
if (String.IsNullOrEmpty(httpCmd))
{
clientStreamReader.Close();
clientStream.Close();
return;
}
//break up the line into three components
String[] splitBuffer = httpCmd.Split(spaceSplit, 3);
String method = splitBuffer[0];
String remoteUri = splitBuffer[1];
Version version = new Version(1, 0);
HttpWebRequest webReq;
HttpWebResponse response = null;
if (splitBuffer[0].ToUpper() == "CONNECT")
{
remoteUri = "https://" + splitBuffer[1];
while (!String.IsNullOrEmpty(clientStreamReader.ReadLine())) ;
StreamWriter connectStreamWriter = new StreamWriter(clientStream);
connectStreamWriter.WriteLine("HTTP/1.0 200 Connection established");
connectStreamWriter.WriteLine(String.Format("Timestamp: {0}", DateTime.Now.ToString()));
connectStreamWriter.WriteLine("Proxy-agent: matt-dot-net");
connectStreamWriter.WriteLine();
connectStreamWriter.Flush();
sslStream = new SslStream(clientStream, false);
try
{
// HERE I RECEIVE EXCEPTION
sslStream.AuthenticateAsServer(_certificate, false, SslProtocols.Tls | SslProtocols.Ssl3 | SslProtocols.Ssl2, true);
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
sslStream.Close();
clientStreamReader.Close();
connectStreamWriter.Close();
clientStream.Close();
return;
}//further code goes here...
Also, instead of sslStream.AuthenticateAsServer, if I use ssStream.AuthenticateAsClient method I get AuthenticationException with message "A call to SSPI failed, see inner exception." 另外,如果我使用ssStream.AuthenticateAsClient方法,而不是sslStream.AuthenticateAsServer,则会收到AuthenticationException并显示消息“对SSPI的调用失败,请参阅内部异常”。 and InnerException gives message as "The message received was unexpected or badly formatted" 并且InnerException给出消息为“收到的消息意外或格式错误”
When I am using sslstream.AuthenticateAsServer() method, I need to create certificate for each new HTTPS host and pass it with this method. 当我使用sslstream.AuthenticateAsServer()方法时,我需要为每个新的HTTPS主机创建证书,并将其与此方法一起传递。 If I provide the self signed certificate, the request succeeds. 如果我提供了自签名证书,则请求成功。 But problem is, for how many new HTTPS requests will I keep creating certificates manually and assign it to AuthenticateAsServer()? 但是问题是,我将继续手动创建几个新的HTTPS请求并将其分配给AuthenticateAsServer()?
1 个解决方案
解决方案1
0 2013-03-06 23:47:41
For the serverside certificate, most certificates correspond to a FQDN (so server1.localhost.local), although there can be wildcard certs (*.localhost.local). 对于服务器端证书,尽管可以有通配符证书(* .localhost.local),但大多数证书都对应于FQDN(因此为server1.localhost.local)。 When you use AuthenticateAsClient method, that could be one of two things, 1) The Certificate doesnt have the Extended Key Usage for Client Authentication or 2) you didnt pass the right password for it to read the cert/private key. 当您使用AuthenticateAsClient方法时,这可能是两件事之一:1)证书没有用于客户端身份验证的扩展密钥用法,或者2)您没有通过正确的密码来读取证书/私钥。 To get past both these hurdles rather quickly i would suggest creating an OpenSSL CA and then generating a CA and Server Cert. 为了尽快克服这两个障碍,我建议创建一个OpenSSL CA,然后生成一个CA和服务器证书。 There is tons of documentation on how to do this and should take 30 minutes tops for someone who has never created one before....(Also i would suggest exporting the cert into pkcs12 extension for the CA to be chained in with the Server Cert). 关于如何执行此操作,有大量文档,对于从未创建过证书的人来说,应该花30分钟的时间。...(我也建议将证书导出到pkcs12扩展中,以便将CA与服务器证书链接在一起)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.