[英]How to ignore SSL certificate validation in .Net-Core 2 on CentOS
[英]How to ignore SSL validation in .net core 2.1
我正在嘗試調用部署在 Linux 服務器上的 Web 服務,該服務器具有來自在 .net core 中開發並部署在 IIS 服務器(Windows 服務器 2012)上的應用程序的自簽名證書。
但是當我嘗試調用端點時,會拋出下一個錯誤:
"Message": "無法建立 SSL 連接,請參閱內部異常。", "Description": "InnerError : System.Security.Authentication.AuthenticationException: 身份驗證失敗,請參閱內部異常。---> System.ComponentModel.Win32Exception : Mensaje recibido inesperado, o bien su formato es不正確\\r\\n --- 內部異常堆棧跟蹤結束---\\r\\n 在 System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo 異常)\\r\\n 在 System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)\\r\\n 在 System.Net.Security.SslState.StartSendBlob(Byte[] 傳入,Int32 計數,AsyncProtocolRequest asyncRequest)\\r \\n 在 System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)\\r\\n 在 System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) \\r\\n 在 Sy stem.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)\\r\\n--- 從上一個引發異常的位置的堆棧跟蹤結束---\\r\\n 在 System.Net.Security.SslState.ThrowIfExceptional() \\r\\n 在 System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)\\r\\n 在 System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)\\r\\n 在 System.Net.Security.SslStream.EndAuthenticateAsClient (IAsyncResult asyncResult)\\r\\n 在 System.Net.Security.SslStream.<>c.b__47_1(IAsyncResult iar)\\r\\n 在 System.Threading.Tasks.TaskFactory
1.FromAsyncCoreLogic(IAsyncResult iar, Func
2 endFunction, Action1 endAction, Task
1 promise, Boolean requiresSynchronization)\\r\\n--- 從上一個拋出異常的位置結束堆棧跟蹤---\\r\\n 在 System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken 取消令牌) | stackTrace : 在 System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancelationToken)\\r\\n 在 System.Threading.Tasks.ValueTask1.get_Result()\\r\\n at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)\\r\\n at System.Threading.Tasks.ValueTask
cancelationToken1.get_Result()\\r\\n at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)\\r\\n at System.Threading.Tasks.ValueTask
1.get_Result()\\r\\n 在 System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask1 creationTask)\\r\\n at System.Threading.Tasks.ValueTask
1.get_Result()\\r\\n 在 System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancelationToken)\\r\\n 在 System.Net.Http.RedirectHandler。 SendAsync(HttpRequestMessage request, CancellationToken cancelationToken)\\r\\n 在 System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)\\r\\n 在 ReservasProxy .Data.APIConnection.CallXMLFormDataApiPostAsyc(String body) in C:\\gitProjects\\ResevasProxy\\ReservasProxy\\ReservasProxy\\Data\\APIConnection.cs:line 181\\r\\n
我已經嘗試了下一個解決方案,但它們沒有用。
解決方案1:
using (var httpClientHandler = new HttpClientHandler())
{
httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; };
// Make your request...
//send request
using (var httpClient = new HttpClient(httpClientHandler))
{
var content = new StringContent(body, Encoding.UTF8, "application/soap+xml");
HttpResponseMessage response = await httpClient.PostAsync(_url, content);
//var res = await response.Content.ReadAsAsync<T>();
}
}
解決方案2:
//send request
using (var httpClient = new HttpClient())
{
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
var content = new StringContent(body, Encoding.UTF8, "application/soap+xml");
HttpResponseMessage response = await httpClient.PostAsync(_url, content);
}
解決方案 3:嘗試導入證書,然后撥打電話,但仍然無法正常工作。
const string certPath = @"C:\soaProdcer.cer";
var handler = new HttpClientHandler
{
ClientCertificateOptions = ClientCertificateOption.Manual,
SslProtocols = System.Security.Authentication.SslProtocols.Tls
};
handler.ClientCertificates.Add(new System.Security.Cryptography.X509Certificates.X509Certificate(certPath));
//send request
using (var httpClient = new HttpClient(handler))
{
var content = new StringContent(body, Encoding.UTF8, "application/soap+xml");
HttpResponseMessage response = await httpClient.PostAsync(_url, content);
}
我使用 OpenSSL 獲得了證書
>openssl s_client -showcerts -connect serversoa:443
No client certificate CA names sent
---
SSL handshake has read 774 bytes and written 493 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 4E0F69C75B8F041101562F7E9B3EA349
Session-ID-ctx:
Master-Key: 61A916A9B8AF26281B5F7A0138DF5E4C2A4B83995E0B3FDD2274BAD0D8E3C2B5E98AA7CCB48A6543F6814C2540B18848
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1558979896
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
我將證書導入到受信任的根證書頒發機構的 IIS 服務器中。
我不記得微軟的鏈接告訴你這個。 您的上述解決方案適用於較舊的 asp.net 核心版本。 這是我為我的項目實現的最新 ASP.NET Core 的解決方案。 我希望它能幫助你。
services.AddHttpClient<IYourService, YourService>()
.ConfigurePrimaryHttpMessageHandler(sp => new HttpClientHandler
{
AllowAutoRedirect = false,
ServerCertificateCustomValidationCallback = (message, certificate2, arg3, arg4) => true,
SslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12
});
另請閱讀 HttpClientFactory: https : //docs.microsoft.com/en-us/dotnet/standard/microservices-architecture/implement-resilient-applications/use-httpclientfactory-to-implement-resilient-http-requests
正如 Ilya 所說,這不是 CA 證書頒發機構的問題。 問題是客戶端試圖使用不同版本的 TLS (1.2) 解決方案是指定 TLS 版本。
using (var httpClientHandler = new HttpClientHandler())
{
httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; };
httpClientHandler.SslProtocols = System.Security.Authentication.SslProtocols.Tls;
//send request
using (var httpClient = new HttpClient(httpClientHandler))
{
var content = new StringContent(body, Encoding.UTF8, "application/soap+xml");
HttpResponseMessage response = await httpClient.PostAsync(_url, content);
}
}
我使用 Wireshark 來嗅探流量,看看發生了什么......
在我的電腦上完成測試並且測試成功后,我將應用程序部署到 IIS 服務器上。 當我開始在服務器上測試我的應用程序時,它開始拋出與以前相同的異常。
為什么?
因此,如果您像我一樣使用 Windows,則只需檢查證書使用的密碼即可。 正如我之前提到的,Linux 服務器在證書中使用了 CR4 密碼
該錯誤並不表示證書 CA 機構有問題,而是來自服務器的響應,該響應不是預期的 TLS 建立。
由於作者已經弄清楚客戶端支持1.2和服務器1.0並且它引起了麻煩。
PS 如果這是您需要處理的瀏覽器支持選項,我建議僅使用 TLS 1.2。 (只有舊版本不支持 1.2。)
從這里使用下面的示例
var httpClientHandler = new HttpClientHandler();
// Return `true` to allow certificates that are untrusted/invalid
httpClientHandler.ServerCertificateCustomValidationCallback =
HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
var httpClient = new HttpClient(httpClientHandler);
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.