HTTPs客户端连接到Azure Web App上没有可信链(非可信CA)的服务器 [英] HTTPs Client to connect to server without trusted chain (non trusted CA) on Azure Web App

问题描述

我被困了大约3天，试图连接到具有尚未由受信任的CA签名的证书的服务器-您可以通过Azure门户添加CA的证书-但没有任何影响.

I have been stuck for around 3 days trying to connect to a server that has a certificate which hasn't been signed by a trusted CA - you can add the CA's certificate through Azure Portal - but to no affect.

显然，所有HTTP都使用内核模块(！)HTTP.SYS.

apparently everything HTTP uses a kernel module (!) HTTP.SYS.

我见过的所有建议都可以覆盖其中的建议:

All of the suggestions I have seen to override this either use:

ServicePointManager.ServerCertificateValidationCallback = Communicator.CustomServiceCertificateValidation;

ServicePointManager.ServerCertificateValidationCallback = Communicator.CustomServiceCertificateValidation;

(或请求本身的全局性较小的对象)

(or its less global counterpart on the request itself)

或类似的内容:

 client.ClientCredentials.ServiceCertificate.SslCertificateAuthentication =
                 new X509ServiceCertificateAuthentication()
                 {
                     CertificateValidationMode = X509CertificateValidationMode.Custom,
                     RevocationMode = X509RevocationMode.NoCheck,

                     //TrustedStoreLocation = StoreLocation.CurrentUser,
                     CustomCertificateValidator = new PermissiveCertificateValidator()

                 };

还没有被调用！

一些更重要的细节:

这有效:

  try
        {
            ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
            using (var wc = new WebClient())
            {
                var res = wc.DownloadString("https://untrusted-root.badssl.com/");
                return Content(res);
            }
        }
        catch (Exception ex)
        {
            return Content(ex.ToString());
        }

但是，我需要使用客户证书进行身份验证-因此，请按照此处的说明进行操作: 如何您是否将证书添加到WebClient(C#)?

Yet, I need to authenticate myself with a client certificate - so, following the instructions found here: How can you add a Certificate to WebClient (C#)?

我最终得到以下代码:

class ATWebClient : WebClient
{
    protected override WebRequest GetWebRequest(Uri address)
    {
        HttpWebRequest request = (HttpWebRequest)base.GetWebRequest(address);
        request.Headers.Add("SOAPAction", "https://servicos.portaldasfinancas.gov.pt/sgdtws/documentosTransporte/");
        X509Certificate2 cert = new X509Certificate2();
        //From user installed Certificates
        //cert.Import(_pathCertificate, _passwordCertificate, X509KeyStorageFlags.DefaultKeySet);
        //From FileSystem "Resources\Certificates"
        cert.Import(Common.Properties.Resources.testewebservices_novo, "TESTEwebservice", X509KeyStorageFlags.Exportable);

        // Output Certificate 
        //Utils.Log(string.Format("Cert Subject: [{0}], NotBefore: [{1}], NotAfter: [{2}]", cert.Subject, cert.NotBefore, cert.NotAfter));

        request.ClientCertificates.Add(cert);
        request.Method = "POST";
        request.ContentType = "text/xml; charset=utf-8";
        request.Accept = "text/xml";


        return request;
    }

现在我使用以下命令调用服务:

And now I invoke the service with:

   try
    {

        ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
        ServicePointManager.CheckCertificateRevocationList = false;
        ServicePointManager.UseNagleAlgorithm = false;
        using (var wc = new ATWebClient())
        {
            //var res = wc.DownloadString("https://servicos.portaldasfinancas.gov.pt:701/sgdtws/documentosTransporte");
            var res = wc.UploadString("https://servicos.portaldasfinancas.gov.pt:701/sgdtws/documentosTransporte", "Test of content");
            return Content(res);
        }


    }
    catch (Exception ex)
    {
        return Json(ex);
    }

注意，是的，这是一个SOAP端点-我尝试发送有效的SOAP内容，但是在两种情况下结果都是相同的，我得到以下异常:

Note, yes, this is a SOAP endpoint - I tried sending valid SOAP content, yet the result is in both cases the same, I get the following exception:

The underlying connection was closed: An unexpected error occurred on a send.

Stacktrace:

Stacktrace:

   at System.Net.WebClient.UploadDataInternal(Uri address, String method, Byte[] data, WebRequest& request)
   at System.Net.WebClient.UploadString(Uri address, String method, String data)
   at System.Net.WebClient.UploadString(String address, String data)
   at MagniWebApp.Controllers.HomeController.NonTrustedCATestEndpoint() in C:\Users\joao.antunes.Office2\source\repos\07. Platform\WebApp\MagniWebApp\Controllers\HomeController.cs:line 1154

内部异常的消息:

Authentication failed because the remote party has closed the transport stream.

Authentication failed because the remote party has closed the transport stream.

有什么想法吗?！ 死了！

Any ideas?! Halp!

推荐答案

在这样的自定义回调中，硬代码返回true怎么办?

What about hardcode returning true in your custom callback like this?

 public string Ssl()
    {
        try
        {
            ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
            using (var wc = new WebClient())
            {
                var res = wc.DownloadString("https://untrusted-root.badssl.com/");
                Console.WriteLine(res);
                return res;
            }
        }
        catch (Exception ex)
        {
            return ex.ToString();
        }
    }

这篇关于HTTPs客户端连接到Azure Web App上没有可信链(非可信CA)的服务器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！