HTTPS请求过程中验证远程SSL证书 [英] Verify remote SSL certificate during HTTPS request

问题描述

使HTTPS请求远程Web服务器时，我使用的WebRequest，它建立与远程Web服务器的安全连接。在开发过程中，我使用自签名证书的服务器，WebRequest的未能建立安全的连接，因为证书是无效的，这是预期的行为。

When making HTTPS request to remote web server, I use WebRequest, which establishes secure connection with remote web server. During development, I use self-signed cert on server, and WebRequest fails to establish secure connection, since cert is not valid, which is expected behavior.

我发现这个code说，遥控器证书检查，在以下code调用 SetCertificatePolicy（）方法激活。

I have found this code that "remotes" cert check, activated by calling SetCertificatePolicy() method in following code.

public static void SetCertificatePolicy()
{
    ServicePointManager.ServerCertificateValidationCallback
                += RemoteCertificateValidate;
}

/// <summary>
/// Remotes the certificate validate.
/// </summary>
private static bool RemoteCertificateValidate(
    object sender, X509Certificate cert,
    X509Chain chain, SslPolicyErrors error)
{
    // trust any certificate!!!
    System.Console.WriteLine("Warning, trust any certificate");
    return true;
}

我想知道，如果它是可以做到远程SSL证书专项检查（使用上面code，例如），这样我就可以验证远程Web服务器使用有效的SSL证书，而不是任何有效的证书，但正是一个我想要的吗？举例来说，我想确保我说的www.someplace.com网站，发放给ACME公司证书，指纹0点11分22秒：......

I am wondering, if it is possible to do special checks on remote SSL cert (using above code, for instance), so that I can verify that remote web server uses valid SSL cert, and not just any valid cert, but exactly the one I want? For instance, I want to make sure that I'm talking to www.someplace.com website, cert issued to ACME Inc, with fingerprint 00:11:22:.....

什么是最佳实践的方式为这种情况？

What is a "best practice" approach for this scenario?

谢谢！

推荐答案

如果你真的想打钉到一个特定的证书，你可以比较的证书数据（DER格式）的字节[] 在 certificate.GetRawCertData（）。

If you really want to nail it down to one particular certificate, you can compare the certificate data (in DER format) to the byte[] in certificate.GetRawCertData().

您也可以使用 GetCertHashString（）和主题在证书在 RemoteCertificateValidate 让你后的信息。主机名应当在证书的使用者替代名称，或者，如果没有一个使用者替代名称，在主题（专有）名称的CN。考虑到.NET的方式格式化目标字符串，这应该是第一个CN =你寻找

You can also use GetCertHashString() and Subject on the certificate parameter in RemoteCertificateValidate to get the information you're after. The hostname ought to be in the subject alternative name of the certificate or, if there isn't a subject alternative name, in the CN of the subject (distinguished) name. Considering the way .NET formats the subject string, this ought to be the first CN= you find there.

您还将获得更多的数据，如果证书是 X509Certificate2 的实例。然后，您就可以得到 SubjectName 为 X500PrincipalName 也是扩展（检查对象可选名称扩展）。它可能用来解析主题名称是有用的使用工具，如BouncyCastle的。

You'll also get more data if certificate is an instance of X509Certificate2. You'll then be able to get SubjectName as an X500PrincipalName and also the Extensions (to check the subject alternative name extension). It might be useful to use tools such as BouncyCastle for parsing the subject name.

你也有可能获得有关你想在发件人联系的主机名的更多信息，根据其运行时类型。

You're also likely to get more information about the hostname you're trying to contact in the sender, depending on its runtime type.

这篇关于HTTPS请求过程中验证远程SSL证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！