如果您知道无效的证书是安全的，那么测试X509Certificate.Thumbprint属性是否安全? [英] Is it safe to test the X509Certificate.Thumbprint property when you know an invalid certificate is safe?

问题描述

我正在尝试使用 SmtpClient.Send 以编程方式发送电子邮件.我目前在尝试发送电子邮件时收到 AuthenticationException .这是因为证书验证过程失败.

I'm attempting to send emails programmatically using SmtpClient.Send. I am currently getting an AuthenticationException when attempting to send the email. This is because of the certificate validation procedure failing.

我知道证书是正确的，但是我也理解信任所有证书并不安全，就像这样做的建议一样

I know that the certificate is the correct one, but I also understand that it's not secure to trust all certificates much like the suggestions of doing this:

ServicePointManager.ServerCertificateValidationCallback += 
     (sender, certificate, chain, sslPolicyErrors) => { return true; };

所以我想知道对已知的有效证书指纹进行 Thumbprint 的测试是否足够安全，就像这样:

So I was wondering if testing the Thumbprint for a known valid certificate thumbprint is secure enough, like so:

ServicePointManager.ServerCertificateValidationCallback +=
     (sender, certificate, chain, sslPolicyErrors) =>
     {
         if (sslPolicyErrors == SslPolicyErrors.None)
             return true;
         else if (certificate.GetCertHashString().Equals("B1248012B10248012B"))
             return true;

         return false;
     };

推荐答案

是.

指纹是证书的SHA1哈希，虽然不是绝对不可能，但很难伪造.

The thumbprint is a SHA1 hash of the certificate, and while not absolutely impossible, is extremely difficult to forge.

从技术上讲，目前尚不存在对SHA1的已知可行的第二原像攻击.

In technical terms, there are currently no known feasable second-preimage attacks on SHA1.

但是，如果有任何疑问，您可以使用指纹作为密钥来存储整个证书.然后，您可以将整个证书与您存储的受信任证书进行比较.

However, if in any doubt, you may store the whole certificate, perhaps using the fingerprint as a key. Then you can compare the whole certificate against your stored, trusted certificate.

这篇关于如果您知道无效的证书是安全的，那么测试X509Certificate.Thumbprint属性是否安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！