How to validate an X.509 certificate using FTP over TLS (FTPS)?


Problem description

The following code is able to connect to an FTP server using TLS:

private FtpClient getFtpsClient(System.Uri uri) {
    if (uri.Scheme != "ftps") {
        throw new NotImplementedException("Only ftps is implemented");
    }
    // Credentials are taken from the user-info part of the URI ("user:password").
    var userInfo = uri.UserInfo.Split(':');
    FtpClient client = new FtpClient(uri.Host, userInfo[0], userInfo[1]);
    client.EncryptionMode = FtpEncryptionMode.Explicit;   // AUTH TLS on the control connection
    client.SslProtocols = SslProtocols.Tls;               // note: this value restricts the client to TLS 1.0
    client.ValidateCertificate += new FtpSslValidation(OnValidateCertificate);
    client.Connect();

    // Local function: FluentFTP calls it with the server certificate during the TLS handshake.
    void OnValidateCertificate(FtpClient control, FtpSslValidationEventArgs e) {
        var cert2 = new X509Certificate2(e.Certificate);
        e.Accept = cert2.Verify();
    }
    return client;
}

As library I use FluentFTP. I wonder if the method X509Certificate2.Verify() is enough to prevent security issues.

What exactly does X509Certificate2.Verify() do? The referenced documentation is very short on information.

Will it fail in a man-in-the-middle attack?

Recommended answer

The documentation got updated 3 months ago and now answers the question.

Method 1: Connect if the SSL certificate has no errors.

client.ValidateCertificate += new FtpSslValidation(delegate (FtpClient c, FtpSslValidationEventArgs e) {
    // PolicyErrors is what SslStream reported: chain errors, name mismatch, or no certificate at all.
    if (e.PolicyErrors != System.Net.Security.SslPolicyErrors.None) {
        e.Accept = false;
    } else {
        e.Accept = true;
    }
});

Method 2: Connect if the certificate matches a whitelisted certificate.

First you must discover the string of the valid certificate. Use this code to save the valid certificate string to a file:

client.ValidateCertificate += new FtpSslValidation(delegate (FtpClient c, FtpSslValidationEventArgs e) {
    // Run once to record the raw certificate data as a hex string, then remove this handler.
    File.WriteAllText(@"C:\cert.txt", e.Certificate.GetRawCertDataString());
});

Then finally use this code to check if the received certificate matches the one you trust:

string ValidCert = "<insert contents of cert.txt>";
client.ValidateCertificate += new FtpSslValidation(delegate (FtpClient c, FtpSslValidationEventArgs e) {
    if (e.PolicyErrors == SslPolicyErrors.None || e.Certificate.GetRawCertDataString() == ValidCert) {
        e.Accept = true;
    } else {
        throw new Exception("Invalid certificate : " + e.PolicyErrors);
    }
});
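The question asks whether X509Certificate2.Verify() alone stops a man-in-the-middle; the following callback, added here as an illustration and not part of the original question or answer, combines what the two methods above check separately: it requires Verify() to succeed, requires SslStream's PolicyErrors (which is what adds the host-name check Verify() lacks) to be clean, and additionally pins a SHA-256 fingerprint of the certificate. The PinnedSha256 constant is a placeholder to be filled from the certificate you trust; the FluentFTP types are the ones already used on this page.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using FluentFTP;

static class FtpsCertificateCheck
{
    // Placeholder (constructed): the SHA-256 fingerprint, as hex, of the server certificate you
    // trust. Record it out of band, not from a connection you are trying to verify.
    const string PinnedSha256 = "<SHA-256 fingerprint of the trusted certificate>";

    // Decide whether to accept the server certificate presented during AUTH TLS.
    // Returns true only when every check passes, so a failure anywhere rejects the connection.
    public static bool IsTrusted(X509Certificate certificate, SslPolicyErrors policyErrors)
    {
        if (certificate == null) return false;
        var cert2 = new X509Certificate2(certificate);

        // X509Certificate2.Verify() builds a chain to a trusted root under the default chain
        // policy, but it never checks that the certificate was issued for the host you dialled.
        if (!cert2.Verify()) return false;

        // PolicyErrors comes from SslStream and adds what Verify() lacks: RemoteCertificateNameMismatch
        // when the subject/SAN does not cover the host name, plus chain and not-available errors.
        if (policyErrors != SslPolicyErrors.None) return false;

        // Pinning: compare a SHA-256 fingerprint of the DER bytes instead of the full raw data
        // string used in method 2; a rogue but otherwise valid certificate for the name is rejected.
        string fingerprint;
        using (var sha256 = SHA256.Create())
        {
            fingerprint = BitConverter.ToString(sha256.ComputeHash(cert2.RawData)).Replace("-", "");
        }
        return string.Equals(fingerprint, PinnedSha256, StringComparison.OrdinalIgnoreCase);
    }

    // Wire the check into a FluentFTP client the same way the answer does.
    public static void Attach(FtpClient client)
    {
        client.ValidateCertificate += new FtpSslValidation((FtpClient c, FtpSslValidationEventArgs e) =>
        {
            e.Accept = IsTrusted(e.Certificate, e.PolicyErrors);
        });
    }
}
```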

