How to validate a self-signed certificate

Views: 421
This article covers how to validate a self-signed certificate; it should be a useful reference for anyone dealing with the same problem.

Problem description



I will provide you with my question clearly so you can answer me

I have a client-server (socket) connection that I secured using SslStream, and as I know, using SSL makes me sure that my client will only connect to my server

And to do that I must add a function to my client to validate the server certification and make sure that the server is the real one (my server)

But I really don't get how I could validate my self-signed certification and want your help

Regards, and my thanks in advance

Solution

Imagine if the certificate were not self-signed - it is signed by a trusted certificate authority. The reason it works is because your client device - Windows, Mac, Linux, iPhone, Android device - already has the certificates of all the well-known certificate authorities. The operating system does the work for you when you make the connection. It ensures that the certificate sent to the client during the connection is signed by a well-known certificate authority. The only reason this works, though, is because the client already has the certificates for all the well-known certificate authorities.

If you choose to use a self-signed certificate - or a certificate signed by a self-signed certificate authority - you have to do the work, instead of the operating system. However - the task is basically the same - you need to verify that the certificate sent to the client during the connection matches what is expected. And you will need to use the same strategy that signed certificates use - your client has to have the expected certificate (or certificate chain) pre-installed.

Somehow, some way, you need to ensure that your client already has the self-signed certificate. Specifically, all the public information in the certificate. The client will not have the private key - since that is ... private. Then you can add code to your app to verify that the hash of the certificate sent during the connection matches the hash of the certificate that was pre-installed.

I noticed you have asked a similar question before and you may know all this already. Here is one additional point:

As long as you keep the private key of your self-signed certificate absolutely secure, there is no way anyone can fake your self signed certificate. It just cannot be done. If someone tries, they will have to generate a new private key which won't match yours - because they do not know your private key because you kept it secure.

Then everything breaks down. If they have a different private key, they will need a different public key. This means they will have a different certificate hash. And your app already knows the correct public key and hash (as described above), so when they try to come in with their bad public key and hash, your app will reject the connection. This is the part that you have to do in your application.

If they attempt to use your public key and hash but with a different private key, SSL will not allow them to make the connection.
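The check the answer describes, as an added example written for this page (it is not code from the original question or answer): an SslStream client that accepts only the one self-signed server certificate it was shipped with, by comparing the SHA-256 hash of the certificate the server presents against a hash pinned into the client. The host name, port and the pinned hex string are constructed placeholders, and the code assumes .NET 5 or later for `Convert.FromHexString`.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the original post. The client trusts exactly one
// server certificate: the one whose SHA-256 hash (over the DER encoding) is
// compiled in below. That value is produced once, at build or install time,
// from the public certificate file, for instance with:
//   openssl x509 -in server.crt -outform DER | openssl dgst -sha256
// The hex string here is a constructed placeholder, not a real fingerprint.
static class PinnedSslClient
{
    private const string PinnedSha256Hex =
        "0000000000000000000000000000000000000000000000000000000000000000";

    // Hash the certificate exactly as the server sent it (its DER bytes).
    public static byte[] CertificateHash(X509Certificate certificate)
    {
        using var sha256 = SHA256.Create();
        return sha256.ComputeHash(certificate.GetRawCertData());
    }

    // RemoteCertificateValidationCallback: returns true only when the presented
    // certificate is byte-for-byte the pinned one. A self-signed certificate
    // always produces chain errors in sslPolicyErrors, so that flag is not the
    // deciding input here; the pin comparison is the check the answer describes.
    public static bool ValidateServerCertificate(object sender, X509Certificate? certificate,
        X509Chain? chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate is null)
            return false;

        byte[] expected = Convert.FromHexString(PinnedSha256Hex);
        byte[] actual = CertificateHash(certificate);

        // Constant-time comparison so a mismatch does not leak how many leading
        // bytes happened to agree.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    static void Main(string[] args)
    {
        // Host and port are assumptions for the example.
        string host = args.Length > 0 ? args[0] : "server.example.invalid";
        const int port = 8443;

        using var client = new TcpClient(host, port);
        using var ssl = new SslStream(client.GetStream(),
            leaveInnerStreamOpen: false,
            userCertificateValidationCallback: ValidateServerCertificate);
        try
        {
            // targetHost is sent as SNI; with a self-signed certificate the pin,
            // not the name, is what establishes trust.
            ssl.AuthenticateAsClient(host);
            Console.WriteLine($"Connected: server presented the pinned certificate ({ssl.SslProtocol}).");
        }
        catch (AuthenticationException ex)
        {
            // The callback returned false: the peer is not the expected server.
            Console.WriteLine($"Rejected: {ex.Message}");
        }
    }
}
```

Because the comparison covers the whole certificate, renewing the server certificate changes the hash and requires shipping a new pin to every client; if that is a concern, pinning the hash of the certificate's SubjectPublicKeyInfo instead lets the certificate be reissued for the same key pair without a client update.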

This concludes the article on how to validate a self-signed certificate; we hope the answer above is helpful, and thank you for supporting IT屋!
