HttpListener - Specifying the list of acceptable client certificate CA names


Problem description

Background:

I'm using the System.Net.HttpListener with client certificate authentication (HttpListener.Request.System.Net.HttpListenerRequest.GetClientCertificate()). The client must provide a specific client certificate to be authenticated. In the SSL handshake I can see that the server sends a list of all potential client certificate CA names to the client; it is most likely all the names of the certificates stored in the "Trusted Root Certification Authorities" storage on the server. This could be confusing to the client since it is only one certificate issued by one specific CA that is accepted by my server.

Question:

Is it somehow possible to specify the list of acceptable client certificate CA names sent to the client, i.e. some configuration of the C# HttpListener? I only want the name of the CA that has issued my specific client certificate.

Recommended answer

The client certificate is negotiated before the client sends the HTTP request, isn't it? So if there are multiple HttpListener objects listening for requests at different path prefixes of the same host:port, then it is not possible to configure a separate list of client certificate CA names for each, no matter how Microsoft implemented it.

The feature is therefore not likely to be available at the HttpListener level. It should be configured at the web-site level instead. Perhaps it can be done with "netsh http add sslcert sslctlidentifier=<string>" somehow.
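
Added example, not part of the original question or answer: to check which CA names a server actually advertises, for instance before and after changing the binding, the certificate_authorities field can be read out of a captured CertificateRequest. The code assumes the TLS 1.2 message layout and a plaintext handshake message already extracted from the record layer; the sample request is constructed, and all function names are hypothetical.

```python
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}  # DER OID -> name

def der_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def dn_to_str(der):
    """Render a DER Name; only the first attribute of each RDN is shown."""
    _, rdns, _ = der_tlv(der, 0)
    parts, pos = [], 0
    while pos < len(rdns):
        _, rdn_set, pos = der_tlv(rdns, pos)
        _, atv, _ = der_tlv(rdn_set, 0)
        _, oid, p = der_tlv(atv, 0)
        _, val, _ = der_tlv(atv, p)
        parts.append(f"{OIDS.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ",".join(parts)

def ca_names(handshake):
    """Return certificate_authorities from a TLS 1.2 CertificateRequest."""
    if handshake[0] != 13:  # HandshakeType certificate_request
        raise ValueError("not a CertificateRequest")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 1 + body[0]                                    # skip certificate_types
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # skip signature algorithms
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    names = []
    while pos < end:  # each entry: 2-byte length, then a DER-encoded Name
        n = int.from_bytes(body[pos:pos + 2], "big")
        names.append(dn_to_str(body[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return names

# Constructed sample (not a capture): builds a request naming the given CAs.
def _tlv(tag, val):
    return bytes([tag, len(val)]) + val

def sample_request(cns):
    cn_oid = _tlv(0x06, b"\x55\x04\x03")
    dns = [_tlv(0x30, _tlv(0x31, _tlv(0x30, cn_oid + _tlv(0x0C, c.encode())))) for c in cns]
    cas = b"".join(len(d).to_bytes(2, "big") + d for d in dns)
    body = b"\x01\x01\x00\x02\x04\x01" + len(cas).to_bytes(2, "big") + cas
    return b"\x0d" + len(body).to_bytes(3, "big") + body
```

A server restricted to a single issuer should yield a one-element list from `ca_names`; a long list means the whole trusted-root store is still being advertised.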

