如何指定用于.NET SslStream客户端身份验证证书的认可 [英] How to specify accepted certificates for Client Authentication in .NET SslStream

问题描述

我在尝试使用.NET System.Security.SslStream类与客户端身份验证过程中的SSL / TLS流的服务器端。

I am attempting to use the .Net System.Security.SslStream class to process the server side of a SSL/TLS stream with client authentication.

要执行握手，我用这code：

To perform the handshake, I am using this code:

SslStream sslStream = new SslStream(innerStream, false, RemoteCertificateValidation, LocalCertificateSelectionCallback);
sslStream.AuthenticateAsServer(serverCertificate, true, SslProtocols.Default, false);

不幸的是，这将导致SslStream传送包含在我的CryptoAPI的受信任的根存储的所有证书的SUBJECTNAMES一个CertificateRequest。

Unfortunately, this results in the SslStream transmitting a CertificateRequest containing the subjectnames of all certificates in my CryptoAPI Trusted Root Store.

我希望能够重写此。这不是我需要用户从受信任的根存储中安装或删除证书的选项。

I would like to be able to override this. It is not an option for me to require the user to install or remove certificates from the Trusted Root Store.

它看起来像SslStream使用SSPI / SecureChannel底下，所以如果有人知道如何做相当于与该API，这将是有帮助的，太。

It looks like the SslStream uses SSPI/SecureChannel underneath, so if anyone knows how to do the equivalent with that API, that would be helpful, too.

任何想法？

推荐答案

它看起来并不像这样使用.NET库，目前可能。

It does not look like this is currently possible using the .NET libraries.

我通过使用单类库实现System.Security.SslStream，它给人以握手期间覆盖服务器性能更好的访问的解决了这个问题。

I solved it by using the Mono class library implementation of System.Security.SslStream, which gives better access to overriding the servers behavior during the handshake.

这篇关于如何指定用于.NET SslStream客户端身份验证证书的认可的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！