如何验证LDAP + SSL连接的服务器SSL证书 [英] How to validate server SSL certificate for LDAP+SSL connection
问题描述
我们的应用程序可与Active Directory用户和组一起使用.我们正在端口389上使用LDAP进行Active Directory操作.现在,我们的一位客户希望我们添加使用LDAP + SSL进行Active Directory通信的选项.
他们告诉我们,他们的域上安装了本地CA,并对LDAPS使用自签名证书.他们还告诉我们,他们将提供证书,不需要相互信任,我们应该使用Windows证书存储.
我已经开发了一个用于LDAP + SSL操作的测试应用程序,并且看到服务器在客户端启动LDAP + SSL连接时发送其证书.我只能通过从服务器证书验证方法返回true来建立连接.
问题是; -客户应该给我们哪个证书(根,用于LDAP + SSL的证书...)?
在.Net环境中工作的证书的格式应该是什么?
连接服务器时应如何验证服务器的证书?
我们应该使用Windows证书存储区"是什么意思?他们是否要我们将服务器的证书自动添加到本地计算机的受信任证书存储中?
我用于LDAP + SSL连接的示例代码,
LdapConnection _connection = new LdapConnection(new LdapDirectoryIdentifier(m_DomainName, m_PortNo));
_connection.Timeout = TimeSpan.FromMinutes(10);
_connection.AuthType = AuthType.Basic;
_connection.Credential = new NetworkCredential(m_UserName, m_Password);
_connection.SessionOptions.ProtocolVersion = 3;
_connection.SessionOptions.SecureSocketLayer = true;
_connection.SessionOptions.VerifyServerCertificate = (ldapCon, serverCertificate) =>
{
//TODO: Verify server certificate
return true;
};
_connection.SessionOptions.QueryClientCertificate = (con, trustedCAs) => null;
_connection.Bind();
客户应该给我们哪个证书(根,用于LDAP + SSL的证书...)?
签署LDAP服务器证书的根证书.他们还可以提前给您整个链,但是无论如何将在TLS握手期间发送.您只需要事先拥有根证书即可. 在.Net环境中使用的证书的格式应该是什么? 您可以导入certmgr.msc的所有内容. Pfx是Windows上的常见选择. 连接服务器时应如何验证服务器的证书? 您不应该自己编写验证.证书验证是一项艰巨的任务,已经为您完成.使用内置的东西(另请参见下文). 我们应该使用Windows证书存储区"是什么意思?他们是否要我们将服务器的证书自动添加到本地计算机的受信任证书存储中? 是的.他们向您发送用于签署ldap服务器证书的根证书,然后您可以将其导入为受信任的根.完成此操作后,您无需进行任何手动验证,它将与有效的证书一起使用:),而不对无效的证书起作用. 请注意,一旦将其根证书添加为受信任的证书,他们就可以为安装了其根的客户端伪造任何服务器证书,并且他们签名的任何内容都将在该客户端上视为有效. 奖金:添加半自定义验证和调试证书错误 您可能会遇到的一个问题是错误消息不是很有帮助.如果无法验证证书,您将收到一条非常普通的错误消息,其中没有关于实际问题的提示.您可能还会出于其他原因而参与验证过程. 为此,您可以定义自己的验证: 然后将其添加到ldap连接: 这样,您可以捕获 您可以在此方法中实现的另一件事是证书固定,以提高安全性,但这超出了此答案的范围. Our application works with Active Directory users and groups. We are using LDAP on port 389 for Active Directory operations. Now, one of our clients want us add an option for using LDAP + SSL for Active Directory communication. They told us that they have a local CA installed on their domain and using self signed certificate for LDAPS. They also told us that they will provide the certificate, no mutual-trust needed and we should use Windows certificate store. I have developed a test application for LDAP+SSL operations and saw that server sends its certificate when a client initiates an LDAP+SSL connection. I can establish the connection only by returning true from the server certificate verification method. The questions are;
- Which certificate (root, the ceritificate used for LDAP+SSL...) should the customer give us? What should be the format of the certificate for working on .Net environment? How should I verify the server's certificate when connecting the server? What they mean by "we should use Windows certificate store"? Do they want us add the server's certificate automatically to trusted certificate store of the local machine? Sample code I used for LDAP+SSL connection,
Which certificate (root, the ceritificate used for LDAP+SSL...) should the customer give us? The root certificate that signed the LDAP server cert. They can also give you the whole chain in advance, but that will be sent during TLS handshake anyway. You only need to have the root cert in advance. What should be the format of the certificate for working on .Net environment? Anything that you can import into certmgr.msc. Pfx is the usual choice on Windows. How should I verify the server's certificate when connecting the server? You should not write validation yourself. Certificate validation is tricky business, and it's already done for you. Use the built-in stuff (also see below). What they mean by "we should use Windows certificate store"? Do they want us add the server's certificate automatically to trusted certificate store of the local machine? Yes. They send you the root cert they used for signing the ldap server cert, which you can then import as a trusted root. Once this is done, you don't need to do any manual validation, it will just work™ :) with valid certificates and will not work with invalid ones. Note that once you add their root cert as trusted, they can forge any server certificate for the client their root is installed on, and anything they sign will be considered valid on that client. Bonus: adding semi-custom validation and debugging certificate errors One problem that you may face is that error messages are not very helpful. If the certificate cannot be validated, you will get a very generic error message that has no hint about the actual problem. You may want to hook into the validation process for other reasons too. For this purpose, you can define your own validation: And then add it to the ldap connection: This way you can catch exceptions on Another thing you could implement in this method is certificate pinning for additional security, but that's beyond the scope of this answer. 这篇关于如何验证LDAP + SSL连接的服务器SSL证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!private bool VerifyServerCertificate(LdapConnection ldapConnection, X509Certificate certificate)
{
X509Certificate2 certificate2 = new X509Certificate2( certificate );
return certificate2.Verify();
}
_connection.SessionOptions.VerifyServerCertificate =
new VerifyServerCertificateCallback( VerifyServerCertificate );
Verify()等上的异常.但是同样,如果证书有效(可以由客户端验证),则不是严格要求的,它还是会自动完成.仅当您想要某些未实现的东西时才需要它,例如,您可以在VerifyServerCertificate中返回true来接受任何证书,包括无效的证书(这将是 Bad Idea 并建立安全的连接)没有用,但可能对调试很有用.)LdapConnection _connection = new LdapConnection(new LdapDirectoryIdentifier(m_DomainName, m_PortNo));
_connection.Timeout = TimeSpan.FromMinutes(10);
_connection.AuthType = AuthType.Basic;
_connection.Credential = new NetworkCredential(m_UserName, m_Password);
_connection.SessionOptions.ProtocolVersion = 3;
_connection.SessionOptions.SecureSocketLayer = true;
_connection.SessionOptions.VerifyServerCertificate = (ldapCon, serverCertificate) =>
{
//TODO: Verify server certificate
return true;
};
_connection.SessionOptions.QueryClientCertificate = (con, trustedCAs) => null;
_connection.Bind();
private bool VerifyServerCertificate(LdapConnection ldapConnection, X509Certificate certificate)
{
X509Certificate2 certificate2 = new X509Certificate2( certificate );
return certificate2.Verify();
}
_connection.SessionOptions.VerifyServerCertificate =
new VerifyServerCertificateCallback( VerifyServerCertificate );
Verify() etc. But again, if the certificate is valid (can be verified by the client), this is not strictly needed, it's done automatically anyway. You only need this if you want something not implemented, like for example you could just return true in VerifyServerCertificate to accept any cert including the invalid ones (this would be a Bad Idea and makes a secure connection useless, but may be good for debugging, etc).
