Can .NET SslStream AuthenticateAsServer respect client-sent Server Name Indicator?


Question


Client: Visit
1. https://host1.com/
2. https://host2.com/


Server: There are two certificates.
certificates1.pfx CN=host1.com and certificates2.pfx CN=host2.com


Using Wireshark:
Client visits https://host1.com/
1: C --> S SYN
2: C <-- S SYN,ACK
3: C --> S ACK
4: C --> S Client Hello (contains Server Name: host1.com)
... How do I select certificate1 in C#?
5: C <-- S Server Hello, Certificate, Server Hello Done


Client visits https://host2.com/
1: C --> S SYN
2: C <-- S SYN,ACK
3: C --> S ACK
4: C --> S Client Hello (contains Server Name: host2.com)
... How do I select certificate2 in C#?
5: C <-- S Server Hello, Certificate, Server Hello Done

using System.IO;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// clientStream is the accepted client's NetworkStream (TcpClient.GetStream()).
void HandleClient(Stream clientStream)
{
  SslStream sslStream = new SslStream(
    clientStream,
    false,
    new RemoteCertificateValidationCallback(ValidateServerCertificate),
    new LocalCertificateSelectionCallback(SelectLocalCertificate)
  );

  X509Certificate2 certificate = new X509Certificate2("certificates1.pfx");

  sslStream.AuthenticateAsServer(certificate, false, SslProtocols.Tls | SslProtocols.Ssl3 | SslProtocols.Ssl2, true);
}

private X509Certificate SelectLocalCertificate(object sender, string targetHost, X509CertificateCollection localCertificates, X509Certificate remoteCertificate, string[] acceptableIssuers)
{
  //In Debug, targetHost is empty string and remoteCertificate=null
  //I can't return right Certificates
  return null;
}
private bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    return true;
}

Answer


It is not possible to select a certificate using a LocalCertificateSelectionCallback delegate with SslStream acting as a server. You can specify only one certificate in this case, as the first parameter for the AuthenticateAsServer method.

The documentation for SslStream Class on MSDN also mentions the usage of the LocalCertificateSelectionCallback delegate on the client:


If the server requires client authentication, the client must specify one or more certificates for authentication. If the client has more than one certificate, the client can provide a LocalCertificateSelectionCallback delegate to select the correct certificate for the server.


And finally you can check this question that seems to be related with your issue: "Does SslStream use LocalCertificateSelectionCallback when acting as a server?"
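Added example, not code from the question or the answer: the answer above describes .NET Framework, where SslStream takes a single server certificate. On .NET Core 2.1 and later, SslStream.AuthenticateAsServerAsync accepts SslServerAuthenticationOptions whose ServerCertificateSelectionCallback is invoked with the host name from the ClientHello's SNI extension, so the per-host selection the question asks for is possible there. File names follow the question; the PFX passwords, the host-to-certificate map and the fallback choice are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;

static class SniServer
{
    // Certificates keyed by the host name the client is expected to send in SNI.
    // PFX file names follow the question; the passwords are placeholders (assumption).
    static readonly Dictionary<string, X509Certificate2> Certs =
        new Dictionary<string, X509Certificate2>(StringComparer.OrdinalIgnoreCase)
        {
            ["host1.com"] = new X509Certificate2("certificate1.pfx", "PFX_PASSWORD_1"),
            ["host2.com"] = new X509Certificate2("certificate2.pfx", "PFX_PASSWORD_2"),
        };

    // SslStream calls this after parsing the ClientHello. hostName is the SNI
    // server_name value, or null when the client sent no SNI extension.
    static X509Certificate SelectServerCertificate(object sender, string hostName)
    {
        if (hostName != null && Certs.TryGetValue(hostName, out var cert))
            return cert;
        // Unknown or missing SNI: fall back to host1.com (assumption, mirroring
        // the single-certificate code in the question). Returning null here
        // would make the handshake fail instead.
        return Certs["host1.com"];
    }

    public static async Task HandleClientAsync(TcpClient client)
    {
        using (client)
        using (var ssl = new SslStream(client.GetStream(), false))
        {
            var options = new SslServerAuthenticationOptions
            {
                ServerCertificateSelectionCallback = SelectServerCertificate,
                ClientCertificateRequired = false,
                // Only current protocol versions; the question's Ssl2/Ssl3 are obsolete.
                EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,
                CertificateRevocationCheckMode = X509RevocationMode.NoCheck,
            };
            await ssl.AuthenticateAsServerAsync(options, CancellationToken.None);
            // ssl now uses the certificate chosen for the client's SNI;
            // application data is read from and written to ssl here.
        }
    }
}
```

Wireshark will show the Certificate message in step 5 carrying whichever certificate the callback returned for the Server Name seen in step 4.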
