HttpClient不会在使用.NET Core的Windows上发送客户端证书 [英] HttpClient does not send client certificate on Windows using .NET Core
问题描述
我无法使用HttpClient类在Windows上使用.NET Core发送客户端证书.
I am unable to get the HttpClient class to send a client certificate using .NET Core on Windows.
这是我正在使用的代码:
Here is the code I am using:
X509Certificate2 certificate = new X509Certificate2(@"C:\Repos\selly\client1.pfx", "password");
HttpClientHandler handler = new HttpClientHandler();
handler.ClientCertificateOptions = ClientCertificateOption.Manual;
handler.ServerCertificateCustomValidationCallback = (a,b,c,d) => { return true; };
handler.ClientCertificates.Add(certificate);
HttpClient client = new HttpClient(handler);
var content = new StringContent("");
content.Headers.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue("application/json");
client.PostAsync("https://client2:5002/api/values", content).Wait();
代码在Linux(Ubuntu 16.04)上可以正常工作(显然,证书的路径已更改).在Windows上不起作用.
The code works as expected on Linux (Ubuntu 16.04) (obviously, with the path to the certificate changed). It does not work on Windows.
查看Wireshark中的交换,客户端在Windows(10 v1703)上运行时不会发送证书.
Looking at the exchange in Wireshark, the client does not send the certificate when running on Windows (10 v1703).
我已经使用.NET Framework运行了类似的代码(使用"WebRequestHandler"而不是"HttpClientHandler").正确发送了客户端证书.
I have run similar code using .NET Framework (using 'WebRequestHandler' instead of 'HttpClientHandler'). It correctly sends the client certificate.
我在线上找到了以下内容,但是与此处描述的问题不同,服务器证书回调已执行.我确实自己生成了证书,但是它们都由根CA签名(已在客户端和服务器上安装),并且所有详细信息都是正确的.
I found the following online, but unlike the problem described there, the server certificate callback is executed. I did generate the certificates myself, but they are all signed by a Root CA, (which is installed on both client and server) and all the details are correct.
我还发现了此,这表明客户端证书确实可以在Windows的.NET Core上使用HttpClient.
I also found this, which suggests that client certificates do work with HttpClient on .NET Core on Windows.
我也尝试过明确设置TLS版本,但是问题仍然存在.
I have also tried explicitly setting the TLS version, however the problem persists.
我正在使用Kestrel作为Web服务器.它的配置如下:
I am using Kestrel as the web server. It is configured as follows:
.UseKestrel(options =>
{
var sslOps = new HttpsConnectionFilterOptions();
sslOps.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
sslOps.ClientCertificateValidation = CheckClientCertificateLogic.CheckClientCertificate;
sslOps.ServerCertificate = new X509Certificate2(@"C:\Repos\selly\client2.pfx", "password");
options.UseHttps(sslOps);
})
'ClientCertificateValidation'回调不会对从Windows客户端收到的请求执行;可能是因为它没有收到要检查的证书...
The 'ClientCertificateValidation' callback does not execute on requests received from a Windows client; probably because it hasn't received a certificate for it to check...
这是.NET Core中的错误吗?有解决方法吗?
Is this a bug in .NET Core? Is there a workaround?
推荐答案
不完全确定我重现此问题是否是由于相同的根本原因.但是,我遇到了同样的问题,结果是未发送证书,因为客户端无法对其进行验证.将颁发者证书添加到客户端上证书" MMC管理单元中的受信任的颁发者列表之后,Windows可以验证证书,并且HttpClient开始发送它.如果您具有自签名证书,那么我认为您可以将其添加到受信任的颁发者存储中.在.Net 4.6.1上进行了测试.
Not entirely sure if my reproducing this issue is due to the same root cause. However, I had the same problem and it turns out that the certificate is not sent because the client cannot validate it. After adding the issuer certificate to my trusted issuers list in the "Certificates" MMC snap-in on the client, Windows can validate the certificate and HttpClient starts to send it. If you have a self-signed certificate then I assume that you can add that to the trusted issuers store instead. This was tested on .Net 4.6.1.
The relevant code that is setting the client certificate in WinHTTP is here. When you read code comments for GetEligibleClientCertificate, you see that MS has been planning to add additional filtering of the certificates that removes anything that isn't matched by the trusted issuers list. They simply haven't thought about the use case where you keep your certificate in a file and don't care about the certificate store.
这篇关于HttpClient不会在使用.NET Core的Windows上发送客户端证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
