调试失败的 HTTPS WebRequest [英] Debugging failing HTTPS WebRequest

问题描述

我正在编写一个小程序，它将使用 HTTPS 和 HttpWebRequest 类向服务器发出 GET 请求.服务器(显然)有一个服务器证书.它还希望客户端提供证书.

I'm writing a small program which will make a GET request to a server using HTTPS and the HttpWebRequest class. The server (obviously) has a server certificate. It also expects the client to provide a certificate.

但是，在提出请求时，我收到 System.Net.WebException，指出无法建立安全的 TLS/SSL 连接.我很快发现服务器的证书无效.假设这是导致异常的原因，我尝试使用以下代码接受无效证书(不幸的是，更新证书不是一种选择):

When making the request, however, I get a System.Net.WebException stating that it wasn't possible to establish a secure TLS/SSL connection. I quickly discovered that the server's certificate wasn't valid. Assuming this was what was causing the exception, I tried to accept the invalid certificate (updating the certificate is, unfortunately, not an option) using the code below:

ServicePointManager.ServerCertificateValidationCallback += delegate {
    return true;
};

然而，这并没有解决问题.

That didn't solve the problem, however.

由于异常没有给出任何细节，所以很难真正确定是什么导致了它.我尝试覆盖无效的服务器证书不起作用吗?我提供的客户端证书是否不受服务器信任?我是否没有以正确的方式加载客户端证书?

Since the exception doesn't give any detail, it's hard to actually determine what is causing it. Is my attempt to override the invalid server certificate not working? Is the client certificate I'm providing not trusted by the server? Am I not loading the client certificate in the proper manner?

我希望获得有关如何调试此类问题的提示.不幸的是，我无权访问服务器或其日志.

I'd love tips on how to debug this sort of problem. I do not have access to the server or its logs, unfortunately.

以下是代码的重要部分:

Below is the important parts of the code:

ServicePointManager.ServerCertificateValidationCallback += delegate {
    return true;
};
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url); // url is an HTTPS URL.
X509Certificate clientCert = new X509Certificate("certificate.crt", "password");
req.ClientCertificates.Add(clientCert);
WebResponse resp = req.GetResponse(); // This fails!

推荐答案

对它进行一些跟踪！在调试这些东西时，跟踪是你最好的朋友.我曾经有一个客户端无法连接到我们启用 SSL 的服务.使用跟踪我发现有人将系统时钟移到我们的证书到期日期之后.但我离题了.

Slap some tracing on it! Traces are your best friend when debugging theese things. I once had one client which couldn't connect to our SSL-enabled service. Using tracing I found that someone had moved the system clock past our certificate expiry date. But I digress.

启用所有适用的跟踪源，并查看日志中是否显示有趣的内容.

Enable all applicable trace sources and see if something interesting show up in the logs.

有一篇旧的(2005 年)但 优秀的帖子，作者 DurgaprasadGorti，你应该检查一下.它会准确地向您显示要添加的源，并且他还会在其中显示一些使用自定义验证回调的 SSL 跟踪.

There's an old (2005) but excellent post by Durgaprasad Gorti that you should check out. It'll show you exactly what sources to add and in it he also shows some SSL traces using a custom validation callback.

来自同一篇博文的示例 app.config:

Example app.config from the very same blog post:

<?xml version="1.0" encoding="UTF-8" ?>
<configuration>
  <system.diagnostics>
    <trace autoflush="true" />
    <sources>
      <source name="System.Net">
        <listeners>
          <add name="MyTraceFile"/>
        </listeners>
      </source>
    </sources>

    <sharedListeners>
      <add
      name="MyTraceFile"
      type="System.Diagnostics.TextWriterTraceListener"
      initializeData="System.Net.trace.log"
    />
    </sharedListeners>

    <switches>
      <add name="System.Net" value="Verbose" />
    </switches>

  </system.diagnostics>
</configuration>

希望能为您提供更多数据.

Hopefully that'll provide you with some more data.

这篇关于调试失败的 HTTPS WebRequest的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！