We are attempting to perform basic SSL authentication against a web service using a Visual Studio 2008 / .NET 3.5 "Service Reference" object generated from the WSDL. We have tried three approaches: 1) setting a client certificate (to match the certificate the server supplies), 2) setting up a store holding the server-supplied certificate, and 3) using a custom service-certificate validator.
The .NET exception (detailed below) is identical for all three approaches: "Could not establish trust relationship with authority 'ABC.DEF.com'."
The Ethereal capture is also identical for all three approaches and shows a correct client and server handshake for the SSL version of the certificate the server supplies. That is, we can see all the basic messages described here (http://en.wikipedia.org/wiki/Transport_Layer_Security#Simple_TLS_handshake):
Client --> Server: ClientHello
Server --> Client: ServerHello, Certificate, ServerHelloDone
Client --> Server: ClientKeyExchange, ChangeCipherSpec, Encrypted Handshake Message
Server --> Client: ChangeCipherSpec, Encrypted Handshake Message
Immediately after receiving the last message (presumably the SSL MAC message), the client closes the connection (TCP FIN/ACK).
1) Attempted to set the client credentials to the server-supplied certificate (expecting the X509 library to use it to validate what the server presents during SSL negotiation, but understanding that this most likely means the certificate is only offered from the client to the server during client-certificate negotiation):

X509Certificate2 _cert = new X509Certificate2(@"\\SomePath\...\ServerSuppliedCert.cer"); // verbatim string: the path contains backslashes
getPrequalInfo_v1 _getInfo = new getPrequalInfo_v1(); // WEB SERVICE-SPECIFIC
_getInfo.arg0 = GetRequestArgs(); // WEB SERVICE-SPECIFIC
PreQualBeanClient _preq = new PreQualBeanClient(); // WEB SERVICE-SPECIFIC
_preq.ClientCredentials.ClientCertificate.Certificate = _cert;
getPrequalInfo_v1Response _resp = new getPrequalInfo_v1Response(); // WEB SERVICE-SPECIFIC
_resp = _preq.getPrequalInfo_v1(_getInfo); // << EXCEPTION RAISED HERE, // WEB SERVICE-SPECIFIC

2) Attempted to create a store for the apparent purpose of validating the service certificate (again, possibly a completely wrong approach):

X509Certificate2Collection _collection = new X509Certificate2Collection();
X509Store _store = new X509Store(StoreLocation.CurrentUser); // defaults to the CurrentUser\My (personal) store
_store.Open(OpenFlags.ReadWrite); // Add/AddRange fails on a store opened ReadOnly
X509Certificate2 _cert = new X509Certificate2(@"\\SomePath\...\ServerSuppliedCert.cer");
_collection.Add(_cert);
_store.AddRange(_collection);
_store.Close();
getPrequalInfo_v1 _getInfo = new getPrequalInfo_v1(); // WEB SERVICE-SPECIFIC
_getInfo.arg0 = GetRequestArgs(); // WEB SERVICE-SPECIFIC
PreQualBeanClient _preq = new PreQualBeanClient(); // WEB SERVICE-SPECIFIC
_preq.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode
= System.ServiceModel.Security.X509CertificateValidationMode.PeerOrChainTrust;
_preq.ClientCredentials.ServiceCertificate.Authentication.TrustedStoreLocation = _store.Location;
getPrequalInfo_v1Response _resp = new getPrequalInfo_v1Response(); // WEB SERVICE-SPECIFIC
_resp = _preq.getPrequalInfo_v1(_getInfo); // << EXCEPTION RAISED HERE, // WEB SERVICE-SPECIFIC

3) Here we attempted to create a custom certificate validator. Note that in this case the MyX509CertificateValidator.Validate method does not appear to be called at all:

getPrequalInfo_v1 _getInfo = new getPrequalInfo_v1(); // WEB SERVICE-SPECIFIC
_getInfo.arg0 = GetRequestArgs(); // WEB SERVICE-SPECIFIC
PreQualBeanClient _preq = new PreQualBeanClient(); // WEB SERVICE-SPECIFIC
_preq.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode
= System.ServiceModel.Security.X509CertificateValidationMode.Custom;
_preq.ClientCredentials.ServiceCertificate.Authentication.CustomCertificateValidator
= new MyX509CertificateValidator("Name");
getPrequalInfo_v1Response _resp = new getPrequalInfo_v1Response(); // WEB SERVICE-SPECIFIC
_resp = _preq.getPrequalInfo_v1(_getInfo); // << EXCEPTION RAISED HERE, // WEB SERVICE-SPECIFIC

We have the following relevant section of the WSDL:

<soap:address location='https://ABC.DEF.com/.../PreQualBean'/>

The .NET exception, common to the three approaches described:

System.ServiceModel.Security.SecurityNegotiationException was unhandled
Message="Could not establish trust relationship with authority 'ABC.DEF.com'."
Source="mscorlib"
StackTrace:
Server stack trace: at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason) at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout) at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)...
with inner exception InnerException: System.Security.Authentication.AuthenticationException
Message="The remote certificate is invalid according to the validation procedure." Source="System" StackTrace: at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)...
Posted on 2009-11-25 09:38:07
It appears the client does not trust the CA that signed the server certificate (or one of the certificates in the chain, if it was signed by an intermediate CA). You could try adding the signer of the server certificate to the client's trust store.
You can also obtain more details about the problem, or ignore it, by doing the following:

using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

ServicePointManager.ServerCertificateValidationCallback += ValidateServerCertificate;
...
public static bool ValidateServerCertificate(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
// Here you can display the sslPolicyErrors and/or go through the chain to see which certificate(s) is(are) causing the problem.
// Note: returning true accepts every server certificate, i.e. server-certificate validation is effectively disabled.
return true; // returning true here will probably "fix" your client side problem
}

https://stackoverflow.com/questions/1794071
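An added example, not code from the question or the answer above: the same ServicePointManager hook the answer uses, but written to accept only the certificate the server was supposed to supply (what the question's approaches 2 and 3 were reaching for), and to log why the default validation failed before deciding. It also carries the answer's first suggestion, installing the supplied certificate into the current user's Root store, as a separate method. The HTTPS transport under a WCF client on .NET 3.5 is validated by System.Net through this callback rather than through ClientCredentials.ServiceCertificate, which is consistent with the question's observation that MyX509CertificateValidator.Validate was never reached. The class and method names and the path to the .cer file are assumptions.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not part of the original question or answer.
// Accepts the HTTPS server certificate only if it is exactly the certificate
// supplied out of band (ServerSuppliedCert.cer) and logs why the default
// validation failed. Class/method names and the file path are assumptions.
public static class PinnedServerCertificate
{
    // Thumbprint (SHA-1 hex, as X509Certificate2.Thumbprint reports it) of the
    // certificate we were given; filled in by Install().
    private static string _expectedThumbprint;

    // cerPath: path to the server-supplied .cer file, e.g. @"C:\certs\ServerSuppliedCert.cer" (assumed).
    public static void Install(string cerPath)
    {
        if (!File.Exists(cerPath))
            throw new FileNotFoundException("Server certificate file not found", cerPath);

        _expectedThumbprint = new X509Certificate2(cerPath).Thumbprint;

        // Hook the System.Net callback; this is the validation point used for
        // the HTTPS transport underneath a WCF client on .NET 3.5.
        ServicePointManager.ServerCertificateValidationCallback += ValidateServerCertificate;
    }

    public static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Default validation passed (chain trusted, host name matches): accept.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // Diagnostics: the reported policy errors and the status of each chain
        // element, e.g. UntrustedRoot on the last element when the CA is not installed.
        Console.Error.WriteLine("SSL policy errors: {0}", sslPolicyErrors);
        if (chain != null)
        {
            foreach (X509ChainElement element in chain.ChainElements)
            {
                foreach (X509ChainStatus status in element.ChainElementStatus)
                {
                    Console.Error.WriteLine("  {0}: {1} ({2})",
                        element.Certificate.Subject, status.Status, status.StatusInformation);
                }
            }
        }

        // The certificate was issued for a host other than the one in the WSDL
        // address; pinning does not repair that, so reject.
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            return false;

        if (certificate == null || _expectedThumbprint == null)
            return false;

        // Chain errors only: accept if the presented leaf is exactly the
        // certificate we were given, and nothing else.
        string presented = new X509Certificate2(certificate).Thumbprint;
        bool matches = string.Equals(presented, _expectedThumbprint, StringComparison.OrdinalIgnoreCase);
        if (!matches)
            Console.Error.WriteLine("Presented thumbprint {0} does not match the pinned certificate.", presented);
        return matches;
    }

    // The answer's first suggestion: install the server-supplied certificate
    // (or its issuing CA certificate, if you have that file) into the current
    // user's Root store so the default validation succeeds and no callback is
    // needed. Windows shows a confirmation prompt before a root is added this way.
    public static void AddToCurrentUserRoot(string cerPath)
    {
        X509Store store = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite); // the question's store was opened ReadOnly, which cannot be added to
        try
        {
            store.Add(new X509Certificate2(cerPath));
        }
        finally
        {
            store.Close();
        }
    }
}
```

Call PinnedServerCertificate.Install(...) once before constructing PreQualBeanClient. The callback is process-wide, so if only one host should be pinned, inspect the sender parameter (the HttpWebRequest for System.Net calls) and fall through to the default result for other hosts. Prefer AddToCurrentUserRoot with the issuing CA's certificate where that file is available; pinning the leaf certificate means the client stops working when the server's certificate is renewed.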