2015-08-24 35 views
11

I am trying to create a test client/server connection using the code below, and it fails with "AuthenticateAsServer: the remote certificate is invalid according to the validation procedure":

using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading;

class Program
{
    // Not shown in the question; assumed values so the sample compiles
    private const int Port = 4433;                 // any free local port
    private const string CertsPath = @"C:\certs";  // folder holding test.cer / test.pfx

    static void Main(string[] args)
    {
        var listenerThread = new Thread(ListenerThreadEntry);
        listenerThread.Start();

        Thread.Sleep(TimeSpan.FromSeconds(1)); // give the listener time to start

        var socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
        socket.Connect("localhost", Port);

        var rawStream = new NetworkStream(socket);
        // Client side: VerifyServerCertificate accepts whatever the server presents
        var stream = new SslStream(rawStream, false, VerifyServerCertificate);
        var certificate = new X509Certificate(Path.Combine(CertsPath, "test.cer"));
        var certificates = new X509CertificateCollection(new[] { certificate });
        stream.AuthenticateAsClient("localhost", certificates, SslProtocols.Tls, false);

        Thread.Sleep(TimeSpan.FromSeconds(1));
    }

    private static bool VerifyServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        return true;
    }

    static void ListenerThreadEntry()
    {
        var listener = new TcpListener(IPAddress.Any, Port);
        listener.Start();

        var client = listener.AcceptTcpClient();
        var serverCertificate = new X509Certificate2(Path.Combine(CertsPath, "test.pfx"));
        // Server side: no validation callback is supplied, so the client
        // certificate is checked against the default trust rules
        var sslStream = new SslStream(client.GetStream(), false);
        // clientCertificateRequired = true, checkCertificateRevocation = false
        sslStream.AuthenticateAsServer(serverCertificate, true, SslProtocols.Tls, false);

        Thread.Sleep(TimeSpan.FromSeconds(10));
    }
}

and I get the error message "The remote certificate is invalid according to the validation procedure" in the AuthenticateAsServer method. The certificate was created and saved to files with the following commands:

makecert.exe -r -pe -n "CN=localhost" -a sha1 -sky exchange -sv test.pvk test.cer 
pvk2pfx -pvk test.pvk -spc test.cer -pfx test.pfx 

What am I missing?

Answers

2

I can't see anywhere in your process where you add trust to the certificate you use for authentication. Passing false as parameter 4 to AuthenticateAsServer() only skips the revocation check, not the trust check.

So you have the following options to make it work:

  • Don't generate the certificate yourself but have it issued by a certificate authority that Windows trusts by default. This costs some money, but there are some cheap CAs; it doesn't need to be a Thawte certificate.
  • Add trust by importing the certificate into the personal certificate list
  • If you have already created a self-signed CA certificate that has been added to the trusted root certificate list (which is common in companies or organisations), sign it with that CA certificate
  • Don't validate signed certificates at all (but you probably don't want that)
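The answer above explains that the fourth parameter only disables revocation checking, and that the question's VerifyServerCertificate callback disables validation entirely by returning true. An alternative for a test setup, added here as an example (not code from the question or the answers), is a callback that accepts exactly one expected test certificate by thumbprint and still rejects name mismatches and any chain error other than the untrusted self-signed root; the thumbprint constant is a placeholder to fill in from your own test.cer.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: trust exactly one known test certificate instead of everything.
// Works on both sides: pass it as the RemoteCertificateValidationCallback of the
// client SslStream, and of the server SslStream when clientCertificateRequired is true.
static class TestCertificateValidation
{
    // Placeholder: replace with the thumbprint of your own test.cer
    // (e.g. new X509Certificate2(@"C:\certs\test.cer").Thumbprint).
    private const string ExpectedThumbprint = "<THUMBPRINT OF test.cer>";

    public static bool AcceptOnlyExpectedTestCert(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null)
        {
            Console.Error.WriteLine("no remote certificate presented");
            return false;
        }

        // A host name mismatch is never acceptable, even for the pinned test certificate.
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
        {
            Console.Error.WriteLine("certificate name does not match the host");
            return false;
        }

        // A self-signed test certificate legitimately produces UntrustedRoot;
        // any other chain status (expired, wrong key usage, ...) is reported and rejected.
        if (chain != null)
        {
            foreach (var status in chain.ChainStatus)
            {
                if (status.Status != X509ChainStatusFlags.NoError &&
                    status.Status != X509ChainStatusFlags.UntrustedRoot)
                {
                    Console.Error.WriteLine("chain error: " + status.StatusInformation.Trim());
                    return false;
                }
            }
        }

        // Finally, pin to the one certificate this test setup expects.
        var presented = new X509Certificate2(certificate).Thumbprint;
        bool ok = string.Equals(presented, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase);
        if (!ok) Console.Error.WriteLine("unexpected certificate thumbprint " + presented);
        return ok;
    }
}
```

To use it in the question's code, pass TestCertificateValidation.AcceptOnlyExpectedTestCert as the third constructor argument of both SslStream instances; the server will then accept only the pinned client certificate rather than failing on the untrusted root.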
3

Check these steps; it seems to work:

1) First save the certificate in a file
2) Run MMC
3) Open the Certificate Manager (certmgr.msc in C:\Windows\System32)
4) You will see it opens 'Certificates - Current User'
5) In the menu, choose File, Add/Remove Snap-In
6) Now press Add, select 'Certificates' and select 'Computer Account'
7) Select the Local Computer
8) Now you have two snap-ins:
9) Certificates - Current User
10) Certificates (Local Computer)
11) Now import the certificate in "Certificates (Local Computer)\Trusted Root Certificates\Certificates"
+0

Do I have to add it to the global certificate store? – user626528
