
Connecting to an HTTPS web service from Azure


I have a Web role in Azure that must connect to an SSL-encrypted external web service. When the application tries to connect to the web service, it gives the error:

Could not establish trust relationship for the SSL/TLS secure channel with authority 'certname.organization.org'.

The certificate it needs has been uploaded to Azure as a service certificate, but for some reason it does not seem to be referencing it or using it correctly.

Any ideas on how to fix this?

4 Answers

  • 0

    It sounds like the service client in Azure is not happy with the SSL certificate of the external service you are calling - do you have control over that service?

    You can test this by ignoring SSL errors from the client in Azure with the following:

    // Accepts every server certificate, process-wide: for testing only.
    ServicePointManager.ServerCertificateValidationCallback =
        (obj, certificate, chain, errors) => true;
    
  • 0

    Ignoring SSL errors is one thing you can do.

    But if it works on your machine, then on your machine open the certificate, go to the Certification Path tab and export every certificate in the path.

    Then add those certificates to the project and add a startup task (a .bat or .cmd file) that adds them to the Trusted Root CAs:

    REM Install certificates.
    certutil -addstore -enterprise -f -v root Startup\Certificates\someROOTca.cer
    certutil -addstore -enterprise -f -v root Startup\Certificates\otherROOTca.cer
    
  • 1

    I added the .cer to the root of my project, selected "Copy always", and used the following command to make Azure connect to a server with a self-signed SSL certificate:

    REM Install certificates.
    certutil -addstore -enterprise -f -v root startsodev.cer
    
  • 1

    I have also seen this problem intermittently. In my case, it turned out that the network connection used to fetch one of the root certificates sometimes timed out. On a later request it would then work again.

    I ended up writing a custom callback that lets the specific certificate I am interested in through despite the error, without affecting validation of any other certificate. Below is my code. As you may have guessed, I am trying to hit the Android Cloud to Device Messaging endpoint and working around the wildcard certificate Google uses, but it should be generalisable. It also includes all the logging I used to diagnose the specific error. Even if you do not want to force a certificate through validation, the logging code can help you decide how to proceed.

    using System;
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;
    using System.Text;

    private static readonly Uri PUSH_URI = new Uri("https://android.apis.google.com/c2dm/send", UriKind.Absolute);

    // 'log' is the class's logger (not shown in the original answer); any logger with an Info(string) method will do.

    /**
    //The following function needs to be wired up in code somewhere else, like this:
    ServicePointManager.ServerCertificateValidationCallback += ValidateDodgyGoogleCertificate;
    **/
    /// <summary>
    /// Validates the SSL server certificate. Note this is process-wide code.
    /// Wrote a custom one because the certificate used for Google's push endpoint is not for the correct domain. Go Google.
    /// </summary>
    /// <param name="sender">either a host name string, or an object derived from WebRequest</param>
    /// <param name="cert">The certificate used to authenticate the remote party.</param>
    /// <param name="chain">The chain of certificate authorities associated with the remote certificate.</param>
    /// <param name="sslPolicyErrors">One or more errors associated with the remote certificate.</param>
    /// <returns>
    /// Returns a boolean value that determines whether the specified
    /// certificate is accepted for authentication; true to accept or false to
    /// reject.
    /// </returns>
    private static bool ValidateDodgyGoogleCertificate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
        {
            // Good certificate.
            return true;
        }

        // Depending on the caller, 'sender' is either the host name or the request itself.
        string hostName = sender as string;
        if (hostName == null)
        {
            WebRequest senderRequest = sender as WebRequest;
            if (senderRequest != null)
            {
                hostName = senderRequest.RequestUri.Host;
            }
        }

        // We want to get past the Google name mismatch, but not allow any other errors.
        if (sslPolicyErrors != SslPolicyErrors.RemoteCertificateNameMismatch)
        {
            StringBuilder sb = new StringBuilder();
            sb.AppendFormat("Rejecting remote server SSL certificate from host \"{0}\" issued to Subject \"{1}\" due to errors: {2}", hostName, cert.Subject, sslPolicyErrors);

            // SslPolicyErrors is a flags enum: test the chain-error bit with '&', not '|'
            // ('|' would always be non-zero here and log chain status even when there was none).
            if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None && chain != null)
            {
                sb.AppendLine();
                sb.AppendLine("Chain status errors:");

                foreach (var chainStatusItem in chain.ChainStatus)
                {
                    sb.AppendFormat("Chain Item Status: {0} StatusInfo: {1}", chainStatusItem.Status, chainStatusItem.StatusInformation);
                    sb.AppendLine();
                }
            }

            log.Info(sb.ToString());

            return false;
        }

        // Only a name mismatch, and only for the one host we expect it from.
        if (PUSH_URI.Host.Equals(hostName, StringComparison.InvariantCultureIgnoreCase))
        {
            return true;
        }

        log.Info(string.Format("Rejecting remote server SSL certificate from host \"{0}\" issued to Subject \"{1}\" due to errors: {2}", hostName, cert.Subject, sslPolicyErrors));
        return false;
    }
