
C# Ignore certificate errors?


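I am getting the following error during a web service request to a remote web service:

Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Is there any way to ignore this error and continue?

It seems the remote certificate is not signed.

The site I connect to is www.czebox.cz - so feel free to visit the site, and notice that even browsers throw security exceptions.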

8 Answers

  • 2

    Add a certificate validation handler. Returning true will allow ignoring the validation error:

    ServicePointManager
        .ServerCertificateValidationCallback += 
        (sender, cert, chain, sslPolicyErrors) => true;
    
  • 26

    IgnoreBadCertificates Method:

    //I use a method to ignore bad certs caused by misc errors
    IgnoreBadCertificates();
    
    // after the Ignore call i can do what ever i want...
    HttpWebRequest request_data = System.Net.WebRequest.Create(urlquerystring) as HttpWebRequest;
    
    /*
    and below the Methods we are using...
    */
    
    /// <summary>
    /// Together with the AcceptAllCertifications method right
    /// below, this bypasses errors caused by SSL errors.
    /// </summary>
    public static void IgnoreBadCertificates()
    {
        System.Net.ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(AcceptAllCertifications);
    }  
    
    /// <summary>
    /// In short: the method solves the problem of broken certificates.
    /// Sometimes when requesting data and the sending web server connection
    /// is based on an SSL connection, an error is caused by servers whose
    /// certificate(s) have errors, like when the cert is out of date
    /// and much more... So at this point when calling the method,
    /// this behaviour is prevented.
    /// </summary>
    /// <param name="sender"></param>
    /// <param name="certification"></param>
    /// <param name="chain"></param>
    /// <param name="sslPolicyErrors"></param>
    /// <returns>true</returns>
    private static bool AcceptAllCertifications(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certification, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors)
    {
        return true;
    }
    
  • 5

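    The reason it is failing is not because it isn't signed, but because the root certificate isn't trusted by your client. Rather than switching off SSL validation, an alternative approach is to add the root CA certificate to the list of CAs your app trusts.

    This is the root CA certificate that your app currently doesn't trust: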


    You can decode and view this certificate using this certificate decoder or another certificate decoder.
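An added example, not part of the answer above or of any project's code: one way to add a root CA to the list a single client trusts without touching the machine store. It assumes .NET 5 or later; `PrivateRootClient` and `rootPemPath` (a path to the exported root certificate in PEM form) are hypothetical names.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example; PrivateRootClient and rootPemPath are hypothetical names.
static class PrivateRootClient
{
    public static HttpClient Create(string rootPemPath)
    {
        // Public root certificate only; no private key is needed or loaded.
        X509Certificate2 root = X509Certificate2.CreateFromPem(File.ReadAllText(rootPemPath));
        var handler = new HttpClientHandler();

        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            if (errors == SslPolicyErrors.None) return true;

            // Only an untrusted chain is re-evaluated. A host name mismatch
            // or a missing certificate still fails the handshake.
            if (errors != SslPolicyErrors.RemoteCertificateChainErrors || cert == null)
                return false;

            using var custom = new X509Chain();
            // Trust nothing except the supplied root for this evaluation.
            custom.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            custom.ChainPolicy.CustomTrustStore.Add(root);

            // Reuse intermediates the server sent so the chain can be built.
            if (chain != null)
                foreach (X509ChainElement element in chain.ChainElements)
                    custom.ChainPolicy.ExtraStore.Add(element.Certificate);

            // Validity dates and revocation are still checked (X509Chain defaults).
            return custom.Build(cert);
        };
        return new HttpClient(handler);
    }
}
```

Because the callback is set on one handler, every other connection in the process keeps the default validation.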

  • 3

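    Allowing all certificates is very powerful, but it could also be dangerous. If you would like to allow only valid certificates plus certain specific certificates, it can be done like this.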

    System.Net.ServicePointManager.ServerCertificateValidationCallback += delegate (
        object sender,
        X509Certificate cert,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
        {
            return true;   //Is valid
        }
    
        if (cert.GetCertHashString() == "99E92D8447AEF30483B1D7527812C9B7B3A915A7")
        {
            return true;
        }
    
        return false;
    };
    

    Update:

    How to get the cert.GetCertHashString() value in Chrome:

    Click on Secure or Not Secure in the address bar.

    Then click on Certificate -> Details -> Thumbprint and copy the value. Remember to do cert.GetCertHashString().ToLower().
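An added example, not the answerer's code: the same "valid certificates plus one pinned certificate" rule, scoped to a single HttpClient and a single host instead of being set process-wide on ServicePointManager. `PinnedClient`, `pinnedHost` and `pinnedSha256Hex` are hypothetical names; it compares a SHA-256 fingerprint rather than the SHA-1 value the parameterless GetCertHashString() returns, and assumes .NET Core 2.1+ or .NET Framework 4.8.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example; PinnedClient and its parameters are hypothetical names.
static class PinnedClient
{
    public static HttpClient Create(string pinnedHost, string pinnedSha256Hex)
    {
        var handler = new HttpClientHandler();
        // Scoped to this handler: other HttpClient instances keep default validation.
        handler.ServerCertificateCustomValidationCallback =
            (request, cert, chain, errors) =>
                IsAcceptable(request.RequestUri?.Host, cert, errors, pinnedHost, pinnedSha256Hex);
        return new HttpClient(handler);
    }

    public static bool IsAcceptable(string host, X509Certificate2 cert,
        SslPolicyErrors errors, string pinnedHost, string pinnedSha256Hex)
    {
        // A certificate that passes normal validation needs no exception.
        if (errors == SslPolicyErrors.None) return true;
        if (cert == null) return false;

        // The pin is an exception for one host only.
        if (!string.Equals(host, pinnedHost, StringComparison.OrdinalIgnoreCase))
            return false;

        // Browsers may show the fingerprint with spaces or colons, in either case.
        string expected = pinnedSha256Hex.Replace(" ", "").Replace(":", "");
        string actual = cert.GetCertHashString(HashAlgorithmName.SHA256);
        return string.Equals(actual, expected, StringComparison.OrdinalIgnoreCase);
    }
}
```

The pin has to be updated whenever the server's certificate is renewed, otherwise the connection fails closed.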

  • 24

    Disable SSL certificate validation in the client configuration.

    <behaviors>
       <endpointBehaviors>
          <behavior name="DisableSSLCertificateValidation">
             <clientCredentials>
                <serviceCertificate>
                   <sslCertificateAuthentication certificateValidationMode="None" />
                </serviceCertificate>
             </clientCredentials>
          </behavior>
       </endpointBehaviors>
    </behaviors>
    
  • 288

    This code worked for me. I had to add TLS2 because that's what the URL I am interested in was using.

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
    ServicePointManager.ServerCertificateValidationCallback +=
        (sender, cert, chain, sslPolicyErrors) => { return true; };
    using (var client = new HttpClient())
    {
        client.BaseAddress = new Uri(UserDataUrl);
        client.DefaultRequestHeaders.Accept.Clear();
        client.DefaultRequestHeaders.Accept.Add(new
          MediaTypeWithQualityHeaderValue("application/json"));
        Task<string> response = client.GetStringAsync(UserDataUrl);
        response.Wait();
    
        if (response.Exception != null)
        {
             return null;
        }
    
        return JsonConvert.DeserializeObject<UserData>(response.Result);
    }
    
  • 23

    If you are using sockets directly and are authenticating as the client, then the Service Point Manager callback method won't work. Here's what did work for me. PLEASE USE FOR TESTING PURPOSES ONLY.

    var activeStream = new SslStream(networkStream, false, (a, b, c, d) => { return true; });
    await activeStream.AuthenticateAsClientAsync("computer.local");
    

    The key here is to provide the remote certificate validation callback right in the constructor of the SSL stream.

  • 1

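    To further expand on BIGNUM's post - ideally you want a solution that will simulate the conditions you will see in production, and modifying your code won't do that and could be dangerous if you forget to take the code out before you deploy it.

    You will need a self-signed certificate of some sort. If you know what you're doing you can use the binary BIGNUM posted, but if not you can go hunting for the certificate. If you're using IIS Express you will have one of these already, you'll just have to find it. Open Firefox or whatever browser you like and go to your dev website. You should be able to view the certificate information from the URL bar, and depending on your browser you should be able to export the certificate to a file.

    Next, open MMC.exe and add the Certificates snap-in. Import your certificate file into the Trusted Root Certificate Authorities store and that's all you should need. It's important to make sure it goes into that store and not some other store like "Personal". If you're unfamiliar with MMC or certificates, there are numerous websites with information on how to do this.

    Now, your computer as a whole will implicitly trust any certificates that it has generated itself, and you won't need to add code to handle this specially. When you move to production it will continue to work, provided you have a proper valid certificate installed there. Don't do this on a production server - that would be bad, and it won't work for any clients other than those on the server itself.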
