在生产服务器上使用 SSL 身份验证在 IMAP 上获取链状态 "RevocationStatusUnknown"
Getting chain status "RevocationStatusUnknown" on IMAP with SSL authentication on production server
在我的系统中,客户端告知电子邮件服务的配置,该服务负责发送和接收系统内部的日志通信。
当我尝试使用 MailKit 从生产 Windows 2008 R2 服务器测试与 SSL IMAP 服务器的连接时出现此错误,在 ASP.NET 网站内:
异常:System.Security.Authentication.AuthenticationException:根据验证程序,远程证书无效。
System.Security.Cryptography.X509Certificates.X509ChainStatus 状态:RevocationStatusUnknown - "The revocation function was unable to check revocation for the certificate"
当我尝试从我的电脑或虚拟机 Windows 2008 R2 服务器连接时,连接成功。
而且,当我尝试通过命令行与生产服务器的 OpenSSL.dll 连接时,连接成功。我用相同的代码做了一个控制台应用程序,没有任何改动,这个应用程序可以连接到 IMAP 服务器,但是,当从网站或服务建立连接时,会抛出错误。
代码如下:
//test method
public bool Testar()
{
try
{
using (var client = new MailKit.Net.Imap.ImapClient(new MailKit.ProtocolLogger("IMAP.log")))
{
client.ServerCertificateValidationCallback = VerificarErrosCertificadosServer;
client.Connect(host, this.IsSSl);
client.Authenticate(emailUserName, emailPassword);
var inbox = client.Inbox;
inbox.Open(folderAccess);
client.Disconnect(true);
return true;
}
}
catch (Exception ex)
{
Log.Error(ex);
return false;
}
}
//VerificarErrosCertificadosServer method
private static bool VerificarErrosCertificadosServer(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate,
System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
{
return true;
}
if ((sslPolicyErrors & System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors) != 0)
{
if (chain != null && chain.ChainStatus != null)
{
foreach (System.Security.Cryptography.X509Certificates.X509ChainStatus status in chain.ChainStatus)
{
Log.Info("System.Security.Cryptography.X509Certificates.X509ChainStatus status: " + status.Status.ToString() + " - " + status.StatusInformation);
if ((certificate.Subject == certificate.Issuer) &&
(status.Status == System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.UntrustedRoot))
{
// Self-signed certificates, untrusted root, but valid.
continue;
}
else
{
if (status.Status != System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.NoError)
{
// any error
return false;
}
}
}
}
return true;
}
else
{
return false;
}
}
有什么想法吗?
我已将管理员用户添加到网站 appPool 身份,并且成功了。现在,我知道该怎么做了:感谢 @ebyrob.
,我必须向 appPool 和服务添加一个管理员帐户
在我的系统中,客户端告知电子邮件服务的配置,该服务负责发送和接收系统内部的日志通信。 当我尝试使用 MailKit 从生产 Windows 2008 R2 服务器测试与 SSL IMAP 服务器的连接时出现此错误,在 ASP.NET 网站内:
异常:System.Security.Authentication.AuthenticationException:根据验证程序,远程证书无效。 System.Security.Cryptography.X509Certificates.X509ChainStatus 状态:RevocationStatusUnknown - "The revocation function was unable to check revocation for the certificate"
当我尝试从我的电脑或虚拟机 Windows 2008 R2 服务器连接时,连接成功。 而且,当我尝试通过命令行与生产服务器的 OpenSSL.dll 连接时,连接成功。我用相同的代码做了一个控制台应用程序,没有任何改动,这个应用程序可以连接到 IMAP 服务器,但是,当从网站或服务建立连接时,会抛出错误。
代码如下:
//test method
public bool Testar()
{
try
{
using (var client = new MailKit.Net.Imap.ImapClient(new MailKit.ProtocolLogger("IMAP.log")))
{
client.ServerCertificateValidationCallback = VerificarErrosCertificadosServer;
client.Connect(host, this.IsSSl);
client.Authenticate(emailUserName, emailPassword);
var inbox = client.Inbox;
inbox.Open(folderAccess);
client.Disconnect(true);
return true;
}
}
catch (Exception ex)
{
Log.Error(ex);
return false;
}
}
//VerificarErrosCertificadosServer method
private static bool VerificarErrosCertificadosServer(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate,
System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
{
return true;
}
if ((sslPolicyErrors & System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors) != 0)
{
if (chain != null && chain.ChainStatus != null)
{
foreach (System.Security.Cryptography.X509Certificates.X509ChainStatus status in chain.ChainStatus)
{
Log.Info("System.Security.Cryptography.X509Certificates.X509ChainStatus status: " + status.Status.ToString() + " - " + status.StatusInformation);
if ((certificate.Subject == certificate.Issuer) &&
(status.Status == System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.UntrustedRoot))
{
// Self-signed certificates, untrusted root, but valid.
continue;
}
else
{
if (status.Status != System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.NoError)
{
// any error
return false;
}
}
}
}
return true;
}
else
{
return false;
}
}
有什么想法吗?
我已将管理员用户添加到网站 appPool 身份,并且成功了。现在,我知道该怎么做了:感谢 @ebyrob.
,我必须向 appPool 和服务添加一个管理员帐户