带有客户端证书的 .Net SslStream
.Net SslStream with Client Certificate
我的 SslStream 项目无法获得客户端证书。无论我做什么,我都无法让它真正使用客户端证书,尽管所有证书都是有效且可信的,而且我已经为我自己生成的证书导入了 CA 证书,但它并没有工作。我一定是遗漏了一些东西,但我已经检查了数十次,查看了文档、示例,并进行了 google 数小时的搜索,但我就是无法让它工作。我做错了什么?
客户:
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net.Security;
using System.Net.Sockets;
using System.Reflection;
using System.Security.Cryptography.X509Certificates;
using System.Text;
namespace SslClient
{
class SslClientProgram
{
static void Main(string[] args)
{
TcpClient client = new TcpClient("localhost", 443);
SslStream stream = new SslStream(client.GetStream(), false, VerifyServerCertificate, null);
Assembly assembly = System.Reflection.Assembly.GetExecutingAssembly();
string location = assembly.Location;
int pos = location.LastIndexOf('\');
location = location.Substring(0, pos);
X509Certificate2 certificate = new X509Certificate2(location + "\my.client.certificate.pfx", "password");
stream.AuthenticateAsClient("my.host.name", new X509Certificate2Collection(certificate), System.Security.Authentication.SslProtocols.Tls, false);
StreamReader reader = new StreamReader(stream);
StreamWriter writer = new StreamWriter(stream);
while (true)
{
string line = System.Console.ReadLine();
writer.WriteLine(line);
writer.Flush();
if (line == "close") break;
line = reader.ReadLine();
System.Console.WriteLine("Received: {0}", line);
}
stream.Close();
}
private static bool VerifyServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
return true;
}
}
}
服务器:
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net.Security;
using System.Net.Sockets;
using System.Reflection;
using System.Security.Cryptography.X509Certificates;
using System.Text;
namespace SslServer
{
class SslServerProgram
{
static void Main(string[] args)
{
TcpListener server = new TcpListener(System.Net.IPAddress.Loopback, 443);
server.Start();
TcpClient client = server.AcceptTcpClient();
SslStream stream = new SslStream(client.GetStream(), false, VerifyClientCertificate, null);
Assembly assembly = System.Reflection.Assembly.GetExecutingAssembly();
string location = assembly.Location;
int pos = location.LastIndexOf('\');
location = location.Substring(0, pos);
X509Certificate2 certificate = new X509Certificate2(location + "\my.server.certificate.pfx", "password");
stream.AuthenticateAsServer(certificate, false, System.Security.Authentication.SslProtocols.Tls, false);
if (stream.RemoteCertificate != null)
{
System.Console.WriteLine(stream.RemoteCertificate.Subject);
}
else
{
System.Console.WriteLine("No client certificate.");
}
StreamReader reader = new StreamReader(stream);
StreamWriter writer = new StreamWriter(stream);
bool clientClose = false;
while (!System.Console.KeyAvailable)
{
System.Console.WriteLine("Waiting for data...");
string line = reader.ReadLine();
System.Console.WriteLine("Received: {0}", line);
if (line == "close")
{
clientClose = true;
break;
}
writer.WriteLine(line);
writer.Flush();
}
if (!clientClose) System.Console.ReadKey();
stream.Close();
server.Stop();
}
private static bool VerifyClientCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
return true;
}
}
}
无论我尝试什么,服务器总是说 "No client certificate."
事实证明,AuthenticateAsServer 是这里的关键 - 更具体地说,是第二个参数。
如果clientCertificateRequired是false,它会完全忽略客户端证书,即使是客户端指定的,但是如果是true,它会允许它们,但是如果未指定客户端证书,则不会抛出异常。
愚蠢的我 - 我认为 clientCertificateRequired 设置为 true 意味着它将 实际需要 ,因为 .Net 文档将其描述为:
"A Boolean value that specifies whether the client must supply a certificate for authentication."* (emphasis mine)
我的预期是,如果它是 true,并且我没有发送客户端证书,那么它将失败。这是 Microsoft 文档不够准确的明显案例。
更新:clientCertificateRequired 参数的 latest documentation 包含短语 "Note that this is only a request -- if no certificate is provided, the server still accepts the connection request."
我的 SslStream 项目无法获得客户端证书。无论我做什么,我都无法让它真正使用客户端证书,尽管所有证书都是有效且可信的,而且我已经为我自己生成的证书导入了 CA 证书,但它并没有工作。我一定是遗漏了一些东西,但我已经检查了数十次,查看了文档、示例,并进行了 google 数小时的搜索,但我就是无法让它工作。我做错了什么?
客户:
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net.Security;
using System.Net.Sockets;
using System.Reflection;
using System.Security.Cryptography.X509Certificates;
using System.Text;
namespace SslClient
{
class SslClientProgram
{
static void Main(string[] args)
{
TcpClient client = new TcpClient("localhost", 443);
SslStream stream = new SslStream(client.GetStream(), false, VerifyServerCertificate, null);
Assembly assembly = System.Reflection.Assembly.GetExecutingAssembly();
string location = assembly.Location;
int pos = location.LastIndexOf('\');
location = location.Substring(0, pos);
X509Certificate2 certificate = new X509Certificate2(location + "\my.client.certificate.pfx", "password");
stream.AuthenticateAsClient("my.host.name", new X509Certificate2Collection(certificate), System.Security.Authentication.SslProtocols.Tls, false);
StreamReader reader = new StreamReader(stream);
StreamWriter writer = new StreamWriter(stream);
while (true)
{
string line = System.Console.ReadLine();
writer.WriteLine(line);
writer.Flush();
if (line == "close") break;
line = reader.ReadLine();
System.Console.WriteLine("Received: {0}", line);
}
stream.Close();
}
private static bool VerifyServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
return true;
}
}
}
服务器:
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net.Security;
using System.Net.Sockets;
using System.Reflection;
using System.Security.Cryptography.X509Certificates;
using System.Text;
namespace SslServer
{
class SslServerProgram
{
static void Main(string[] args)
{
TcpListener server = new TcpListener(System.Net.IPAddress.Loopback, 443);
server.Start();
TcpClient client = server.AcceptTcpClient();
SslStream stream = new SslStream(client.GetStream(), false, VerifyClientCertificate, null);
Assembly assembly = System.Reflection.Assembly.GetExecutingAssembly();
string location = assembly.Location;
int pos = location.LastIndexOf('\');
location = location.Substring(0, pos);
X509Certificate2 certificate = new X509Certificate2(location + "\my.server.certificate.pfx", "password");
stream.AuthenticateAsServer(certificate, false, System.Security.Authentication.SslProtocols.Tls, false);
if (stream.RemoteCertificate != null)
{
System.Console.WriteLine(stream.RemoteCertificate.Subject);
}
else
{
System.Console.WriteLine("No client certificate.");
}
StreamReader reader = new StreamReader(stream);
StreamWriter writer = new StreamWriter(stream);
bool clientClose = false;
while (!System.Console.KeyAvailable)
{
System.Console.WriteLine("Waiting for data...");
string line = reader.ReadLine();
System.Console.WriteLine("Received: {0}", line);
if (line == "close")
{
clientClose = true;
break;
}
writer.WriteLine(line);
writer.Flush();
}
if (!clientClose) System.Console.ReadKey();
stream.Close();
server.Stop();
}
private static bool VerifyClientCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
return true;
}
}
}
无论我尝试什么,服务器总是说 "No client certificate."
事实证明,AuthenticateAsServer 是这里的关键 - 更具体地说,是第二个参数。
如果clientCertificateRequired是false,它会完全忽略客户端证书,即使是客户端指定的,但是如果是true,它会允许它们,但是如果未指定客户端证书,则不会抛出异常。
愚蠢的我 - 我认为 clientCertificateRequired 设置为 true 意味着它将 实际需要 ,因为 .Net 文档将其描述为:
"A Boolean value that specifies whether the client must supply a certificate for authentication."* (emphasis mine)
我的预期是,如果它是 true,并且我没有发送客户端证书,那么它将失败。这是 Microsoft 文档不够准确的明显案例。
更新:clientCertificateRequired 参数的 latest documentation 包含短语 "Note that this is only a request -- if no certificate is provided, the server still accepts the connection request."