C# .NET Core 3.1 无法建立 SSL 连接
C# .NET Core 3.1 The SSL connection could not be established
我在带有客户自签名证书的 SAP docker 容器中使用带有 C# ASP.NET Core 3.1 服务的 OData 服务。
在此期间我尝试了一千种方法,但错误仍然存在。
System.InvalidOperationException: An error occurred while processing
this request. mdt2oowvsap_1 | --->
System.Data.Services.Client.DataServiceTransportException: The SSL
connection could not be established, see inner exception. The remote
certificate is invalid according to the validation procedure.
即使使用 HttpClientHandler.ServerCertificateCustomValidationCallback 和直接 return true 等不安全的解决方案也没有改变任何东西。
public MyService()
{
:
handler = new HttpClientHandler()
{
Credentials = new NetworkCredential(Username, Password, Domain),
PreAuthenticate = true,
ServerCertificateCustomValidationCallback = (message, cert, chain, sslPolicyErrors) =>
{
if (sslPolicyErrors == SslPolicyErrors.None)
{
logger.LogDebug($"No SSL policy errors!");
return true; //Is valid
}
logger.LogDebug($"Get certificate hash: {cert.GetCertHashString()}");
// From:
if (!String.IsNullOrEmpty(certificateHash) && cert.GetCertHashString().Equals(certificateHash))
{
// Get hash string via: openssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
// see:
logger.LogDebug($"Using certificate hash: {certificateHash}");
return true;
}
return false;
},
UseCookies = true,
CookieContainer = cookieContainer
};
String[] files = Directory.GetFiles("./certs/", "*.*", SearchOption.TopDirectoryOnly);
logger.LogInformation($"Found {files.Length} certificate files");
// see:
foreach (string cfile in files)
{
try
{
logger.LogDebug($"Try adding {cfile} as trusted client certificate...");
handler.ClientCertificates.Add(new X509Certificate2(Path.GetFullPath(cfile)));
}catch(Exception e)
{
logger.LogInformation($"Exception while adding certificate file {cfile} to 'ClientCertificates'");
logger.LogError(e.ToString());
}
}
httpClient = new HttpClient(handler);
:
}
最后一次尝试是下载证书并使用 ClientCertificates.Add 将其提供给 HttpClientHandler。没有成功。
使用 curl,传递此证书文件有效。
$> curl --location --request GET 'https://customer.de:1234/sap/opu/odata/something/useful_srv' \
--header 'Authorization: Basic ABCDEFGHIJKLMNOPQRST='
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
:
$> echo -n | openssl s_client -connect customer.de:1234 -servername customer.de | \
openssl x509 > /full/path/to/customer.cert
depth=0 CN = customer.de
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = customer.de
verify return:1
DONE
$>
$> curl --location --cacert '/full/path/to/customer.cert' --request GET \
'https://customer.de:1234/sap/opu/odata/something/useful_srv' \
--header 'Authorization: Basic ABCDEFGHIJKLMNOPQRST='
<?xml version="1.0" encoding="utf-8"?><app:service xml:lang="de" xml:base="https:blablabla.../></app:service>
$> _
还有人有其他想法吗?
查看的解决方案(不完整):
- c-sharp-ignore-certificate-errors
- the-ssl-connection-could-not-be-established
- c-sharp-core-3-1-getting-error-message-the-ssl-connection-could-not-be-establ
提前致谢。
问题的解决方案是使“自签名”证书可用于 Docker 容器或其包含的操作系统 (Ubuntu) 并提供
cp certs/customer.cert /usr/local/share/ca-certificates/customer.crt &&
update-ca-certificates
现在可以通过 SSL 进行通信了。
我在带有客户自签名证书的 SAP docker 容器中使用带有 C# ASP.NET Core 3.1 服务的 OData 服务。
在此期间我尝试了一千种方法,但错误仍然存在。
System.InvalidOperationException: An error occurred while processing this request. mdt2oowvsap_1 | ---> System.Data.Services.Client.DataServiceTransportException: The SSL connection could not be established, see inner exception. The remote certificate is invalid according to the validation procedure.
即使使用 HttpClientHandler.ServerCertificateCustomValidationCallback 和直接 return true 等不安全的解决方案也没有改变任何东西。
public MyService()
{
:
handler = new HttpClientHandler()
{
Credentials = new NetworkCredential(Username, Password, Domain),
PreAuthenticate = true,
ServerCertificateCustomValidationCallback = (message, cert, chain, sslPolicyErrors) =>
{
if (sslPolicyErrors == SslPolicyErrors.None)
{
logger.LogDebug($"No SSL policy errors!");
return true; //Is valid
}
logger.LogDebug($"Get certificate hash: {cert.GetCertHashString()}");
// From:
if (!String.IsNullOrEmpty(certificateHash) && cert.GetCertHashString().Equals(certificateHash))
{
// Get hash string via: openssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
// see:
logger.LogDebug($"Using certificate hash: {certificateHash}");
return true;
}
return false;
},
UseCookies = true,
CookieContainer = cookieContainer
};
String[] files = Directory.GetFiles("./certs/", "*.*", SearchOption.TopDirectoryOnly);
logger.LogInformation($"Found {files.Length} certificate files");
// see:
foreach (string cfile in files)
{
try
{
logger.LogDebug($"Try adding {cfile} as trusted client certificate...");
handler.ClientCertificates.Add(new X509Certificate2(Path.GetFullPath(cfile)));
}catch(Exception e)
{
logger.LogInformation($"Exception while adding certificate file {cfile} to 'ClientCertificates'");
logger.LogError(e.ToString());
}
}
httpClient = new HttpClient(handler);
:
}
最后一次尝试是下载证书并使用 ClientCertificates.Add 将其提供给 HttpClientHandler。没有成功。
使用 curl,传递此证书文件有效。
$> curl --location --request GET 'https://customer.de:1234/sap/opu/odata/something/useful_srv' \
--header 'Authorization: Basic ABCDEFGHIJKLMNOPQRST='
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
:
$> echo -n | openssl s_client -connect customer.de:1234 -servername customer.de | \
openssl x509 > /full/path/to/customer.cert
depth=0 CN = customer.de
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = customer.de
verify return:1
DONE
$>
$> curl --location --cacert '/full/path/to/customer.cert' --request GET \
'https://customer.de:1234/sap/opu/odata/something/useful_srv' \
--header 'Authorization: Basic ABCDEFGHIJKLMNOPQRST='
<?xml version="1.0" encoding="utf-8"?><app:service xml:lang="de" xml:base="https:blablabla.../></app:service>
$> _
还有人有其他想法吗?
查看的解决方案(不完整):
- c-sharp-ignore-certificate-errors
- the-ssl-connection-could-not-be-established
- c-sharp-core-3-1-getting-error-message-the-ssl-connection-could-not-be-establ
提前致谢。
问题的解决方案是使“自签名”证书可用于 Docker 容器或其包含的操作系统 (Ubuntu) 并提供
cp certs/customer.cert /usr/local/share/ca-certificates/customer.crt &&
update-ca-certificates
现在可以通过 SSL 进行通信了。