我尝试在 Windows 上使用 C# 的 HttpClient 建立与在(本地)VM 中运行的应用程序的 TLS 连接。但是,它每次都会导致 RemoteCertificateNameMismatch 错误。
这段代码:
HttpClientHandler handler = new HttpClientHandler();
handler.ServerCertificateCustomValidationCallback = (request, cert, chain, policyErrors) =>
{
Console.WriteLine($"Policy Errors: {policyErrors}");
return policyErrors == SslPolicyErrors.None;
};
HttpClient httpClient = new HttpClient(handler)
{
BaseAddress = new Uri("https://192.168.99.100/engine-rest")
};
var result = httpClient.GetAsync("/engine").Result;
导致此错误:
Policy Errors: RemoteCertificateNameMismatch
Unhandled Exception: System.AggregateException: One or more errors occurred. (An error occurred while sending the request.) ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.WinHttpxception: A security error occurred
at System.Net.Http.WinHttpRequestCallback.OnRequestSendingRequest(WinHttpRequestState state)
at System.Net.Http.WinHttpRequestCallback.RequestCallback(IntPtr handle, WinHttpRequestState state, UInt32 internetStatus, IntPtr statusInformation, UInt32 statusInformationLength)
但是,根据 Google Chrome 和 Mozilla Firefox,我的证书有效,但不适用于 Internet Explorer。
查看从 Chrome 截取的屏幕截图。该证书似乎有效。我已经创建了我自己的证书颁发机构证书(自签名证书),然后我用它来创建我的服务器证书。我填写了主题名称。作为主题备用名称 (SAN),我添加了 IP 地址。
IE和HttpClient不支持SAN字段里面的IP地址字段吗?如果是这样,是否有其他方法可以使用 IP 地址验证服务器证书?
我正在使用 dotnet core 2.0。
最佳答案
阅读类似的问题,我发现了以下内容:
.NET does not support IP addresses as Subject Alternative Names directly because it relies on Schannel to do the verification of the IP address in the cert.
Schannel only looks for the hostname (IP) given in the https request among the "DNS Name=" fields of the cert. So if you could get a CA to give you a cert with the IP addresses listed in the "DNS Name=" fields then it would probably work.
您可以尝试使用“DNS 名称”字段。
来源:Does .NET web service client support SSL cert with IP in Alternate Subject Name
关于c# - 如何在 C# 中使用 HttpClient 通过 IP 地址启动与服务器的可信 TLS 连接?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/49113544/