作为一个团队项目,我需要从 C# 客户端连接到 Java 6.5 SSL 服务器,但是当我到达stream.AuthenticateAsClient 行时,它挂起。
C# 连接代码
public static void connect(string server, Int32 port)
{
try
{
client = new TcpClient(server, port);
stream = new SslStream(client.GetStream(), false);
stream.AuthenticateAsClient("MyCNfield");
...
...
如果我连接到 https://mail.google.com 并将 MyCNfield 设置为 mail.google.com,它工作正常,所以我认为是 Java 端。
Java Init 部分是:
public void initSSL() throws IOException, KeyStoreException, NoSuchAlgorithmException,
CertificateException, UnrecoverableKeyException, KeyManagementException {
char[] passphrase = "scared".toCharArray();
System.out.println(java.security.KeyStore.getDefaultType());
boolean handshakedone=false;
KeyStore keystore1 = KeyStore.getInstance("jks");
FileInputStream fis = new FileInputStream("C:\\\\temp\\\\work.jks");
keystore1.load(fis, passphrase);
fis.close();
KeyStore ksTrust = KeyStore.getInstance("jks");
FileInputStream fis2 = new FileInputStream("C:\\\\temp\\\\work.jks");
ksTrust.load(fis2, passphrase);
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
// KeyManager's decide which key material to use.
kmf.init(keystore1, passphrase);
// TrustManager's decide whether to allow connections.
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ksTrust);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init( kmf.getKeyManagers(), tmf.getTrustManagers(), null);
SSLServerSocketFactory sslserversocketfactory =(SSLServerSocketFactory) sslContext.getServerSocketFactory();
sslserversocket =(SSLServerSocket) sslserversocketfactory.createServerSocket(2443);
sslserversocket.setUseClientMode(false);
//Context conte
ServerSocketFactory serversocketfactory =(ServerSocketFactory) sslContext.getServerSocketFactory();
// serverSocket = new ServerSocket(2443);
System.out.println("OK we are set up");
}
它被调用:
sslsocket = (SSLSocket) sslserversocket.accept();
并继续,即使连接未经过完全身份验证。
需要更改哪些内容才能解决此问题:JKS 有一个由我创建的 CA 签名的证书 MyCNfield。如何将证书链导入到我的 C# 中的私有(private) CA,或者如何使用 Java 和 C# 交换自签名证书,然后扔掉我当前的 JKS?
最佳答案
您需要使用RemoteCertificateValidationCallback回调机制来提供证书身份验证。您不应该关闭这个问题,这是很多人可能有的一个有效问题。由于 stackoverflow 出色的 SEO,这个答案是 Google 搜索的第一批点击之一,因此它可能会引导人们走上错误的道路。
使用RemoteCertificateValidationCallback回调。
private readonly bool allowSsl;
// callback used to validate the certificate in an SSL conversation
private static bool ValidateRemoteCertificate(
object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors policyErrors
)
{
if (allowSsl)
{
// allow any certificate...
return true;
}
else
{
return policyErrors == SslPolicyErrors.None;
}
}
以下是如何将它与TCPClient一起使用:
TcpClient client = new TcpClient(machineName,443);
Console.WriteLine("Client connected.");
// Create an SSL stream, specifying the callback above.
SslStream sslStream = new SslStream(
client.GetStream(),
false,
new RemoteCertificateValidationCallback (ValidateRemoteCertificate),
null
);
关于C# 客户端通过 SSL 连接到 Java 服务器,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/719556/