我有由 IIS 托管的 WCF REST Web 服务,它在 HTTPS 上运行,我在 IIS 上生成证书并将 Https 分配给端口
我是通过IE浏览器生成cer的。我创建了一个测试应用程序,无论是否添加客户端证书,甚至添加了错误的证书,连接都会发生并且我得到正确的响应。我想知道如果没有发送证书,消息是如何解密的。
要么目的地不安全,要么我误解了整件事。 还有
我从回调“CheckValidationResult()”中得到的错误是 CertCN_NO_MATCH = 0x800B010F 或者 “Unknown Certificate Problem”,这种情况下 certificateProblem(CheckValidationResult 的参数)为 0
什么是CertCN_NO_MATCH错误,什么是CN?
见下面的代码。
ServicePointManager.CertificatePolicy = new CertPolicy();
HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(String.Format("https://{0}/uri", ip));
//request.ClientCertificates.Add(new X509Certificate("D:\\ThePubKey.cer"));
request.ContentType = "application/x-www-form-urlencoded";
request.Method = "POST";
using (StreamWriter stream = new StreamWriter(request.GetRequestStream()))
{
stream.Write("RequestType=CheckStatus&ReportType=Fulfillment&ReportID=5");
}
using (StreamReader stream = new StreamReader(request.GetResponse().GetResponseStream()))
{
Response.ContentType = "text/xml";
Response.Output.Write(stream.ReadToEnd());
Response.End();
}
class CertPolicy : ICertificatePolicy
{
public enum CertificateProblem : uint
{
CertEXPIRED = 0x800B0101,
CertVALIDITYPERIODNESTING = 0x800B0102,
CertROLE = 0x800B0103,
CertPATHLENCONST = 0x800B0104,
CertCRITICAL = 0x800B0105,
CertPURPOSE = 0x800B0106,
CertISSUERCHAINING = 0x800B0107,
CertMALFORMED = 0x800B0108,
CertUNTRUSTEDROOT = 0x800B0109,
CertCHAINING = 0x800B010A,
CertREVOKED = 0x800B010C,
CertUNTRUSTEDTESTROOT = 0x800B010D,
CertREVOCATION_FAILURE = 0x800B010E,
CertCN_NO_MATCH = 0x800B010F,
CertWRONG_USAGE = 0x800B0110,
CertUNTRUSTEDCA = 0x800B0112
}
public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem)
{
// You can do your own certificate checking.
// You can obtain the error values from WinError.h.
// Return true so that any certificate will work with this sample.
String error = "";
using (StringWriter writer = new StringWriter())
{
writer.WriteLine("Certificate Problem with accessing " + request.RequestUri);
writer.Write("Problem code 0x{0:X8},", (int)certificateProblem);
writer.WriteLine(GetProblemMessage((CertificateProblem)certificateProblem));
error = writer.ToString();
}
return true;
}
private String GetProblemMessage(CertificateProblem Problem)
{
String ProblemMessage = "";
CertificateProblem problemList = new CertificateProblem();
String ProblemCodeName = Enum.GetName(problemList.GetType(), Problem);
if (ProblemCodeName != null)
ProblemMessage = ProblemMessage + "-Certificateproblem:" +
ProblemCodeName;
else
ProblemMessage = "Unknown Certificate Problem";
return ProblemMessage;
}
}
最佳答案
我刚刚回复了 this similar question (in Java) .
CN 是“通用名称”。它应该是您要连接的服务器的主机名(除非它在主题备用名称中)。我从您的代码示例中猜想您正在直接使用 IP 地址。在这种情况下,CN 应该是该 IP 地址(使用主机名比使用 IP 地址往往更好)。参见 RFC 2818 (sec 3.1)规范。
请注意,CN 或主题备用名称是从客户端的角度来看的,因此如果您连接到 https://some.example.com/ ,则证书中的名称应为 some.example.com,如果您连接到 https://localhost/,则证书中的名称应为 localhost,即使 some.example.com 和 localhost 可能是同一台服务器有效地。 (我想默认情况下,IIS 可能会为外部名称生成一个证书,但您必须查看证书才能知道;这应该在某个地方的证书属性中可见。)
关于asp.net - 对证书的困惑,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/3092592/