我正在使用 SslStream 从 .NET Framework 连接到 Apple 推送通知服务 (APNs)。我正在使用 Binary Provider API 进行连接。作为初始握手的一部分,SslStream 对网络流执行 AuthenticateAsClient。这是相关代码:
_sslStream = new SslStream(_tcpClient.GetStream());
_sslStream.AuthenticateAsClient(_url,
new X509CertificateCollection { _certificate },
SslProtocols.Tls,
true);
_url 是 APNs 主机名,_certificate 是应用程序的推送证书。在大多数计算机(运行 Windows Server 的某个版本)上,这是可以接受的并且通信可以继续。但是,在某些机器上,这会失败。这是确切的错误:
The remote certificate is invalid according to the validation procedure.
代码在 本地系统 权限下作为 Windows 服务 运行。当完全相同的代码在本地用户下作为命令行应用程序运行时,握手被接受并且通信可以继续。使用 pexec -i -s 在 Local System 下运行相同的命令行应用程序会导致相同的错误。我检查了本地计算机 和当前用户 之间的证书存储区是否存在差异,但没有差异。
还测试了“解决方法”。在这种更改后的形式中,前面显示的代码被改编为完全忽略证书。这完全符合您的预期;不检查收到的证书,通信可以继续。这是它的样子:
_sslStream = new SslStream(_tcpClient.GetStream(), false, (sender, certificate, chain, errors) => true);
_sslStream.AuthenticateAsClient(_url,
new X509CertificateCollection { _certificate },
SslProtocols.Tls,
false);
当然,禁用安全性不是一个好主意。什么可能导致握手中断?!
最佳答案
这里的挑战是找出哪些要求没有得到满足。 你可以使用这个: https://github.com/rodneyviana/blogdemos/blob/master/TestServerCertificate.zip
- 解压到任何地方。确保应用程序未被阻止 (右键单击,属性并选中取消阻止(如果存在)
- 以管理员身份打开命令提示符
- 运行此命令进入系统用户上下文:c:\sysinternals\PsExec -i -s cmd.exe
- 在新的提示窗口中,移动到您解压的文件夹 工具
- 使用此语法运行:TestServerCertificate [host] [port]
- 这将保存日志文件和证书中的证书 链接到临时文件夹。
请看下面的例子:
c:\tools>whoami
nt authority\system
c:\tools>TestServerCertificate.exe www.microsoft.com 443
Verify Certificate Details
==========================
Writing logs to C:\WINDOWS\TEMP\certchain_e9ab7362-e5ba-4adc-b47c-7f28c0eddbfc\output.log
c:\tools>notepad C:\WINDOWS\TEMP\certchain_e9ab7362-e5ba-4adc-b47c-7f28c0eddbfc\output.log
这是上面命令的实际日志(当然没有错误):
Getting certificate from www.microsoft.com 443
TLS Protocol: Tls12
Strength 256
Certificate at www.microsoft.com
Thumbprint: 8FBE50987D59F8C023492162238250C2ED18176A
Subject: CN=www.microsoft.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US
Friendly Name:
Issuer name: CN=Microsoft IT TLS CA 4, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Valid until: 1/16/2020 3:24:02 PM
Certificate is valid: True
Number of extensions: 10
Writing Certificate: C:\WINDOWS\TEMP\certchain_e9ab7362-e5ba-4adc-b47c-7f28c0eddbfc\certificate_8FBE50987D59F8C023492162238250C2ED18176A.cer
WARNING: Certificate was not found in any location store
Chain Information
=================
Chain revocation flag: ExcludeRoot
Chain revocation mode: Online
Chain verification flag: NoFlag
Chain verification time: 8/11/2018 1:57:30 AM
Chain status length: 0
Chain application policy count: 0
Chain certificate policy count: 0
Chain Element Information
Number of chain elements: 3
Intermediate Certificate
==============================================
Element thumbprint: 8A38755D0996823FE8FA3116A277CE446EAC4E99
Element subject: CN=Microsoft IT TLS CA 4, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Friendly Name:
Element issuer name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Element certificate valid until: 5/20/2024 7:52:38 AM
Element certificate is valid: True
Element error status length: 0
Element information:
Number of element extensions: 8
Writing Certificate: C:\WINDOWS\TEMP\certchain_e9ab7362-e5ba-4adc-b47c-7f28c0eddbfc\Intermediate_8A38755D0996823FE8FA3116A277CE446EAC4E99.cer
Information: Certificate was found installed in store(s) - CurrentUser\CA
ROOT Certificate
==============================================
Element thumbprint: D4DE20D05E66FC53FE1A50882C78DB2852CAE474
Element subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Friendly Name: DigiCert Baltimore Root
Element issuer name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Element certificate valid until: 5/12/2025 6:59:00 PM
Element certificate is valid: True
Element error status length: 0
Element information:
Number of element extensions: 3
Writing Certificate: C:\WINDOWS\TEMP\certchain_e9ab7362-e5ba-4adc-b47c-7f28c0eddbfc\ROOT_D4DE20D05E66FC53FE1A50882C78DB2852CAE474.cer
Information: Certificate was found installed in store(s) - CurrentUser\AuthRoot LocalMachine\AuthRoot CurrentUser\Root LocalMachine\Root
============= End of Report =============
如果日志中有不清楚的问题,请贴在这里进行分析。
- 这需要 .NET 4.5 或更新版本。如果没有,请将 System.Net 跟踪添加到您的配置文件并重现问题,然后将文件发布到此处进行分析:https://learn.microsoft.com/en-us/dotnet/framework/network-programming/how-to-configure-network-tracing
关于.net - 从 .NET 到 APNs 的 SSL/TLS 握手 - 远程证书无效,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/51647058/