.Net 编程 : What to validate on an SSL self-signed certificate-6ren

.Net 编程 : What to validate on an SSL self-signed certificate

转载作者：行者123 更新时间：2023-12-04 17:28:56

我无法让用户为他们的服务器创建真正的证书，但我想做一些安全检查。所以以下内容太轻了，因为在我阅读时，没有对证书进行检查。

ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

您建议我让客户检查 x509 证书的哪些内容？鉴于我使用的是 .NET 语言 (c#/f#)。

最佳答案

如果您使用自签名证书，那么您应该期望的唯一错误是根(证书颁发者)上的链错误。我会建议这样的事情，专门针对该链错误进行陷阱，并让所有其他错误都失败。

ServicePointManager.ServerCertificateValidationCallback += new RemoteCertificateValidationCallback(
    ValidateRemoteCertificate
);

private static bool ValidateRemoteCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors policyErrors )
{
    string trustedIssuer = "CN=www.domain.com";
    string trustedDomain = "CN=www.domain.com";
    bool policyErr = false;

    switch (policyErrors)
    {
        case SslPolicyErrors.None:
            policyErr |= false;
            break;
        case SslPolicyErrors.RemoteCertificateChainErrors:
            bool chainErr = false;
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                switch (status.Status)
                {
                    case X509ChainStatusFlags.NoError:
                        chainErr |= false;
                        break;
                    case X509ChainStatusFlags.UntrustedRoot:
                        if (certificate.Subject != trustedDomain || certificate.Issuer != trustedIssuer)
                            chainErr |= true;
                        else
                            chainErr |= false;
                        break;
                    default:
                        chainErr |= true;
                        break;
                }                    
            }
            policyErr |= chainErr;
            break;
        default:
            policyErr |= true;
            break;
    }

    return !policyErr;
}