1

我目前正在构建一个支持 HTTPS 的 C# 中间代理服务器,并且我正在以一种有点讨厌的方式重新绑定证书,但这是我这个项目所需要的。

我正在使用 BouncyCastle 生成 CA 证书和适用于 HTTP 的证书,并且我注意到它SslStream不会接受任何不是的证书签名算法,MD5WithRSA这意味着 Google Chrome 和 Firefox 将简单地拒绝打开页面,因为它期望SHA1WithRSA它的签名算法。

我用来生成 SSL 流并对其进行身份验证的完整代码块位于http://cdn.afterlifelochie.rocket-it.com.au/temp/proxy-https.c-sharp.txt,但这是简短的返回错误的代码段。

sslStream.AuthenticateAsServer(
    cert, false, SslProtocols.Default | SslProtocols.Tls | 
        SslProtocols.Ssl3 | SslProtocols.Ssl2,  false);

链内带有CA的签名HTTPS证书在哪里cert,包括CA私钥和HTTPS私钥,返回此错误:

SSL-Exception: A call to SSPI failed, see inner exception.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken messag
e, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToke
n message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, A
syncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 coun
t, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes
, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocol
Request asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToke
n message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, A
syncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 coun
t, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes
, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocol
Request asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToke
n message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, A
syncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 coun
t, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes
, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocol
Request asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToke
n message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, A
syncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 coun
t, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes
, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocol
Request asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byt
e[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyRes
ult)
   at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverC
ertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols,
 Boolean checkCertificateRevocation)
   at HTTPProxyServer.ProxyServer.DoHttpProcessing(TcpClient client) in C:\Users
\AfterLifeLochie\Desktop\C#Proxy\ProxyServer.cs:line 324

SSL-Inner-Exception: The specified data could not be decrypted

但是,如果我将第 76 行的参数更改SetSignatureAlgorithm(String Method)MD5withRSAfrom SHA1WithRSA,一切正常,所有数据都正确传输(除了 Google Chrome 的过度安全偏执的“您无法继续”消息)。

这是SslStream证书链、我的身份验证方式还是我忽略的其他问题?

更新 1:我从我的 Windows 2008R2 Active Directory 证书服务器实例中获取了证书和 CA 证书。显然使用该证书工作正常,所以我不确定我做错了什么。我假设这与将证书链接在一起、物理生成有关,或者我缺少重要的主题、用法或扩展/增强用法之一。

更新 2:我意识到每次软件生成新密钥时 CA 证书都会发生变化;这已被更改并锁定,我可以看到指纹和数据没有改变。仍然得到SSL-Inner-Exception: The specified data could not be decrypted虽然。

4

0 回答 0