11

这是我第一次必须使用证书身份验证。一个商业伙伴公开了两个服务,一个 XML Web 服务和一个 HTTP 服务。我必须使用 .NET 客户端访问它们。

我试过的

0.设置环境

我已经使用 certmgr.exe 在我的本地计算机(win 7 专业版)中安装了 SSLCACertificates(在 root 和两个中间)和客户端证书。

1.对于网络服务

  • 我有客户证书(der)。
  • 该服务将通过 .NET 代理使用。

这是代码:

OrderWSService proxy = new OrderWSService();
string CertFile = "ClientCert_DER.cer";

proxy.ClientCertificates.Add(new System.Security.Cryptography.X509Certificates.X509Certificate(CertFile));
orderTrackingTO ot = new orderTrackingTO() { order_id = "80", tracking_id = "82", status = stateOrderType.IN_PREPARATION };
resultResponseTO res = proxy.insertOrderTracking(ot);

在最后的声明中报告了异常:The request failed with an empty response

2.对于HTTP接口

  • 这是我必须通过 POST 方法调用的 HTTPS 接口。
  • HTTPS 请求将使用 HTTPWebRequest 从 .NET 客户端发送。

这是代码:

string PostData = "MyPostData";

//setting the request
HttpWebRequest req;
req = (HttpWebRequest)HttpWebRequest.Create(url);
req.UserAgent = "MyUserAgent";
req.Method = "POST";
req.ContentType = "application/x-www-form-urlencoded";
req.ClientCertificates.Add(new System.Security.Cryptography.X509Certificates.X509Certificate(CertFile, "MyPassword")); 

//setting the request content
byte[] byteArray = Encoding.UTF8.GetBytes(PostData);
Stream dataStream = req.GetRequestStream();
dataStream.Write(byteArray, 0, byteArray.Length);
dataStream.Close();

//obtaining the response
WebResponse res = req.GetResponse();
r = new StreamReader(res.GetResponseStream());

在最后的声明中报告了异常:The request was aborted: Could not create SSL/TLS secure channel

3. 最后尝试:使用浏览器

在 Chrome 中,安装证书后,如果我尝试访问这两个 url,我会收到 107 错误:

Error 107 (net::ERR_SSL_PROTOCOL_ERROR)

我被困住了。

4

1 回答 1

7

以下内容应该可以帮助您识别问题,这里有两种测试 SSL 连接性的方法,一种是测试站点,另一种是回调方法,以确定 SSL 失败的原因。如果没有别的,它应该让您更好地了解它失败的原因。

调用该方法时,它会弹出选择证书对话框,显然,当您真正执行此操作时,您将希望自动从证书存储中读取。我之所以把它放进去是因为如果没有找到有效的证书,那么你就会知道你的问题出在证书的安装方式上。

最好的办法是将此代码放在一个简单的控制台应用程序中:

using System.Security.Cryptography.X509Certificates;
using System.Net.Security;
using System.Net;

private static void CheckSite(string url, string method)
{
    X509Certificate2 cert = null;
    ServicePointManager.ServerCertificateValidationCallback += ValidateRemoteCertificate;

    X509Store store = new X509Store(StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
    X509Certificate2Collection certcollection = (X509Certificate2Collection)store.Certificates;
    // pick a certificate from the store
    cert = X509Certificate2UI.SelectFromCollection(certcollection, 
            "Caption",
            "Message", X509SelectionFlag.SingleSelection)[0];

    store.Close();

    HttpWebRequest ws = (HttpWebRequest)WebRequest.Create(url);
    ws.Credentials = CredentialCache.DefaultCredentials;
    ws.Method = method;
    if (cert != null)
        ws.ClientCertificates.Add(cert);

    using (HttpWebResponse webResponse = (HttpWebResponse)ws.GetResponse())
    {
        using (Stream responseStream = webResponse.GetResponseStream())
        {
            using (StreamReader responseStreamReader = new StreamReader(responseStream, true))
            {
                string response = responseStreamReader.ReadToEnd();
                Console.WriteLine(response);
                responseStreamReader.Close();
            }

            responseStream.Close();
        }
        webResponse.Close();
    }
}

/// <summary>
/// Certificate validation callback.
/// </summary>
private static bool ValidateRemoteCertificate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors error)
{
    // If the certificate is a valid, signed certificate, return true.
    if (error == System.Net.Security.SslPolicyErrors.None)
    {
        return true;
    }

    Console.WriteLine("X509Certificate [{0}] Policy Error: '{1}'",
        cert.Subject,
        error.ToString());

    return false;
}
于 2012-06-27T11:00:08.940 回答