0

I have a small C# application that uses WebClient to download data from a web service over HTTPS (the URL starts with https://). The following has been working for a long time:

public class WebClientEx : WebClient {
    public int Timeout {get; set;}
    protected override WebRequest GetWebRequest(Uri address) {
        var request = base.GetWebRequest(address);
        if (request != null)
            request.Timeout = Timeout;
        return request;
    }
}

using (var client = new WebClientEx()) {
    client.Proxy = new WebProxy(ProxyUrl) { Credentials = CredentialCache.DefaultCredentials };
    client.Timeout = 900000;
    var fields = new NameValueCollection { /* .... */ };
    byte[] respBytes = client.UploadValues(url, fields);
    /* .... */
}

However, the provider of the web service recently updated their SSL certificate, and now I get this:

基础连接已关闭:无法为 SSL/TLS 安全通道建立信任关系。

I can disable SSL validation to "make it work":

public class WebClientEx : WebClient {
    public int Timeout {get; set;}
    protected override WebRequest GetWebRequest(Uri address) {
        var request = base.GetWebRequest(address);
        if (request != null)
            request.Timeout = Timeout;
        if (SSLCheckDisabled) {
            try {
                //Change SSL checks so that all checks pass
                ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
            }
            catch {
            }
        }
        return request;
    }
}

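But for obvious reasons, I don't want to do that!

On Windows 7 + IE9 the certificate is fine and fully trusted in IE. On the Windows 2003 server where the .NET Framework 4.0 WebClient accesses the web service, IE6 says in a security alert: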

安全证书由您未选择信任的公司颁发。查看证书以确定您是否要信任证书颁发机构。

The certificate at the end of the chain, the one that is "not trusted", is:

Issued to: DigiCert High Assurance EV Root CA

Issued by: DigiCert High Assurance EV Root CA

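The top of this troubleshooting page says "The root certificate in this path is named DigiCert High-Assurance EV Root CA and is trusted by all modern browsers.". All the online SSL checkers pass the domain when I test them.

So my question is: how can I get my WebClient to behave more like IE9 than IE6, and trust this cross-signed SSL certificate?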

4

1 Answer

1

If your computer trusts the Root CA, then you trust certificates issued by that CA. You need to add the DigiCert Root CA certificate to the computer's Trusted Root CA group. This can be done using the Certificates MMC snap-in for the computer account.

To Export the Root CA Certificate

  1. View the site's certificate from the browser.
  2. On the Certification Path tab, select the Root CA cert (at the top of the chain).
  3. Click the View Certificate button.
  4. On the Details tab of the Root CA cert click Copy to File. (DER encoded .CER is fine).

To trust the Root CA

  1. Open the Certificates MMC snap-in for the Computer (start > mmc > Add snap-in > certificates)
  2. Navigate to the "Trusted Root Certification Authorities" folder
  3. Right-click on the Certificates folder, choose All Tasks > Import.
  4. Browse to the .cer file and follow the wizard.
answered 2013-10-15T09:39:21.773
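
The import steps in the answer above can also be scripted, and the failing chain can be inspected without turning validation off. The following is an added example, not code from the question or the answer; `RootTrust`, `cerPath` and the thumbprint placeholder are assumptions, and the expected thumbprint must be obtained from the CA out of band.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class RootTrust
{
    // Placeholder (assumption): replace with the root's thumbprint as published by the CA.
    const string ExpectedThumbprint = "<EXPECTED-ROOT-THUMBPRINT>";

    // Scripted form of the MMC import: add the exported root to LocalMachine\Root.
    // Requires administrator rights. cerPath is a hypothetical path to the exported .cer file.
    public static void ImportRoot(string cerPath)
    {
        var root = new X509Certificate2(cerPath);
        // A root is self-signed, and it must be exactly the certificate we intend to trust.
        if (root.Subject != root.Issuer ||
            !string.Equals(root.Thumbprint, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Unexpected certificate: " + root.Subject);

        var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);
        try { store.Add(root); }
        finally { store.Close(); }
    }

    // Diagnostic callback: logs every chain element and its status flags, but still
    // accepts the connection only when Windows reported no policy errors.
    public static void LogChainFailures()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, cert, chain, errors) =>
            {
                if (errors != SslPolicyErrors.None && chain != null)
                {
                    foreach (X509ChainElement e in chain.ChainElements)
                        foreach (X509ChainStatus s in e.ChainElementStatus)
                            Console.Error.WriteLine("{0}: {1}", e.Certificate.Subject, s.Status);
                }
                return errors == SslPolicyErrors.None;
            };
    }
}
```

With `LogChainFailures()` installed, a missing root shows up as an `UntrustedRoot` status on the last chain element, which confirms that importing the root is the right fix before the machine store is changed.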