To perform custom TLS/SSL certificate validation, use the ServicePointManager.ServerCertificateValidationCallback
callback. Inside the callback you can return true or false based on whatever logic you prefer.
I have access to the SSL private key; the question is how to install the private key into the application so that it can decrypt the public key from the website?
Absolutely not. The private key must never ever leave the site. Besides, there is nothing to decrypt in the certificate. The certificate is signed using the private key, and validating the signature requires the public key, which is embedded in the certificate. The certificate you receive will certainly be valid, because otherwise the whole SSL/TLS handshake would fail.
What you need to decide is whether you trust the certificate you received.
A naive solution is to hardcode a certificate property in your code (say, the thumbprint) and then validate the received certificate's thumbprint. However, such a validation will prove to be bad as soon as you need to change the site certificate.
Another naive solution is to validate the certificate authority, but then anyone can create a self-signed certificate and forge the issuing authority you expect.
By far the best solution is to use a trusted certificate for your site. Since letsencrypt.org became available, there is really no reason not to have a trusted certificate on your website.
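As an added example (not code from either answer above), here is a ServerCertificateValidationCallback that keeps the platform's normal trust checks and adds a thumbprint pin on top, with room for more than one thumbprint so that rotating the site certificate does not break every deployed client at once; the thumbprint values are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class PinnedTlsValidation
{
    // Constructed placeholder thumbprints (SHA-1 hex, the format X509Certificate2.Thumbprint returns).
    // Hold both the current certificate and the one you will rotate to, then drop the old entry
    // after the rotation; a single hardcoded value is exactly what makes rotation painful.
    static readonly HashSet<string> AllowedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "0000000000000000000000000000000000000000", // placeholder: current site certificate
            "1111111111111111111111111111111111111111", // placeholder: next site certificate
        };

    // Signature required by the RemoteCertificateValidationCallback delegate.
    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Let the platform verify chain, expiry and host name first. The pin is an extra
        // restriction on top of normal trust, never a substitute for it, so a chain error
        // or a missing certificate is rejected before the thumbprint is even compared.
        if (sslPolicyErrors != SslPolicyErrors.None || certificate == null)
            return false;

        var leaf = new X509Certificate2(certificate);
        return AllowedThumbprints.Contains(leaf.Thumbprint);
    }

    // Installs the callback process-wide for HttpWebRequest (and HttpClient on .NET Framework).
    public static void Install()
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
```

On .NET Core and newer .NET Framework versions the same delegate body can be assigned per handler via HttpClientHandler.ServerCertificateCustomValidationCallback instead of the process-wide ServicePointManager setting.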