.Net Programming: What to validate on an SSL self-

Posted 2019-03-29 10:03

I cannot get the users to create real certs for their servers but I'd like to do some security checks. So the following is too light because, as I read it, there is no checking on the certs.

ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

What do you recommend that I have the clients check on the X.509 cert? Given that I'm using a .NET language (C#/F#).

3 answers
仙女界的扛把子
#2 -- · 2019-03-29 10:41

If you're using self-signed certs then the only error you should expect is a chain error on the root (cert issuer). I would suggest something like this that traps for that chain error specifically and lets all other errors fall through.

using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

ServicePointManager.ServerCertificateValidationCallback += new RemoteCertificateValidationCallback(
    ValidateRemoteCertificate
);

private static bool ValidateRemoteCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors policyErrors)
{
    // For a self-signed cert the issuer DN and the subject DN are the same.
    string trustedIssuer = "CN=www.domain.com";
    string trustedDomain = "CN=www.domain.com";
    bool policyErr = false;

    switch (policyErrors)
    {
        case SslPolicyErrors.None:
            // Clean chain and matching name: nothing to do.
            break;
        case SslPolicyErrors.RemoteCertificateChainErrors:
            bool chainErr = false;
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                switch (status.Status)
                {
                    case X509ChainStatusFlags.NoError:
                        break;
                    case X509ChainStatusFlags.UntrustedRoot:
                        // Tolerate the untrusted root only for the expected subject and issuer.
                        if (certificate.Subject != trustedDomain || certificate.Issuer != trustedIssuer)
                            chainErr = true;
                        break;
                    default:
                        // Any other chain problem (expired, revoked, bad signature, ...) fails.
                        chainErr = true;
                        break;
                }
            }
            policyErr |= chainErr;
            break;
        default:
            // Name mismatch, unavailable cert, or a combination of errors fails.
            policyErr = true;
            break;
    }

    return !policyErr;
}
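Added example (my own code, not from any reply in this thread): the reply above keys the exception on the Subject/Issuer strings, which anyone who generates a self-signed cert can reproduce. Pinning the SHA-256 fingerprint of the certificate's DER encoding ties the exception to the one key pair you actually distributed. The fingerprint value below is a placeholder, and the class and method names are my own.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: pin the self-signed server certificate by the SHA-256 hash of its
// DER encoding rather than by its Subject/Issuer strings.
public static class PinnedCertificateValidator
{
    // PLACEHOLDER value. Replace with the real fingerprint of the certificate you hand
    // out with the client, e.g. from:
    //   openssl x509 -in server.crt -noout -fingerprint -sha256
    // (strip the colons). One entry per server, so a rotation can list old and new.
    private static readonly string[] TrustedFingerprints =
    {
        "0000000000000000000000000000000000000000000000000000000000000000",
    };

    // Hex SHA-256 of the certificate's raw DER bytes.
    public static string Sha256Fingerprint(X509Certificate certificate)
    {
        using (SHA256 sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(certificate.GetRawCertData());
            return BitConverter.ToString(hash).Replace("-", string.Empty);
        }
    }

    public static bool ValidateRemoteCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors policyErrors)
    {
        if (certificate == null)
            return false;

        // A certificate that chains to a system-trusted root with a matching name is fine.
        if (policyErrors == SslPolicyErrors.None)
            return true;

        // SslPolicyErrors is a [Flags] enum. Anything other than exactly "chain errors"
        // (a host-name mismatch, or no certificate at all) is rejected outright.
        if (policyErrors != SslPolicyErrors.RemoteCertificateChainErrors || chain == null)
            return false;

        // The only chain problem tolerated is the untrusted (self-signed) root.
        // Expiry, revocation, a bad signature or a broken chain still fail.
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if (status.Status != X509ChainStatusFlags.NoError &&
                status.Status != X509ChainStatusFlags.UntrustedRoot)
                return false;
        }

        // Finally, the presented certificate must be one of the pinned ones.
        string presented = Sha256Fingerprint(certificate);
        foreach (string pinned in TrustedFingerprints)
        {
            if (string.Equals(pinned, presented, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // Wire it up for HttpWebRequest/WebClient (the ServicePointManager API from the question).
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateRemoteCertificate;
    }
}
```

Because the host-name check is left to the framework (a mismatch sets RemoteCertificateNameMismatch, which the second test rejects), the pin only has to answer "is this the cert I shipped?". On .NET Core and .NET 5+, HttpClient ignores ServicePointManager; there you assign the same method to HttpClientHandler.ServerCertificateCustomValidationCallback, whose X509Certificate2 parameter converts to X509Certificate without a cast.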
够拽才男人
#3 -- · 2019-03-29 10:54

If you can check certs, you could put your own validation logic in the function ValidateRemoteCertificate.

using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

System.Net.ServicePointManager.ServerCertificateValidationCallback += (a, b, c, d) =>
{
    return ValidateRemoteCertificate(a, b, c, d);
};

private static bool ValidateRemoteCertificate(object sender, X509Certificate certificate,
    X509Chain chain, SslPolicyErrors policyErrors)
{
    // Accept the expected self-signed subject outright; otherwise require a clean chain.
    if (certificate.Subject.Equals("CN=www.domain.com"))
        return true;
    else
        return policyErrors == SslPolicyErrors.None;
}
我想做一个坏孩纸
#4 -- · 2019-03-29 11:02

If you can't get the clients to create real certs you should at least try to get them to create certs using your server. Then you can check that the certificate is valid or at least from your CA because you'll know if your CA has been compromised. If you're trusting any and all CAs there's really nothing worth checking.

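Added example (my own code, not from any reply in this thread) of the "issue the certs from your own CA" approach above: the client ships with the private root and validates the server's chain against that root alone, so certificates from the public CAs in the OS store are not accepted and a compromised public CA cannot impersonate your servers. It assumes .NET 5 or later (for X509ChainTrustMode.CustomRootTrust), a placeholder file path for the root, and that the private CA publishes no revocation data.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: accept only certificates that chain to the private CA root shipped
// with the client. Requires .NET 5+ for X509ChainTrustMode.CustomRootTrust.
public static class PrivateCaValidator
{
    // PLACEHOLDER path: the DER- or PEM-encoded root certificate of your private CA.
    private static readonly X509Certificate2 PrivateRoot = new X509Certificate2("ca-root.cer");

    public static bool ValidateRemoteCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors policyErrors)
    {
        if (certificate == null)
            return false;

        // The framework's own chain result was built against the system roots and is
        // ignored here, but a host-name mismatch or a missing certificate is always fatal.
        const SslPolicyErrors fatal =
            SslPolicyErrors.RemoteCertificateNameMismatch | SslPolicyErrors.RemoteCertificateNotAvailable;
        if ((policyErrors & fatal) != 0)
            return false;

        var leaf = new X509Certificate2(certificate);
        using (var privateChain = new X509Chain())
        {
            // Trust only our root; nothing from the OS store counts.
            privateChain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            privateChain.ChainPolicy.CustomTrustStore.Add(PrivateRoot);
            // Assumption: the private CA publishes no CRL/OCSP, so revocation is not checked.
            // If it does, use X509RevocationMode.Online (or Offline) instead.
            privateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            privateChain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

            // Build() fails on expiry, a bad signature, or a chain that does not end at our root.
            if (!privateChain.Build(leaf))
                return false;

            // Belt and braces: confirm the chain's last element really is our root.
            X509Certificate2 root =
                privateChain.ChainElements[privateChain.ChainElements.Count - 1].Certificate;
            return root.RawData.AsSpan().SequenceEqual(PrivateRoot.RawData);
        }
    }
}
```

On .NET Framework, where CustomRootTrust does not exist, the equivalent is to add the root to ChainPolicy.ExtraStore, set X509VerificationFlags.AllowUnknownCertificateAuthority, and then rely on the final RawData comparison against the root to reject any chain that terminates elsewhere. As with the pinning example, HttpClient on .NET Core/5+ takes this method via HttpClientHandler.ServerCertificateCustomValidationCallback rather than ServicePointManager.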