C# 即使 ServerCertificateValidationCallback 返回 true,也会出现“无法为具有授权的 SSL/TLS 建立安全通道”
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/10988005/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Getting "Could not establish secure channel for SSL/TLS with authority" even though ServerCertificateValidationCallback returns true
提问by laindir
I'm working with a vendor who has set up a WCF service (WebHttpBinding) using Transport security with Certificate authentication. I host a similar service for the vendor which is working correctly, so I have a basic idea how this is supposed to work.
我正在与使用具有证书身份验证的传输安全性设置 WCF 服务 (WebHttpBinding) 的供应商合作。我为正常工作的供应商托管了一个类似的服务,所以我有一个基本的想法,它应该如何工作。
Running on Windows 7, when I consume the service under my own account, everything works fine, and I get a response back. When I consume it under a test account, I get an exception in mscorlib that it "Could not establish secure channel for SSL/TLS with authority X.X.X.X". If I add the test account to the built in Administrators group, it works fine.
在 Windows 7 上运行,当我使用自己的帐户使用该服务时,一切正常,并且我得到了回复。当我在测试帐户下使用它时,我在 mscorlib 中得到一个异常,它“无法为具有 XXXX 权限的 SSL/TLS 建立安全通道”。如果我将测试帐户添加到内置管理员组,它工作正常。
The certificate for the server is self-signed with the subject field set as CN=X.X.X.X, and I have the server cert in the Personal store and the CA cert in the Trusted Root Certificate Authorities store.
服务器的证书是自签名的,主题字段设置为 CN=XXXX,我在个人存储中拥有服务器证书,在受信任的根证书颁发机构存储中拥有 CA 证书。
Additionally, if I try setting the System.Net.ServicePointManager.ServerCertificateValidationCallback to print a diagnostic and return true, I get some interesting behavior. Running under my account, the callback is called twice, and then the WCF call succeeds. Running under the test account, it is called once, returns, and then I get the exception above.
此外,如果我尝试设置 System.Net.ServicePointManager.ServerCertificateValidationCallback 以打印诊断信息并返回 true,我会得到一些有趣的行为。在我的账户下运行,回调被调用两次,然后WCF调用成功。在test账户下运行,调用一次,返回,然后就得到了上面的异常。
My best guess is that this is related to some privilege the test account lacks, but I don't understand how Windows handles certificates well enough to know for sure, and I don't know where to start looking.
我最好的猜测是,这与测试帐户缺乏的某些特权有关,但我不明白 Windows 如何很好地处理证书以确保知道,而且我不知道从哪里开始寻找。
采纳答案by laindir
Took a couple hours on the phone with a Microsoft engineer, but the problem is solved. Since this is the exact same error message you see with some server certificate problems, I assumed that must be the issue. As it turned out, the test account did not have access to the client certificate private key. This should be resolvable using winhttpcertcfg (like in winhttpcertcfg giving access to iiS user in Windows 7)
与微软工程师通了几个小时的电话,但问题解决了。由于这与您在某些服务器证书问题中看到的错误消息完全相同,因此我认为这一定是问题所在。事实证明,测试帐户无权访问客户端证书私钥。这应该可以使用 winhttpcertcfg 解决(就像在winhttpcertcfg 中允许访问 Windows 7中的iiS 用户)
回答by Chris
This is the root of the problem: ... I have the server cert in the Personal store and the CA cert in the Trusted Root Certificate Authorities store.
这是问题的根源:...我在个人存储中拥有服务器证书,在受信任的根证书颁发机构存储中拥有 CA 证书。
If you install the server cert under the test account's personal store it should resolve it, i think the command for cmd prompt should be something like
如果您在测试帐户的个人存储下安装服务器证书,它应该可以解决它,我认为 cmd 提示符的命令应该类似于
winhttpcertcfg.exe -g -c LOCALMACHINE\MY -s "certtype" "testuseraccountname"
winhttpcertcfg.exe -g -c LOCALMACHINE\MY -s "certtype" "testuseraccountname"
or use the mmc snap in. (i'm not too sure how reliable this is though, I use the above tool)
或使用 mmc snap in。(我不太确定这有多可靠,我使用上述工具)
