Owin Twitter login - The remote certificate is invalid according to the validation procedure

use*_*365 68 .net twitter asp.net-mvc twitter-oauth owin

I recently ran into this error when trying to log in with Twitter - any ideas why?

Stack Trace: 


[AuthenticationException: The remote certificate is invalid according to the validation procedure.]
   System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) +230
   System.Net.PooledStream.EndWrite(IAsyncResult asyncResult) +13
   System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar) +123

[WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.]
   System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) +6432446
   System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar) +64

Mic*_*ake 95

Thanks to the power of open source, we can see that the thumbprints for the Twitter certificates are coded into the Katana project.

Microsoft.Owin.Security.Twitter.TwitterAuthenticationOptions

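Recently some of the certificates must have changed, and now the thumbprints no longer match.

Please add a new thumbprint for the "VeriSign Class 3 Public Primary Certification Authority - G5" certificate to the Twitter Auth options in your Startup.Auth.cs (for MVC users).

Change from the default: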

app.UseTwitterAuthentication(
    consumerKey: "XXXX",
    consumerSecret: "XXX"
);

To this:

app.UseTwitterAuthentication(new TwitterAuthenticationOptions
{
    ConsumerKey = "XXXX",
    ConsumerSecret = "XXXX",
    BackchannelCertificateValidator = new CertificateSubjectKeyIdentifierValidator(new[]
    {
        "A5EF0B11CEC04103A34A659048B21CE0572D7D47", // VeriSign Class 3 Secure Server CA - G2
        "0D445C165344C1827E1D20AB25F40163D8BE79A5", // VeriSign Class 3 Secure Server CA - G3
        "7FD365A7C2DDECBBF03009F34339FA02AF333133", // VeriSign Class 3 Public Primary Certification Authority - G5
        "39A55D933676616E73A761DFA16A7E59CDE66FAD", // Symantec Class 3 Secure Server CA - G4
        "5168FF90AF0207753CCCD9656462A212B859723B", // DigiCert SHA2 High Assurance Server CA
        "B13EC36903F8BF4701D498261A0802EF63642BC3" // DigiCert High Assurance EV Root CA
    })
});

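  • Happened again, this time I see DigiCert. "5168FF90AF0207753CCCD9656462A212B859723B", // DigiCert SHA2 High Assurance Server CA "B13EC36903F8BF4701D498261A0802EF63642BC3" // DigiCert High Assurance EV Root CA (10 upvotes)
  • Had to change "CertValidator" to "CertificateThumbprintValidator" and add 39A55D933676616E73A761DFA16A7E59CDE66FAD - Symantec Class 3 Secure Server CA - G4 - now I can get back to what I was supposed to be doing! (6 upvotes)
  • Note that the certificates were removed in Katana 3.1, so this won't break in the future. (2 upvotes)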

web*_*uff 86

To summarize and save people digging through the comments, here is the latest config:

app.UseTwitterAuthentication(new TwitterAuthenticationOptions
{
    ConsumerKey = "XXXX",
    ConsumerSecret = "XXXX",
    BackchannelCertificateValidator = new Microsoft.Owin.Security.CertificateSubjectKeyIdentifierValidator(new[]
    {
        "A5EF0B11CEC04103A34A659048B21CE0572D7D47", // VeriSign Class 3 Secure Server CA - G2
        "0D445C165344C1827E1D20AB25F40163D8BE79A5", // VeriSign Class 3 Secure Server CA - G3
        "7FD365A7C2DDECBBF03009F34339FA02AF333133", // VeriSign Class 3 Public Primary Certification Authority - G5
        "39A55D933676616E73A761DFA16A7E59CDE66FAD", // Symantec Class 3 Secure Server CA - G4
        "add53f6680fe66e383cbac3e60922e3b4c412bed", // Symantec Class 3 EV SSL CA - G3
        "4eb6d578499b1ccf5f581ead56be3d9b6744a5e5", // VeriSign Class 3 Primary CA - G5
        "5168FF90AF0207753CCCD9656462A212B859723B", // DigiCert SHA2 High Assurance Server CA
        "B13EC36903F8BF4701D498261A0802EF63642BC3" // DigiCert High Assurance EV Root CA
    })
});

All credit goes to @MichaelLake and @KennethIto.

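  • Does anyone know whether Twitter will announce when they are going to change the thumbprints? Or will we always have to wait for it to break? (7 upvotes)
  • And SO comes to the aid of this lazy developer once again! (3 upvotes)
  • I'd love to know how you guys worked out which certificates needed to be added? I used Fiddler with HTTPS decryption enabled, but I couldn't figure out how you found which certificates were missing? (2 upvotes)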
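
An added example, not part of the original answers or of Katana itself: a wrapper around the pinned validator configured above that, when the backchannel certificate is rejected, traces each chain element's subject, subject key identifier and SHA-1 thumbprint so you can see what changed. The class name `ChainLoggingValidator` is hypothetical; it assumes the `ICertificateValidator` interface from Microsoft.Owin.Security, which is the type `BackchannelCertificateValidator` accepts.

```csharp
using System;
using System.Diagnostics;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Owin.Security;

// Hypothetical helper (added example): delegates the trust decision to an inner
// validator and only adds diagnostics when that validator rejects the connection.
public sealed class ChainLoggingValidator : ICertificateValidator
{
    private const string SubjectKeyIdentifierOid = "2.5.29.14";
    private readonly ICertificateValidator _inner;

    public ChainLoggingValidator(ICertificateValidator inner)
    {
        if (inner == null) throw new ArgumentNullException("inner");
        _inner = inner;
    }

    public bool Validate(object sender, X509Certificate certificate,
                         X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        bool accepted = _inner.Validate(sender, certificate, chain, sslPolicyErrors);
        if (!accepted)
        {
            // A non-None value means the platform's own chain/name checks failed,
            // which is a different problem from a pinned identifier going stale.
            Trace.TraceWarning("Backchannel certificate rejected; SslPolicyErrors={0}", sslPolicyErrors);
            if (chain != null)
            {
                foreach (X509ChainElement element in chain.ChainElements)
                {
                    Trace.TraceWarning("  subject={0} ski={1} sha1={2}",
                        element.Certificate.Subject,
                        GetSubjectKeyIdentifier(element.Certificate) ?? "(none)",
                        element.Certificate.Thumbprint);
                }
            }
        }
        return accepted; // the inner verdict is returned unchanged; trust is never widened here
    }

    // Reads the Subject Key Identifier extension as an upper-case hex string.
    private static string GetSubjectKeyIdentifier(X509Certificate2 cert)
    {
        var ext = cert.Extensions[SubjectKeyIdentifierOid] as X509SubjectKeyIdentifierExtension;
        return ext == null ? null : ext.SubjectKeyIdentifier;
    }
}
```

Assign it as `BackchannelCertificateValidator = new ChainLoggingValidator(new CertificateSubjectKeyIdentifierValidator(...))` with the same identifier list as above. Confirm any newly logged identifier against the CA's published certificate before adding it to the list; an intercepting proxy such as Fiddler shows up in the trace as its own issuer rather than as a public CA.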

Mat*_*att 6

Turn off Fiddler.

Somehow the Fiddler web debugger messes up Twitter's OAuth.


Mar*_*cik 5

For testing purposes only (!), it is also possible to set

options.BackchannelCertificateValidator = null;

and add to your Global.asax Application_Start:

ServicePointManager.ServerCertificateValidationCallback = delegate 
{ 
    return true; 
};