从.NET到APN的SSL/TLS握手 - 远程证书无效

Question

我正在使用.NET从.NET Framework连接到Apple推送通知服务(APN).我正在使用.作为初始握手的一部分,它在网络流上执行.这是代码:SslStreamBinary Provider APISslStreamAuthenticateAsClient

_sslStream = new SslStream(_tcpClient.GetStream());
_sslStream.AuthenticateAsClient(_url,
    new X509CertificateCollection { _certificate },
    SslProtocols.Tls,
    true);

哪里_url是APN的主机名和_certificate应用程序的推送证书.在大多数计算机(运行Windows Server版本)上,这是可以接受的,并且可以继续进行通信.但是,在某些机器上,这将失败.这是确切的错误:

The remote certificate is invalid according to the validation procedure.

代码在本地系统特权下以Windows服务运行.当完全相同的代码作为本地用户下的命令行应用程序运行时,接受握手并继续通信.在Local System using 下运行相同的命令行应用程序会导致相同的错误.我已经检查过本地计算机和当前用户之间的证书存储区域是否存在差异,但没有.pexec -i -s

还测试了"解决方法".在这种改变的形式中,前面显示的代码适用于完全忽略证书.这完全符合您的期望; 不检查收到的证书,可以继续通信.这是看起来像:

_sslStream = new SslStream(_tcpClient.GetStream(), false, (sender, certificate, chain, errors) => true);
_sslStream.AuthenticateAsClient(_url,
    new X509CertificateCollection { _certificate },
    SslProtocols.Tls,
    false);

当然,禁用安全性是一个坏主意.什么可能导致握手破裂？!

Answer 1

这里的挑战是找出哪些要求没有得到满足。您可以使用这个： https: //github.com/rodneyviana/blogdemos/blob/master/TestServerCertificate.zip

• 将其解压到任何地方。确保应用程序已解除阻止（右键单击属性并选中解除阻止（如果存在））
• 以管理员身份打开命令提示符
• 运行此命令以进入系统用户上下文：c:\sysinternals\PsExec -i -s cmd.exe
• 在新的提示窗口中，移至提取工具的文件夹
• 使用以下语法运行：TestServerCertificate [主机] [端口]
• 这会将日志文件和证书链中的证书保存到临时文件夹中。

请参阅下面的示例：

c:\tools>whoami
nt authority\system

c:\tools>TestServerCertificate.exe www.microsoft.com 443
Verify Certificate Details
==========================


Writing logs to C:\WINDOWS\TEMP\certchain_e9ab7362-e5ba-4adc-b47c-7f28c0eddbfc\output.log

c:\tools>notepad C:\WINDOWS\TEMP\certchain_e9ab7362-e5ba-4adc-b47c-7f28c0eddbfc\output.log

这是上面命令的实际日志（当然没有错误）：

Getting certificate from www.microsoft.com 443
TLS Protocol: Tls12
Strength 256

Certificate at www.microsoft.com

Thumbprint: 8FBE50987D59F8C023492162238250C2ED18176A
Subject: CN=www.microsoft.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US
Friendly Name: 
Issuer name: CN=Microsoft IT TLS CA 4, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Valid until: 1/16/2020 3:24:02 PM
Certificate is valid: True
Number of extensions: 10

Writing Certificate: C:\WINDOWS\TEMP\certchain_e9ab7362-e5ba-4adc-b47c-7f28c0eddbfc\certificate_8FBE50987D59F8C023492162238250C2ED18176A.cer

WARNING: Certificate was not found in any location store

Chain Information
=================
Chain revocation flag: ExcludeRoot
Chain revocation mode: Online
Chain verification flag: NoFlag
Chain verification time: 8/11/2018 1:57:30 AM
Chain status length: 0
Chain application policy count: 0
Chain certificate policy count: 0 

Chain Element Information
Number of chain elements: 3


Intermediate Certificate
==============================================

Element thumbprint: 8A38755D0996823FE8FA3116A277CE446EAC4E99
Element subject: CN=Microsoft IT TLS CA 4, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Friendly Name: 
Element issuer name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Element certificate valid until: 5/20/2024 7:52:38 AM
Element certificate is valid: True
Element error status length: 0
Element information: 
Number of element extensions: 8

Writing Certificate: C:\WINDOWS\TEMP\certchain_e9ab7362-e5ba-4adc-b47c-7f28c0eddbfc\Intermediate_8A38755D0996823FE8FA3116A277CE446EAC4E99.cer
Information: Certificate was found installed in store(s) -  CurrentUser\CA

ROOT Certificate
==============================================

Element thumbprint: D4DE20D05E66FC53FE1A50882C78DB2852CAE474
Element subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Friendly Name: DigiCert Baltimore Root
Element issuer name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Element certificate valid until: 5/12/2025 6:59:00 PM
Element certificate is valid: True
Element error status length: 0
Element information: 
Number of element extensions: 3

Writing Certificate: C:\WINDOWS\TEMP\certchain_e9ab7362-e5ba-4adc-b47c-7f28c0eddbfc\ROOT_D4DE20D05E66FC53FE1A50882C78DB2852CAE474.cer
Information: Certificate was found installed in store(s) -  CurrentUser\AuthRoot LocalMachine\AuthRoot CurrentUser\Root LocalMachine\Root
============= End of Report =============

如果日志中没有明确问题，可以贴在这里进行分析。

• 这需要 .NET 4.5 或更高版本。如果您没有它，请将 System.Net 跟踪添加到您的配置文件并重现问题，然后将文件发布到此处进行分析：https ://learn.microsoft.com/en-us/dotnet/framework/network-programming /如何配置网络跟踪