绕过 .net 核心中的无效 SSL 证书
bypass invalid SSL certificate in .net core
我正在做一个需要连接到 https 站点的项目。每次连接时,我的代码都会抛出异常,因为该站点的证书来自不受信任的站点。有没有办法绕过 .net core http 中的证书检查?
我在以前的 .NET 版本中看到了这段代码。我想我只需要这样的东西。
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
ServicePointManager.ServerCertificateValidationCallback 在 .Net Core 中不受支持。
目前的情况是
即将推出的 4.1.* System.Net.Http 合同 (HttpClient) 的新 ServerCertificateCustomValidationCallback 方法。 .NET Core 团队现在正在敲定 4.1 合同。您可以在 here on github
中阅读相关内容
您可以直接在 CoreFx 或 MYGET 提要中使用源来试用 System.Net.Http 4.1 的预发布版本:
https://dotnet.myget.org/gallery/dotnet-core
Github
上的当前 WinHttpHandler.ServerCertificateCustomValidationCallback 定义
来这里寻找相同问题的答案,但我使用的是 WCF for NET Core。如果您在同一条船上,请使用:
client.ClientCredentials.ServiceCertificate.SslCertificateAuthentication =
new X509ServiceCertificateAuthentication()
{
CertificateValidationMode = X509CertificateValidationMode.None,
RevocationMode = X509RevocationMode.NoCheck
};
更新:
如下所述,并非所有实现都支持此回调(即像 iOS 这样的平台)。在这种情况下,正如 docs 所说,您可以显式设置验证器:
handler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
这也适用于 .NET Core 2.2、3.0 和 3.1
旧答案,控制更多但可能会抛出 PlatformNotSupportedException:
您可以像这样使用匿名回调函数覆盖对 HTTP 调用的 SSL 证书检查
using (var httpClientHandler = new HttpClientHandler())
{
httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; };
using (var client = new HttpClient(httpClientHandler))
{
// Make your request...
}
}
此外,我建议为 HttpClient 使用工厂模式,因为它是一个可能不会立即释放的共享对象,因此 connections will stay open。
在 .NET Core 2.2 和 Docker Linux 容器上使用自签名证书和客户端证书身份验证时,我遇到了同样的问题。在我的开发 Windows 机器上一切正常,但在 Docker 中我得到这样的错误:
System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure
幸运的是,证书是使用链生成的。
当然,你也可以忽略这个方案,直接使用上面的方案。
所以这是我的解决方案:
我使用 Chrome 在我的计算机上以 P7B 格式保存了证书。
使用此命令将证书转换为 PEM 格式:
openssl pkcs7 -inform DER -outform PEM -in <cert>.p7b -print_certs > ca_bundle.crt
打开ca_bundle.crt文件并删除所有主题记录,留下一个干净的文件。下面的示例:
-----BEGIN CERTIFICATE-----
_BASE64 DATA_
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
_BASE64 DATA_
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
_BASE64 DATA_
-----END CERTIFICATE-----
- 将这些行放入 Docker 文件(在最后的步骤中):
# Update system and install curl and ca-certificates
RUN apt-get update && apt-get install -y curl && apt-get install -y ca-certificates
# Copy your bundle file to the system trusted storage
COPY ./ca_bundle.crt /usr/local/share/ca-certificates/ca_bundle.crt
# During docker build, after this line you will get such output: 1 added, 0 removed; done.
RUN update-ca-certificates
- 在应用程序中:
var address = new EndpointAddress("https://serviceUrl");
var binding = new BasicHttpsBinding
{
CloseTimeout = new TimeSpan(0, 1, 0),
OpenTimeout = new TimeSpan(0, 1, 0),
ReceiveTimeout = new TimeSpan(0, 1, 0),
SendTimeout = new TimeSpan(0, 1, 0),
MaxBufferPoolSize = 524288,
MaxBufferSize = 65536,
MaxReceivedMessageSize = 65536,
TextEncoding = Encoding.UTF8,
TransferMode = TransferMode.Buffered,
UseDefaultWebProxy = true,
AllowCookies = false,
BypassProxyOnLocal = false,
ReaderQuotas = XmlDictionaryReaderQuotas.Max,
Security =
{
Mode = BasicHttpsSecurityMode.Transport,
Transport = new HttpTransportSecurity
{
ClientCredentialType = HttpClientCredentialType.Certificate,
ProxyCredentialType = HttpProxyCredentialType.None
}
}
};
var client = new MyWSClient(binding, address);
client.ClientCredentials.ClientCertificate.Certificate = GetClientCertificate("clientCert.pfx", "passwordForClientCert");
// Client certs must be installed
client.ClientCredentials.ServiceCertificate.SslCertificateAuthentication = new X509ServiceCertificateAuthentication
{
CertificateValidationMode = X509CertificateValidationMode.ChainTrust,
TrustedStoreLocation = StoreLocation.LocalMachine,
RevocationMode = X509RevocationMode.NoCheck
};
GetClientCertificate 方法:
private static X509Certificate2 GetClientCertificate(string clientCertName, string password)
{
//Create X509Certificate2 object from .pfx file
byte[] rawData = null;
using (var f = new FileStream(Path.Combine(AppContext.BaseDirectory, clientCertName), FileMode.Open, FileAccess.Read))
{
var size = (int)f.Length;
var rawData = new byte[size];
f.Read(rawData, 0, size);
f.Close();
}
return new X509Certificate2(rawData, password);
}
在 .NetCore 中,您可以在服务配置方法中添加以下代码片段,我添加了一个检查以确保我们只在开发环境中绕过 SSL 证书
services.AddHttpClient("HttpClientName", client => {
// code to configure headers etc..
}).ConfigurePrimaryHttpMessageHandler(() => {
var handler = new HttpClientHandler();
if (hostingEnvironment.IsDevelopment())
{
handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; };
}
return handler;
});
我用这个解决:
Startup.cs
public void ConfigureServices(IServiceCollection services)
{
services.AddHttpClient("HttpClientWithSSLUntrusted").ConfigurePrimaryHttpMessageHandler(() => new HttpClientHandler
{
ClientCertificateOptions = ClientCertificateOption.Manual,
ServerCertificateCustomValidationCallback =
(httpRequestMessage, cert, cetChain, policyErrors) =>
{
return true;
}
});
YourService.cs
public UserService(IHttpClientFactory clientFactory, IOptions<AppSettings> appSettings)
{
_appSettings = appSettings.Value;
_clientFactory = clientFactory;
}
var request = new HttpRequestMessage(...
var client = _clientFactory.CreateClient("HttpClientWithSSLUntrusted");
HttpResponseMessage response = await client.SendAsync(request);
首先,不要在生产中使用它
如果您正在使用 AddHttpClient 中间件,这将很有用。
我认为这是开发目的而不是生产所需要的。在创建有效证书之前,您可以使用此 Func。
Func<HttpMessageHandler> configureHandler = () =>
{
var bypassCertValidation = Configuration.GetValue<bool>("BypassRemoteCertificateValidation");
var handler = new HttpClientHandler();
//!DO NOT DO IT IN PRODUCTION!! GO AND CREATE VALID CERTIFICATE!
if (bypassCertValidation)
{
handler.ServerCertificateCustomValidationCallback = (httpRequestMessage, x509Certificate2, x509Chain, sslPolicyErrors) =>
{
return true;
};
}
return handler;
};
并像
一样应用它
services.AddHttpClient<IMyClient, MyClient>(x => { x.BaseAddress = new Uri("https://localhost:5005"); })
.ConfigurePrimaryHttpMessageHandler(configureHandler);
允许所有证书非常强大,但也可能很危险。如果您只想允许有效证书加上某些特定证书,可以这样做。
using (var httpClientHandler = new HttpClientHandler())
{
httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, sslPolicyErrors) => {
if (sslPolicyErrors == SslPolicyErrors.None)
{
return true; //Is valid
}
if (cert.GetCertHashString() == "99E92D8447AEF30483B1D7527812C9B7B3A915A7")
{
return true;
}
return false;
};
using (var httpClient = new HttpClient(httpClientHandler))
{
var httpResponse = httpClient.GetAsync("https://example.com").Result;
}
}
原始出处:
对于 .NET 6,您可以像这样配置您的主要 Http 消息处理程序:
services.AddHttpClient<ITodoListService, TodoListService>()
.ConfigurePrimaryHttpMessageHandler(() => {
var handler = new HttpClientHandler();
if (currentEnvironment.IsDevelopment()) {
handler.ServerCertificateCustomValidationCallback =
HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
}
return handler;
});
我正在做一个需要连接到 https 站点的项目。每次连接时,我的代码都会抛出异常,因为该站点的证书来自不受信任的站点。有没有办法绕过 .net core http 中的证书检查?
我在以前的 .NET 版本中看到了这段代码。我想我只需要这样的东西。
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
ServicePointManager.ServerCertificateValidationCallback 在 .Net Core 中不受支持。
目前的情况是 即将推出的 4.1.* System.Net.Http 合同 (HttpClient) 的新 ServerCertificateCustomValidationCallback 方法。 .NET Core 团队现在正在敲定 4.1 合同。您可以在 here on github
中阅读相关内容您可以直接在 CoreFx 或 MYGET 提要中使用源来试用 System.Net.Http 4.1 的预发布版本: https://dotnet.myget.org/gallery/dotnet-core
Github
上的当前 WinHttpHandler.ServerCertificateCustomValidationCallback 定义来这里寻找相同问题的答案,但我使用的是 WCF for NET Core。如果您在同一条船上,请使用:
client.ClientCredentials.ServiceCertificate.SslCertificateAuthentication =
new X509ServiceCertificateAuthentication()
{
CertificateValidationMode = X509CertificateValidationMode.None,
RevocationMode = X509RevocationMode.NoCheck
};
更新:
如下所述,并非所有实现都支持此回调(即像 iOS 这样的平台)。在这种情况下,正如 docs 所说,您可以显式设置验证器:
handler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
这也适用于 .NET Core 2.2、3.0 和 3.1
旧答案,控制更多但可能会抛出 PlatformNotSupportedException:
您可以像这样使用匿名回调函数覆盖对 HTTP 调用的 SSL 证书检查
using (var httpClientHandler = new HttpClientHandler())
{
httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; };
using (var client = new HttpClient(httpClientHandler))
{
// Make your request...
}
}
此外,我建议为 HttpClient 使用工厂模式,因为它是一个可能不会立即释放的共享对象,因此 connections will stay open。
在 .NET Core 2.2 和 Docker Linux 容器上使用自签名证书和客户端证书身份验证时,我遇到了同样的问题。在我的开发 Windows 机器上一切正常,但在 Docker 中我得到这样的错误:
System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure
幸运的是,证书是使用链生成的。 当然,你也可以忽略这个方案,直接使用上面的方案。
所以这是我的解决方案:
我使用 Chrome 在我的计算机上以 P7B 格式保存了证书。
使用此命令将证书转换为 PEM 格式:
openssl pkcs7 -inform DER -outform PEM -in <cert>.p7b -print_certs > ca_bundle.crt打开ca_bundle.crt文件并删除所有主题记录,留下一个干净的文件。下面的示例:
-----BEGIN CERTIFICATE-----
_BASE64 DATA_
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
_BASE64 DATA_
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
_BASE64 DATA_
-----END CERTIFICATE-----
- 将这些行放入 Docker 文件(在最后的步骤中):
# Update system and install curl and ca-certificates
RUN apt-get update && apt-get install -y curl && apt-get install -y ca-certificates
# Copy your bundle file to the system trusted storage
COPY ./ca_bundle.crt /usr/local/share/ca-certificates/ca_bundle.crt
# During docker build, after this line you will get such output: 1 added, 0 removed; done.
RUN update-ca-certificates
- 在应用程序中:
var address = new EndpointAddress("https://serviceUrl");
var binding = new BasicHttpsBinding
{
CloseTimeout = new TimeSpan(0, 1, 0),
OpenTimeout = new TimeSpan(0, 1, 0),
ReceiveTimeout = new TimeSpan(0, 1, 0),
SendTimeout = new TimeSpan(0, 1, 0),
MaxBufferPoolSize = 524288,
MaxBufferSize = 65536,
MaxReceivedMessageSize = 65536,
TextEncoding = Encoding.UTF8,
TransferMode = TransferMode.Buffered,
UseDefaultWebProxy = true,
AllowCookies = false,
BypassProxyOnLocal = false,
ReaderQuotas = XmlDictionaryReaderQuotas.Max,
Security =
{
Mode = BasicHttpsSecurityMode.Transport,
Transport = new HttpTransportSecurity
{
ClientCredentialType = HttpClientCredentialType.Certificate,
ProxyCredentialType = HttpProxyCredentialType.None
}
}
};
var client = new MyWSClient(binding, address);
client.ClientCredentials.ClientCertificate.Certificate = GetClientCertificate("clientCert.pfx", "passwordForClientCert");
// Client certs must be installed
client.ClientCredentials.ServiceCertificate.SslCertificateAuthentication = new X509ServiceCertificateAuthentication
{
CertificateValidationMode = X509CertificateValidationMode.ChainTrust,
TrustedStoreLocation = StoreLocation.LocalMachine,
RevocationMode = X509RevocationMode.NoCheck
};
GetClientCertificate 方法:
private static X509Certificate2 GetClientCertificate(string clientCertName, string password)
{
//Create X509Certificate2 object from .pfx file
byte[] rawData = null;
using (var f = new FileStream(Path.Combine(AppContext.BaseDirectory, clientCertName), FileMode.Open, FileAccess.Read))
{
var size = (int)f.Length;
var rawData = new byte[size];
f.Read(rawData, 0, size);
f.Close();
}
return new X509Certificate2(rawData, password);
}
在 .NetCore 中,您可以在服务配置方法中添加以下代码片段,我添加了一个检查以确保我们只在开发环境中绕过 SSL 证书
services.AddHttpClient("HttpClientName", client => {
// code to configure headers etc..
}).ConfigurePrimaryHttpMessageHandler(() => {
var handler = new HttpClientHandler();
if (hostingEnvironment.IsDevelopment())
{
handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; };
}
return handler;
});
我用这个解决:
Startup.cs
public void ConfigureServices(IServiceCollection services)
{
services.AddHttpClient("HttpClientWithSSLUntrusted").ConfigurePrimaryHttpMessageHandler(() => new HttpClientHandler
{
ClientCertificateOptions = ClientCertificateOption.Manual,
ServerCertificateCustomValidationCallback =
(httpRequestMessage, cert, cetChain, policyErrors) =>
{
return true;
}
});
YourService.cs
public UserService(IHttpClientFactory clientFactory, IOptions<AppSettings> appSettings)
{
_appSettings = appSettings.Value;
_clientFactory = clientFactory;
}
var request = new HttpRequestMessage(...
var client = _clientFactory.CreateClient("HttpClientWithSSLUntrusted");
HttpResponseMessage response = await client.SendAsync(request);
首先,不要在生产中使用它
如果您正在使用 AddHttpClient 中间件,这将很有用。 我认为这是开发目的而不是生产所需要的。在创建有效证书之前,您可以使用此 Func。
Func<HttpMessageHandler> configureHandler = () =>
{
var bypassCertValidation = Configuration.GetValue<bool>("BypassRemoteCertificateValidation");
var handler = new HttpClientHandler();
//!DO NOT DO IT IN PRODUCTION!! GO AND CREATE VALID CERTIFICATE!
if (bypassCertValidation)
{
handler.ServerCertificateCustomValidationCallback = (httpRequestMessage, x509Certificate2, x509Chain, sslPolicyErrors) =>
{
return true;
};
}
return handler;
};
并像
一样应用它services.AddHttpClient<IMyClient, MyClient>(x => { x.BaseAddress = new Uri("https://localhost:5005"); })
.ConfigurePrimaryHttpMessageHandler(configureHandler);
允许所有证书非常强大,但也可能很危险。如果您只想允许有效证书加上某些特定证书,可以这样做。
using (var httpClientHandler = new HttpClientHandler())
{
httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, sslPolicyErrors) => {
if (sslPolicyErrors == SslPolicyErrors.None)
{
return true; //Is valid
}
if (cert.GetCertHashString() == "99E92D8447AEF30483B1D7527812C9B7B3A915A7")
{
return true;
}
return false;
};
using (var httpClient = new HttpClient(httpClientHandler))
{
var httpResponse = httpClient.GetAsync("https://example.com").Result;
}
}
原始出处:
对于 .NET 6,您可以像这样配置您的主要 Http 消息处理程序:
services.AddHttpClient<ITodoListService, TodoListService>()
.ConfigurePrimaryHttpMessageHandler(() => {
var handler = new HttpClientHandler();
if (currentEnvironment.IsDevelopment()) {
handler.ServerCertificateCustomValidationCallback =
HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
}
return handler;
});