.Net SqlConnection, Server Authentication, and Certificate Pinning

Submitted by a 夏天 on 2019-12-12 10:44:59

Question


How does one pin a certificate when using a SqlConnection? From SqlConnection Connection String Parameter Keywords & Values, I know I can set Encrypted to true to force (encourage?) use of SSL/TLS.

However, to pin a certificate, I believe we need to use ServerCertificateValidationCallback from ServicePointManager (sample code below was offered by Arne Vajhøj for HTTP/HTTPS). I'm not clear how to wire in PinCertificate (from ServicePointManager) to SqlConnection.

UPDATE: Talking with Arne Vajhøj on microsoft.public.dotnet.languages.csharp, it appears it's not possible to have the desired control over the connection. Vajhøj offered a link to Encrypting Connections to SQL Server.

using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class Program
{
  public static void Main(string[] args)
  {
    // The callback is a static, process-wide setting on ServicePointManager
    ServicePointManager.ServerCertificateValidationCallback = PinCertificate;
    WebRequest wr = WebRequest.Create("https://www.google.com/");

    wr.GetResponse();
  }

  public static bool PinCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
  {
    // SHA-1 hash of the certificate presented by the server
    byte[] chash = certificate.GetCertHash();

    // Hex-encode the hash in upper case
    StringBuilder sb = new StringBuilder(chash.Length * 2);
    foreach (byte b in chash)
      sb.AppendFormat("{0:X2}", b);

    // Verify against known SHA1 thumbprint of the certificate
    String hash = sb.ToString();
    if (hash != "C1956DC8A7DFB2A5A56934DA09778E3A11023358")
      return false;

    return true;
  }
}

Answer 1:


How about something like:

System.Net.ServicePointManager.ServerCertificateValidationCallback = New RemoteCertificateValidationCallback(AddressOf ValidateCertificate)

Private Function ValidateCertificate(ByVal sender As Object, ByVal certificate As X509Certificate, ByVal chain As X509Chain, ByVal sslPolicyErrors As SslPolicyErrors) As Boolean
    'Return True to force the certificate to be accepted.
    Return True
End Function
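
For comparison with the two callbacks above, this is an added example (not code from the question, the answer, or Microsoft's documentation) of a pin check that rejects any certificate with policy errors before comparing a SHA-256 hash against a pin set that includes a backup pin. The names `PinDemo`, `PinOf`, `Validate`, `SameBytes` and `SelfSigned`, the host name `db.example.test`, and the throwaway self-signed certificates are constructed for illustration; `CertificateRequest` is assumed to be available (.NET Framework 4.7.2 or later, or .NET Core 2.0 or later).

```csharp
using System;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinDemo
{
    // SHA-256 over the DER-encoded certificate (the question's code compares the SHA-1 hash).
    public static byte[] PinOf(X509Certificate cert)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(cert.GetRawCertData());
    }

    // Pinning narrows trust: chain and host name checks must already have passed.
    public static bool Validate(X509Certificate cert, SslPolicyErrors errors, byte[][] pins)
    {
        if (cert == null || errors != SslPolicyErrors.None) return false;
        byte[] actual = PinOf(cert);
        return pins.Any(p => SameBytes(p, actual));
    }

    // Compares every byte instead of returning at the first difference.
    static bool SameBytes(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Constructed sample input: a throwaway self-signed certificate, valid for one day.
    static X509Certificate2 SelfSigned(string subject)
    {
        using (RSA key = RSA.Create(2048))
            return new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
                .CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
    }

    public static void Main()
    {
        X509Certificate2 current = SelfSigned("CN=db.example.test"), backup = SelfSigned("CN=db.example.test");
        X509Certificate2 rogue = SelfSigned("CN=db.example.test"); // same name, different key
        byte[][] pins = { PinOf(current), PinOf(backup) }; // primary pin plus a backup for rotation
        RemoteCertificateValidationCallback check = (s, c, ch, e) => Validate(c, e, pins); // same delegate type as PinCertificate
        Console.WriteLine("pinned:      " + check(null, current, null, SslPolicyErrors.None));
        Console.WriteLine("unpinned:    " + check(null, rogue, null, SslPolicyErrors.None));
        Console.WriteLine("chain error: " + check(null, current, null, SslPolicyErrors.RemoteCertificateChainErrors));
    }
}
```

The `check` delegate can be assigned to `ServicePointManager.ServerCertificateValidationCallback` the same way `PinCertificate` is in the question. The update in the question reports that `SqlConnection` offers no equivalent hook.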


Source: https://stackoverflow.com/questions/8691955/net-sqlconnection-server-authentication-and-certificate-pinning
