问题
I'm using an HttpWebRequest object to access a web service via an HTTP POST. Part of the requirement is that I:
- Verify that the URL in the certificate matches the URL I'm posting to
- Verify that the certificate is valid and trusted
- Verify that the certificate has not expired
Does HttpWebRequest automatically handle that for me? I'd assume that if any of these conditions came up, I'd get the standard "could not establish trust relationship for the SSL/TLS secure channel" exception.
回答1:
Yes, HttpWebRequest automatically handles these:
- Verify that the URL in the certificate matches the URL you're posting to
- Verify that the certificate is valid and trusted
- Verify that the certificate has not expired
You have to use code like this if you want to disable this functionality.
回答2:
Not really. You still have to check if a sslpolicyerror is returned using a callback function. Make sure to test your implementation against url like this https://rootkit.com/ which is using a self-singed cert.
void InitPhase()
{
// Override automatic validation of SSL server certificates.
ServicePointManager.ServerCertificateValidationCallback =
ValidateServerCertficate;
}
private static bool ValidateServerCertficate(
object sender,
X509Certificate cert,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
{
// Good certificate.
return true;
}
log.DebugFormat("SSL certificate error: {0}", sslPolicyErrors);
bool certMatch = false; // Assume failure
byte[] certHash = cert.GetCertHash();
if (certHash.Length == apiCertHash.Length)
{
certMatch = true; // Now assume success.
for (int idx = 0; idx < certHash.Length; idx++)
{
if (certHash[idx] != apiCertHash[idx])
{
certMatch = false; // No match
break;
}
}
}
// Return true => allow unauthenticated server,
// false => disallow unauthenticated server.
return certMatch;
}
来源:https://stackoverflow.com/questions/2768670/does-httpwebrequest-automatically-take-care-of-certificate-validation