禁用 AuthenticateAsServer 的证书验证似乎不起作用

Question

我正在开发一个更大的 C# 套接字应用程序，它将通过 SSL 使用服务器和客户端身份验证。为了在我的本地机器上测试应用程序的其他部分，我需要禁用认证验证。我已尝试按照其他一些地方的建议覆盖 ServerCertificateValidationNCallback，但我继续遇到异常。我正在使用使用 OpenSSL 创建的自签名证书进行测试。

我尝试过的解决方案的文章：

• Disabling certificate revocation checking for an application on Windows
• How to ignore the certificate check when ssl
• C# Ignore certificate errors?

我得到的异常：

StackTrace:    at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)

我已将服务器代码缩减为以下内容：

 ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
 X509Certificate2 cert = new X509Certificate2("server.pfx", "password");

 IPAddress ip = IPAddress.Parse("127.0.0.1");
 TcpListener server = new TcpListener(ip, 8000);
 server.Start();

 TcpClient client = server.AcceptTcpClient();
 Console.WriteLine(client.Client.RemoteEndPoint.ToString() + ":" + ((IPEndPoint)client.Client.RemoteEndPoint).Port + " connected");
 SslStream ssl = new SslStream(client.GetStream(), false);
 ssl.AuthenticateAsServer(cert, true, SslProtocols.Tls, false);

而客户端代码如下：

ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
TcpClient client = new TcpClient("127.0.0.1", 8000);
X509Certificate2Collection coll = new X509Certificate2Collection();
coll.Add(new X509Certificate2("client.pfx", "password"));
byte[] data = Encoding.UTF8.GetBytes("Hello from the client!");

using (SslStream ssl = new SslStream(client.GetStream(), false))
{
  ssl.AuthenticateAsClient("127.0.0.1", coll, SslProtocols.Tls, false);
  ssl.Write(data, 0, data.Length);
  data = new Byte[8192];
  int bytes = 0;
  string resp = "";

  do
  {
    bytes = ssl.Read(data, 0, data.Length);
    if (bytes > 0) resp += System.Text.Encoding.ASCII.GetString(data, 0, bytes);
  }
  while (bytes > 0);

  Console.WriteLine("Response: " + resp);
}

client.Close();

异常发生在 AuthenticateAsServer 和 AuthenticateAsClient 上。应用程序的设计需要使用客户端证书。

我已尝试将 PFX 文件导入证书存储区，结果没有任何区别。

我还尝试使用 makecert 重新创建自签名证书和私钥，并使用 pvk2pfx.exe 转换为 PFX，结果没有任何区别。我的想法是，也许它们是在另一台机器上创建的。

Answer 1

显然这一行还不够：

ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

我必须将我的 SslStream 从： （服务器）

SslStream ssl = new SslStream(client.GetStream(), false);

和（客户）

using (SslStream ssl = new SslStream(client.GetStream(), false))

到： （服务器）

SslStream ssl = new SslStream(client.GetStream(), false, new RemoteCertificateValidationCallback(ValidateCert));

和（客户）

using (SslStream ssl = new SslStream(client.GetStream(), false, new RemoteCertificateValidationCallback(ValidateCert)))

并添加以下方法：

public static bool ValidateCert(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    return true; // Allow untrusted certificates.
}

显然这优先于：ServicePointManager.ServerCertificateValidationCallback 委托。

显然，我现在需要弄清楚如何修改 ValidateCert 以选择性地允许不受信任的证书。