使用 .Net 连接到 openssl 服务器

Question

我得到了一个正在侦听客户端连接的服务器应用程序。以下 openssl 命令确实连接...

openssl s_client -key provided.key -cert provided.crt -CAfile provided.pem -connect 127.0.0.1:59123

我有一个创建 TcpClient 并尝试对 SslStream 进行身份验证的 C# 应用程序。 BeginAuthenticateAsClient 需要证书。显然，提供的 .crt 文件还不够好，因为需要涉及提供的 .key 。我尝试使用 openssl 从 .crt 和 .key 文件创建一个 .pfx 文件，但这不起作用（文件已创建但服务器关闭了连接）。模仿 .net 中的 open ssl 命令并不太难，但我还没有在网上找到任何可以工作甚至接近我想要做的东西。有谁知道如何做到这一点，或者我应该使用不同的方法吗？ 附言第三方软件不是一个真正的选择。

Answer 1

openssl pkcs12 -export -out provided.pfx -inkey provided.key -in provided.crt

...

var coll = new X509Certificate2Collection();
var cert = new X509Certificate2("provided.pfx", "WhateverPasswordYouGaveIt");
coll.Add(cert);

// do TcpClient stuff
var sslStream = new SslStream(tcpClient.GetStream());
const SslProtocols allowedProtocols = SslProtocols.Tls12 | SslProtocols.Tls11;
sslStream.AuthenticateAsClient("127.0.0.1", coll, allowedProtocols, checkCertificateRevocation: true);

对于 -CAFile 等效项，您需要执行自定义回调并将 chain.ChainElements[chain.ChainElements.Length - 1].Certificate 中的证书与您期望的证书进行比较。

Answer 2

如前所述，这仅用于测试目的，因为验证服务器证书不应该只返回 true。

SslStream 测试类：

    public string TestingSSL(string sessionId)
    {
        TcpClient client = new TcpClient("name of the server", port);

        //Create certificate
        var collection = new X509Certificate2Collection();

        var certificate = new X509Certificate2("provided.pfx", "Passwordyouchoosewhencreatingthe.pfx", X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet);
        collection.Add(certificate);

        const SslProtocols allowedProtocols = SslProtocols.Tls12 | SslProtocols.Tls11;
        // Create an SSL stream that will close the client's stream.
        SslStream sslStream = new SslStream(client.GetStream(), false, new RemoteCertificateValidationCallback(ValidateServerCertificateTrue), null);

        // The server name must match the name on the server certificate.
        try
        {
            sslStream.AuthenticateAsClient("name of the server", collection, allowedProtocols, checkCertificateRevocation: true);
        }
        catch (AuthenticationException e)
        {
            if (e.InnerException != null)
            {
                return e.InnerException.ToString();
            }
        }

        // Read message from the server.
        string serverMessage = ServerResponseMessage(sslStream);

        byte[] sessionBill = Encoding.UTF8.GetBytes("sessions.bill\r\n");
        byte[] sessionBillId = Encoding.UTF8.GetBytes($",session_uuid,{sessionId}\r\n");

        // Send command to the server. 
        sslStream.Write(sessionBill, 0, sessionBill.Length);
        sslStream.Flush();
        sslStream.Write(sessionBillId, 0, sessionBillId.Length);
        sslStream.Flush();

        string sessionBillResponseMessage = ServerResponseMessage(sslStream);

        // Close the client connection.
        client.Close();

        return sessionBillResponseMessage;
    }


    public static bool ValidateServerCertificateTrue(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        return true;
    }


    static string ServerResponseMessage(SslStream sslStream)
    {     
        byte[] buffer = new byte[2048];
        StringBuilder messageData = new StringBuilder();

        int bytes = -1;

        bytes = sslStream.Read(buffer, 0, buffer.Length);
        // Use Decoder class to convert from bytes to UTF8
        // in case a character spans two buffers.
        Decoder decoder = Encoding.UTF8.GetDecoder();
        char[] chars = new char[decoder.GetCharCount(buffer, 0, bytes)];

        decoder.GetChars(buffer, 0, bytes, chars, 0);
        messageData.Append(chars);     

        return messageData.ToString();
    }