【发布时间】:2021-09-16 08:56:07
【问题描述】:
我在 SAP 的 docker 容器内使用带有 C# ASP.NET Core 3.1 服务的 OData 服务和客户自签名证书。
在此期间我已经尝试了一千种方法,但错误仍然存在。
System.InvalidOperationException:处理时发生错误 这个请求。 mdt2oowvsap_1 | ---> System.Data.Services.Client.DataServiceTransportException:SSL 无法建立连接,请参阅内部异常。遥控器 根据验证程序,证书无效。
即使像使用直接返回 true 的 HttpClientHandler.ServerCertificateCustomValidationCallback 这样的不安全解决方案也没有改变任何东西。
public MyService()
{
:
handler = new HttpClientHandler()
{
Credentials = new NetworkCredential(Username, Password, Domain),
PreAuthenticate = true,
ServerCertificateCustomValidationCallback = (message, cert, chain, sslPolicyErrors) =>
{
if (sslPolicyErrors == SslPolicyErrors.None)
{
logger.LogDebug($"No SSL policy errors!");
return true; //Is valid
}
logger.LogDebug($"Get certificate hash: {cert.GetCertHashString()}");
// From: https://stackoverflow.com/questions/2675133/c-sharp-ignore-certificate-errors
if (!String.IsNullOrEmpty(certificateHash) && cert.GetCertHashString().Equals(certificateHash))
{
// Get hash string via: openssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
// see: https://stackoverflow.com/questions/5164804/get-certificate-fingerprint-of-https-server-from-command-line
logger.LogDebug($"Using certificate hash: {certificateHash}");
return true;
}
return false;
},
UseCookies = true,
CookieContainer = cookieContainer
};
String[] files = Directory.GetFiles("./certs/", "*.*", SearchOption.TopDirectoryOnly);
logger.LogInformation($"Found {files.Length} certificate files");
// see: https://stackoverflow.com/questions/40014047/add-client-certificate-to-net-core-httpclient
foreach (string cfile in files)
{
try
{
logger.LogDebug($"Try adding {cfile} as trusted client certificate...");
handler.ClientCertificates.Add(new X509Certificate2(Path.GetFullPath(cfile)));
}catch(Exception e)
{
logger.LogInformation($"Exception while adding certificate file {cfile} to 'ClientCertificates'");
logger.LogError(e.ToString());
}
}
httpClient = new HttpClient(handler);
:
}
最后一次尝试是下载证书并使用 ClientCertificates.Add 将其提供给 HttpClientHandler。没有成功。
使用 curl,传递此证书文件有效。
$> curl --location --request GET 'https://customer.de:1234/sap/opu/odata/something/useful_srv' \
--header 'Authorization: Basic ABCDEFGHIJKLMNOPQRST='
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
:
$> echo -n | openssl s_client -connect customer.de:1234 -servername customer.de | \
openssl x509 > /full/path/to/customer.cert
depth=0 CN = customer.de
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = customer.de
verify return:1
DONE
$>
$> curl --location --cacert '/full/path/to/customer.cert' --request GET \
'https://customer.de:1234/sap/opu/odata/something/useful_srv' \
--header 'Authorization: Basic ABCDEFGHIJKLMNOPQRST='
<?xml version="1.0" encoding="utf-8"?><app:service xml:lang="de" xml:base="https:blablabla.../></app:service>
$> _
有人有其他想法吗?
查看的解决方案(不完整):
- c-sharp-ignore-certificate-errors
- add-client-certificate-to-net-core-httpclient
- allowing-untrusted-ssl-certificates-with-httpclient
- how-do-i-add-a-ca-root-certificate-inside-a-docker-image
- the-ssl-connection-could-not-be-established
- c-sharp-core-3-1-getting-error-message-the-ssl-connection-could-not-be-establ
- the-ssl-connection-could-not-be-established-between-webapp-and-webapi-asp-core
- how-to-fix-the-ssl-connection-could-not-be-established-see-inner-exception-w
提前致谢。
【问题讨论】:
-
可能服务器需要 TLS 1.3,但您运行 C# 代码的操作系统不支持 TLS 1.3。
标签: c# asp.net-core ssl httpclient