我有一个简单的web服务调用,由。net (c#) 2.0 Windows应用程序生成,通过Visual Studio生成的web服务代理,用于同样用c#(2.0)编写的web服务。这种方法已经有效了好几年,并且在十几个正在运行的地方继续有效。
在新地点的新安装遇到了问题。当试图调用web服务时,它失败了,消息说:
无法为SSL/TLS安全建立信任关系 通道
web服务的URL使用SSL (https://)——但这已经在许多其他位置工作了很长时间(并继续这样做)。
我该往哪里看?这可能是Windows和。net之间的安全问题,是此安装独有的吗?如果是,我在哪里建立信任关系?我迷路了!
当前回答
想法(基于过去的痛苦):
do you have DNS and line-of-sight to the server? are you using the correct name from the certificate? is the certificate still valid? is a badly configured load balancer messing things up? does the new server machine have the clock set correctly (i.e. so that the UTC time is correct [ignore local time, it is largely irrelevent]) - this certainly matters for WCF, so may impact regular SOAP? is there a certificate trust chain issue? if you browse from the server to the soap service, can you get SSL? related to the above - has the certificate been installed to the correct location? (you may need a copy in Trusted Root Certification Authorities) is the server's machine-level proxy set correctly? (which different to the user's proxy); see proxycfg for XP / 2003 (not sure about Vista etc)
其他回答
我的解(VB。Net,这个应用程序的“登台”(UAT)版本需要与“登台”证书一起工作,但不影响请求一旦他们在现场):
...
Dim url As String = ConfigurationManager.AppSettings("APIURL") & "token"
If url.ToLower().Contains("staging") Then
System.Net.ServicePointManager.ServerCertificateValidationCallback = AddressOf AcceptAllCertifications
End If
...
Private Function AcceptAllCertifications(ByVal sender As Object, ByVal certification As System.Security.Cryptography.X509Certificates.X509Certificate, ByVal chain As System.Security.Cryptography.X509Certificates.X509Chain, ByVal sslPolicyErrors As System.Net.Security.SslPolicyErrors) As Boolean
Return True
End Function
对于那些通过VS客户端遇到这个问题的人,一旦成功添加了一个服务引用,并试图执行第一个调用,就会得到这个异常: "底层连接已关闭:无法为SSL/TLS安全通道建立信任关系" 如果你正在使用(就像我的例子)一个带有IP地址的端点URL并得到了这个异常,那么你可能需要重新添加服务引用,执行以下步骤:
在Internet Explorer上打开端点URL。 点击证书错误(地址栏中的红色图标) 单击查看证书。 获取颁发给:“name”并替换IP地址或任何我们正在使用的名称,并得到这个“name”的错误。
再试一次:)。 谢谢
我有这个错误运行在一个web服务器的url如下:
a.b.domain.com
但是没有证书,所以我找了一个DNS
a_b.domain.com
在这里提示一下这个解因为它在谷歌中出现在最上面。
我已经用了一段时间了如果有用的话。
调用方必须显式地请求需要不受信任的认证,并在完成时将回调放回默认状态。
/// <summary>
/// Helper method for returning the content of an external webpage
/// </summary>
/// <param name="url">URL to get</param>
/// <param name="allowUntrustedCertificates">Flags whether to trust untrusted or self-signed certificates</param>
/// <returns>HTML of the webpage</returns>
public static string HttpGet(string url, bool allowUntrustedCertificates = false) {
var oldCallback = ServicePointManager.ServerCertificateValidationCallback;
string webPage = "";
try {
WebRequest req = WebRequest.Create(url);
if (allowUntrustedCertificates) {
// so we can query self-signed certificates
ServicePointManager.ServerCertificateValidationCallback =
((sender, certification, chain, sslPolicyErrors) => true);
}
WebResponse resp = req.GetResponse();
using (StreamReader sr = new StreamReader(resp.GetResponseStream())) {
webPage = sr.ReadToEnd().Trim();
sr.Close();
}
return webPage;
}
catch {
// if the remote site fails to response (or we have no connection)
return null;
}
finally {
ServicePointManager.ServerCertificateValidationCallback = oldCallback;
}
}
我个人最喜欢以下解决方案:
using System.Security.Cryptography.X509Certificates;
using System.Net.Security;
... 然后在请求获取错误之前,执行以下操作
System.Net.ServicePointManager.ServerCertificateValidationCallback = delegate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return true; };
这是在咨询卢克的解决方案后发现的
