我有一个简单的web服务调用,由。net (c#) 2.0 Windows应用程序生成,通过Visual Studio生成的web服务代理,用于同样用c#(2.0)编写的web服务。这种方法已经有效了好几年,并且在十几个正在运行的地方继续有效。
在新地点的新安装遇到了问题。当试图调用web服务时,它失败了,消息说:
无法为SSL/TLS安全建立信任关系 通道
web服务的URL使用SSL (https://)——但这已经在许多其他位置工作了很长时间(并继续这样做)。
我该往哪里看?这可能是Windows和。net之间的安全问题,是此安装独有的吗?如果是,我在哪里建立信任关系?我迷路了!
当前回答
想法(基于过去的痛苦):
do you have DNS and line-of-sight to the server? are you using the correct name from the certificate? is the certificate still valid? is a badly configured load balancer messing things up? does the new server machine have the clock set correctly (i.e. so that the UTC time is correct [ignore local time, it is largely irrelevent]) - this certainly matters for WCF, so may impact regular SOAP? is there a certificate trust chain issue? if you browse from the server to the soap service, can you get SSL? related to the above - has the certificate been installed to the correct location? (you may need a copy in Trusted Root Certification Authorities) is the server's machine-level proxy set correctly? (which different to the user's proxy); see proxycfg for XP / 2003 (not sure about Vista etc)
其他回答
想法(基于过去的痛苦):
do you have DNS and line-of-sight to the server? are you using the correct name from the certificate? is the certificate still valid? is a badly configured load balancer messing things up? does the new server machine have the clock set correctly (i.e. so that the UTC time is correct [ignore local time, it is largely irrelevent]) - this certainly matters for WCF, so may impact regular SOAP? is there a certificate trust chain issue? if you browse from the server to the soap service, can you get SSL? related to the above - has the certificate been installed to the correct location? (you may need a copy in Trusted Root Certification Authorities) is the server's machine-level proxy set correctly? (which different to the user's proxy); see proxycfg for XP / 2003 (not sure about Vista etc)
我个人最喜欢以下解决方案:
using System.Security.Cryptography.X509Certificates;
using System.Net.Security;
... 然后在请求获取错误之前,执行以下操作
System.Net.ServicePointManager.ServerCertificateValidationCallback = delegate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return true; };
这是在咨询卢克的解决方案后发现的
我在Internet Explorer的. net应用程序中遇到了类似的问题。
我解决了将证书(在我的例子中是VeriSign Class 3证书)添加到受信任编辑器证书的问题。
Go to Internet Options-> Content -> Publishers and import it
您可以通过以下方式导出证书:
Internet Options-> Content -> Certificates -> Intermediate Certification Authorities -> VeriSign Class 3 Public Primary Certification Authority - G5
谢谢
试试这个:
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
请注意,您必须至少使用4.5 .NET框架
如果您不想盲目地信任所有人,只对某些主机设置信任例外,那么下面的解决方案更合适。
public static class Ssl
{
private static readonly string[] TrustedHosts = new[] {
"host1.domain.com",
"host2.domain.com"
};
public static void EnableTrustedHosts()
{
ServicePointManager.ServerCertificateValidationCallback =
(sender, certificate, chain, errors) =>
{
if (errors == SslPolicyErrors.None)
{
return true;
}
var request = sender as HttpWebRequest;
if (request != null)
{
return TrustedHosts.Contains(request.RequestUri.Host);
}
return false;
};
}
}
那就打电话给Ssl。当你的应用启动时启用托管主机。
