我有一个简单的web服务调用,由。net (c#) 2.0 Windows应用程序生成,通过Visual Studio生成的web服务代理,用于同样用c#(2.0)编写的web服务。这种方法已经有效了好几年,并且在十几个正在运行的地方继续有效。
在新地点的新安装遇到了问题。当试图调用web服务时,它失败了,消息说:
无法为SSL/TLS安全建立信任关系 通道
web服务的URL使用SSL (https://)——但这已经在许多其他位置工作了很长时间(并继续这样做)。
我该往哪里看?这可能是Windows和。net之间的安全问题,是此安装独有的吗?如果是,我在哪里建立信任关系?我迷路了!
当前回答
微软的SSL诊断工具可能能够帮助识别问题。
更新链接已经修复。
其他回答
想法(基于过去的痛苦):
do you have DNS and line-of-sight to the server? are you using the correct name from the certificate? is the certificate still valid? is a badly configured load balancer messing things up? does the new server machine have the clock set correctly (i.e. so that the UTC time is correct [ignore local time, it is largely irrelevent]) - this certainly matters for WCF, so may impact regular SOAP? is there a certificate trust chain issue? if you browse from the server to the soap service, can you get SSL? related to the above - has the certificate been installed to the correct location? (you may need a copy in Trusted Root Certification Authorities) is the server's machine-level proxy set correctly? (which different to the user's proxy); see proxycfg for XP / 2003 (not sure about Vista etc)
添加:
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;}
就在你呼叫服务之前
试试这个:
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
请注意,您必须至少使用4.5 .NET框架
如果你使用的是Windows 2003,你可以这样做:
Open Microsoft Management Console (Start --> Run --> mmc.exe); Choose File --> Add/Remove Snap-in; In the Standalone tab, choose Add; Choose the Certificates snap-in, and click Add; In the wizard, choose the Computer Account, and then choose Local Computer. Press Finish to end the wizard; Close the Add/Remove Snap-in dialog; Navigate to Certificates (Local Computer) and choose a store to import: If you have the Root CA certificate for the company that issued the certificate, choose Trusted Root Certification Authorities; If you have the certificate for the server itself, choose Other People Right-click the store and choose All Tasks --> Import Follow the wizard and provide the certificate file you have; After that, simply restart IIS and try calling the web service again.
参考:http://www.outsystems.com/NetworkForums/ViewTopic.aspx?Topic=Web-Services: -Could-not-establish-trust-relationship-for-the-SSL / TLS -…
Luke写了一篇关于这方面的好文章。 非常直截了当。试试吧
卢克的解决方案
原因(引用自他的文章(含诅咒)) “. . 上面的代码的问题是,如果您的证书无效,它将无法工作。为什么我要发布到一个网页与无效的SSL证书?因为我很便宜,我不想付钱给Verisign或其他** *的人对我的测试箱进行认证,所以我自己签名了。当我发送请求时,我得到了一个可爱的例外:
System.Net.WebException 底层连接被关闭。无法与远程服务器建立信任关系。
我不知道你怎么想,但对我来说,这个异常看起来像是由我的代码中一个愚蠢的错误引起的,导致POST失败。所以我一直在寻找,调整,做各种奇怪的事情。只有在我谷歌了***n的东西,我发现遇到无效的SSL证书后的默认行为是抛出这个异常。 . .”
