Mono https webrequest失败，并显示“身份验证或解密失败”

Question 1

我正在制作一个简单的REST客户端以在我的C＃应用程序中使用。在Windows的.net中，它与http：//和https：//连接一起使用时效果很好。在Ubuntu 10.10上的Mono 2.6.7中（也用2.8测试了相同的结果），只有http：//可以工作。https：//连接在request.GetResponse（）方法上引发此异常：

Unhandled Exception: System.Net.WebException: Error getting response stream (Write: The authentication or decryption has failed.): SendFailure ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server. Error code: 0xffffffff800b010a
  at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.validateCertificates (Mono.Security.X509.X509CertificateCollection certificates) [0x00000] in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.ProcessAsTls1 () [0x00000] in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process () [0x00000] in <filename unknown>:0 
  at (wrapper remoting-invoke-with-check) Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
  at Mono.Security.Protocol.Tls.ClientRecordProtocol.ProcessHandshakeMessage (Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00000] in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
  --- End of inner exception stack trace ---
  at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
  at System.Net.HttpWebRequest.GetResponse () [0x00000] in <filename unknown>:0

我还没有找到任何解决此问题的方法。任何人都知道为什么会发生这种情况以及如何解决它？

同样，这仅在Mono中失败，.Net建立连接似乎没有任何问题。

这是调用代码：

public JToken DoRequest(string path, params string[] parameters) {
    if(!path.StartsWith("/")) {
        path = "/" + path;
    }
    string fullUrl = url + path + ToQueryString(parameters);

    if(DebugUrls) Console.WriteLine("Requesting: {0}", fullUrl);

    WebRequest request = HttpWebRequest.CreateDefault(new Uri(fullUrl));
    using(WebResponse response = request.GetResponse())
    using(Stream responseStream = response.GetResponseStream()) {
        return ReadResponse(responseStream);
    }
}

Question 2

默认情况下，Mono不信任任何证书，要导入Mozilla受信任的根权限，您可以mozroots --import --quiet在mozroots.exe所在的mono安装文件夹中运行

Question 3

我在Unity上也遇到了同样的问题（它也使用mono），这篇文章帮助我解决了这个问题。

在发出请求之前，只需添加以下行：

ServicePointManager.ServerCertificateValidationCallback = MyRemoteCertificateValidationCallback;

而这种方法：

public bool MyRemoteCertificateValidationCallback(System.Object sender,
    X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    bool isOk = true;
    // If there are errors in the certificate chain,
    // look at each error to determine the cause.
    if (sslPolicyErrors != SslPolicyErrors.None) {
        for (int i=0; i<chain.ChainStatus.Length; i++) {
            if (chain.ChainStatus[i].Status == X509ChainStatusFlags.RevocationStatusUnknown) {
                continue;
            }
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan (0, 1, 0);
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
            bool chainIsValid = chain.Build ((X509Certificate2)certificate);
            if (!chainIsValid) {
                isOk = false;
                break;
            }
        }
    }
    return isOk;
}

Question 4

Windows上的.NET Framework使用Windows证书存储（mmc，添加/删除管理单元，证书）来确定是否接受来自远程站点的SSL证书。Windows附带了一堆根和中级证书颁发机构（CA），并且Windows Update会定期对其进行更新。因此，您的.NET代码通常将信任证书，前提是该证书是由证书存储中的CA或CA的后代颁发的（包括最知名的商业CA）。

在Mono中，没有Windows证书存储。Mono有自己的商店。默认情况下，它为空（没有可信任的默认CA）。您需要自己管理条目。

在这里看看：

默认安装后，mozroots.exe点将使您的单声道安装信任Firefox信任的所有内容。

Question 5

在make request http request之前写此行。这应该是可行的。

ServicePointManager.ServerCertificateValidationCallback += new RemoteCertificateValidationCallback((sender, certificate, chain, policyErrors) => { return true; });


private static bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        //Return true if the server certificate is ok
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        bool acceptCertificate = true;
        string msg = "The server could not be validated for the following reason(s):\r\n";

        //The server did not present a certificate
        if ((sslPolicyErrors &
             SslPolicyErrors.RemoteCertificateNotAvailable) == SslPolicyErrors.RemoteCertificateNotAvailable)
        {
            msg = msg + "\r\n    -The server did not present a certificate.\r\n";
            acceptCertificate = false;
        }
        else
        {
            //The certificate does not match the server name
            if ((sslPolicyErrors &
                 SslPolicyErrors.RemoteCertificateNameMismatch) == SslPolicyErrors.RemoteCertificateNameMismatch)
            {
                msg = msg + "\r\n    -The certificate name does not match the authenticated name.\r\n";
                acceptCertificate = false;
            }

            //There is some other problem with the certificate
            if ((sslPolicyErrors &
                 SslPolicyErrors.RemoteCertificateChainErrors) == SslPolicyErrors.RemoteCertificateChainErrors)
            {
                foreach (X509ChainStatus item in chain.ChainStatus)
                {
                    if (item.Status != X509ChainStatusFlags.RevocationStatusUnknown &&
                        item.Status != X509ChainStatusFlags.OfflineRevocation)
                        break;

                    if (item.Status != X509ChainStatusFlags.NoError)
                    {
                        msg = msg + "\r\n    -" + item.StatusInformation;
                        acceptCertificate = false;
                    }
                }
            }
        }

        //If Validation failed, present message box
        if (acceptCertificate == false)
        {
            msg = msg + "\r\nDo you wish to override the security check?";
//          if (MessageBox.Show(msg, "Security Alert: Server could not be validated",
//                       MessageBoxButtons.YesNo, MessageBoxIcon.Exclamation, MessageBoxDefaultButton.Button1) == DialogResult.Yes)
                acceptCertificate = true;
        }

        return acceptCertificate;
    }

Question 6

我有同样的问题。当http响应抛出此异常时，我将执行以下操作：

System.Diagnostics.Process.Start("mozroots","--import --quiet");

这将导入丢失的证书，并且该异常不再发生。

Question 7

Unity的另一个解决方案是将ServicePointManager初始化一次，以始终接受证书。这可行，但显然不安全。

System.Net.ServicePointManager.ServerCertificateValidationCallback +=
           delegate (object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate,
                                   System.Security.Cryptography.X509Certificates.X509Chain chain,
                                   System.Net.Security.SslPolicyErrors sslPolicyErrors)
           {
               return true; // **** Always accept
       };

Question 8

我也遇到错误。

我试了一下ServicePointManager.ServerCertificateValidationCallback，ServicePointManager.CertificatePolicy但还是没用。

我很生气构建一个cURL包装器。对于我的玩具项目来说，一切正常。

/// <summary>
/// For MONO ssl decryption failed
/// </summary>
public static string PostString(string url, string data)
{
    Process p = null;
    try
    {
        var psi = new ProcessStartInfo
        {
            FileName = "curl",
            Arguments = string.Format("-k {0} --data \"{1}\"", url, data),
            RedirectStandardOutput = true,
            UseShellExecute = false,
            CreateNoWindow = false,
        };

        p = Process.Start(psi);

        return p.StandardOutput.ReadToEnd();
    }
    finally
    {
        if (p != null && p.HasExited == false)
            p.Kill();
    }
}

Question 9

第一个答案已经说过：Windows以外的任何版本上的Mono都不附带任何内容，因此最初它不信任任何证书。那么该怎么办？

这是一篇不错的文章，它从开发人员的角度介绍了解决问题的不同方法：http : //www.mono-project.com/archived/usingtrustedrootsrespectfully/

简短摘要：您可以：

忽略安全问题
忽略问题
让用户知道并中止
让用户知道并选择继续承担风险

上面的链接附带每种情况的代码示例。

Question 10

根据接受的答案导入证书后，我仍然遇到此问题。

我发现在使用Google的BoringSSL的 Mono 4.8.0中添加了对TLS 1.2的支持，并且我使用的Mono版本早于此版本。我更新为Mono 5.10，现在可以连接而不会收到此异常。

Question 11

您可以在iOS Build中设置Mono TLS实现，所有操作都可以按此处所述正常进行：http : //massivepixel.co/blog/post/xamarin-studio-6-certificate-unknown（尽管Mono TLS不支持更新版本的TLS，但我还没有碰到这是一个问题的问题）。