在.Net中调用web服务时绕过无效的SSL证书错误

We are setting up a new SharePoint for which we don't have a valid SSL certificate yet. I would like to call the Lists web service on it to retrieve some meta data about the setup. However, when I try to do this, I get the exception:

我们正在设置一个新的SharePoint，我们还没有有效的SSL证书。我想调用它上面的列表web服务来检索关于设置的一些元数据。然而，当我尝试这样做时，我得到了一个例外:

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

基础连接被关闭:无法为SSL/TLS安全通道建立信任关系。

The nested exception contains the error message:

嵌套异常包含错误消息:

The remote certificate is invalid according to the validation procedure.

根据验证过程，远程证书无效。

This is correct since we are using a temporary certificate.

这是正确的，因为我们使用的是临时证书。

My question is: how can I tell the .Net web service client (SoapHttpClientProtocol) to ignore these errors?

我的问题是:如何让。net web服务客户机(SoapHttpClientProtocol)忽略这些错误?

8 个解决方案

#1

The approach I used when faced with this problem was to add the signer of the temporary certificate to the trusted authorities list on the computer in question.

在遇到这个问题时，我使用的方法是将临时证书的签名者添加到相关计算机上的可信权威列表中。

I normally do testing with certificates created with CACERT, and adding them to my trusted authorities list worked swimmingly.

我通常使用CACERT创建的证书进行测试，并将它们添加到我信任的权威列表中，效果非常好。

Doing it this way means you don't have to add any custom code to your application and it properly simulates what will happen when your application is deployed. As such, I think this is a superior solution to turning off the check programmatically.

这样做意味着您不必向您的应用程序添加任何自定义代码，并且可以适当地模拟应用程序部署时发生的情况。因此，我认为这是一种优于以编程方式关闭检查的解决方案。

#2

108

Alternatively you can register a call back delegate which ignores the certification error:

或者您可以注册一个回调委托，它忽略了认证错误:

...
ServicePointManager.ServerCertificateValidationCallback = MyCertHandler;
...

static bool MyCertHandler(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors error)
{
// Ignore errors
return true;
}

#3

Like Jason S's answer:

像贾森·S的回答:

ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

I put this in my Main and look to my app.config and test if (ConfigurationManager.AppSettings["IgnoreSSLCertificates"] == "True") before calling that line of code.

我将它放在Main中，并查看app.config并测试if (ConfigurationManager)。在调用这一行代码之前，应用设置["IgnoreSSLCertificates"] = "True"。

#4

I solved it this way:

我是这样解决的:

Call the following just before calling your ssl webservice that cause that error:

在调用导致该错误的ssl web服务之前，请调用以下命令:

using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

/// <summary>
/// solution for exception
/// System.Net.WebException: 
/// The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
/// </summary>
public static void BypassCertificateError()
{
    ServicePointManager.ServerCertificateValidationCallback +=

        delegate(
            Object sender1,
            X509Certificate certificate,
            X509Chain chain,
            SslPolicyErrors sslPolicyErrors)
        {
            return true;
        };
}

#5

I was having same error using DownloadString; and was able to make it works as below with suggestions on this page

我使用DownloadString时也有同样的错误;并能使它的工作如下与建议在本页

System.Net.WebClient client = new System.Net.WebClient();            
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
string sHttpResonse = client.DownloadString(sUrl);

#6

ServicePointManager.ServerCertificateValidationCallback +=
            (mender, certificate, chain, sslPolicyErrors) => true;

will bypass invaild ssl . Write it to your web service constructor.

将绕过invaild ssl。将其写入web服务构造函数。

#7

For newbies, you can extend your partial service class in a separate cs file and add the code the code provided by "imanabidi" to get it integrated

对于新手，您可以在一个独立的cs文件中扩展您的部分服务类，并添加“imanabidi”提供的代码以使其集成

#8

To further expand on Simon Johnsons post - Ideally you want a solution that will simulate the conditions you will see in production and modifying your code won't do that and could be dangerous if you forget to take the code out before you deploy it.

要进一步扩展Simon Johnsons post——理想情况下，您需要一个能够模拟您将在生产中看到的条件的解决方案，而修改代码不会这样做，而且如果在部署代码之前忘记取出代码，可能会很危险。

You will need a self-signed certificate of some sort. If you're using IIS Express you will have one of these already, you'll just have to find it. Open Firefox or whatever browser you like and go to your dev website. You should be able to view the certificate information from the URL bar and depending on your browser you should be able to export the certificate to a file.

您将需要某种自签名证书。如果您正在使用IIS Express，那么您将已经拥有其中的一个，您只需找到它。打开Firefox或任何你喜欢的浏览器，进入你的开发网站。您应该能够从URL栏中查看证书信息，根据您的浏览器，您应该能够将证书导出到文件中。

Next, open MMC.exe, and add the Certificate snap-in. Import your certificate file into the Trusted Root Certificate Authorities store and that's all you should need. It's important to make sure it goes into that store and not some other store like 'Personal'. If you're unfamiliar with MMC or certificates, there are numerous websites with information how to do this.

接下来,打开MMC。exe，并添加证书管理单元。将您的证书文件导入受信任的根证书颁发机构存储区，这就是您所需要的。重要的是要确保它进入那家商店，而不是像“Personal”这样的其他商店。如果您不熟悉MMC或证书，那么有许多网站都有关于如何做到这一点的信息。

Now, your computer as a whole will implicitly trust any certificates that it has generated itself and you won't need to add code to handle this specially. When you move to production it will continue to work provided you have a proper valid certificate installed there. Don't do this on a production server - that would be bad and it won't work for any other clients other than those on the server itself.

现在，您的计算机作为一个整体将会隐式地信任它生成的任何证书，并且您不需要添加代码来专门处理这个问题。如果您在生产环境中安装了有效的证书，它将继续工作。不要在生产服务器上执行此操作——这样做会很糟糕，而且除了服务器上的客户端之外，其他任何客户端都无法执行此操作。

#1