How safe is my custom SSL verification logic to handle excepted RemoteCertificateNameMismatch?

Submitted by 落花浮王杯 on 2019-12-23 18:34:15

Question


I try to upload a file to my domain https://vault.veodin.com/, which is hosted at webfaction.com.

When you open this URL, the browser warns you about the name mismatch, because the SSL certificate is issued for webfaction.com and not for veodin.com.

Accordingly, an sslPolicyError System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch occurs when I try to upload a file to this domain using .Net WebClient.

For my purpose it's enough to be sure that the upload target is hosted at *.webfaction.com.

Is it safe to trust the certificate.subject for that?

Background:

Update: I've used a custom CertificateValidationCallback to verify the certificate subject and the certificate issuer to be exactly what I expect.

ServicePointManager.ServerCertificateValidationCallback = 
   MyCertificatePolicy.CertificateValidationCallBack;

...

public class MyCertificatePolicy
{
    public static bool CertificateValidationCallBack(
        object sender,
        System.Security.Cryptography.X509Certificates.X509Certificate certificate,
        System.Security.Cryptography.X509Certificates.X509Chain chain,
        System.Net.Security.SslPolicyErrors sslPolicyErrors)
    {
        // If the certificate is a valid, signed certificate, return true.
        if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
        {
            return true;
        }

        // If there is a RemoteCertificateNameMismatch, but the name is webfaction.com,
        // then we can trust the certificate despite the name error.
        else if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch
            && certificate.Subject == "CN=*.webfaction.com, OU=WebFaction, O=Swarma Limited, L=London, S=England, C=GB"
            && certificate.Issuer == "CN=DigiCert Global CA, OU=www.digicert.com, O=DigiCert Inc, C=US")
        {
            return true;
        }
        else
        {
            // In all other cases, return false.
            return false;
        }
    }
}

Source: https://stackoverflow.com/questions/7436491/how-safe-is-my-custom-ssl-verification-logic-to-handle-excepted-remotecertificat
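
A narrower variant of the callback in the question, as an added example that is not part of the original post: it excuses a name mismatch only for the one upload host, only when no other policy error is set, and compares the parsed common name instead of the full subject string. The class name `ScopedNameMismatchPolicy`, the two constants, and the expectation that `sender` is the `HttpWebRequest` are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class ScopedNameMismatchPolicy   // hypothetical name
{
    // Assumed values taken from the question: the only host allowed to present
    // a mismatched name, and the CN carried by the hosting provider's certificate.
    private const string PinnedHost = "vault.veodin.com";
    private const string ExpectedCommonName = "*.webfaction.com";

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        // SslPolicyErrors is a flags enum. Requiring the value to be exactly
        // RemoteCertificateNameMismatch rejects any combination that also
        // carries chain errors; the subject of a certificate that does not
        // chain to a trusted root is just unverified text.
        if (errors != SslPolicyErrors.RemoteCertificateNameMismatch || certificate == null)
            return false;

        // The ServicePointManager callback is process-wide, so limit the
        // exception to the single upload host.
        // Assumption: sender is the HttpWebRequest; fail closed if it is not.
        var request = sender as HttpWebRequest;
        if (request == null ||
            !string.Equals(request.Address.Host, PinnedHost, StringComparison.OrdinalIgnoreCase))
            return false;

        // Compare the parsed CN rather than the full subject string, which
        // changes whenever the OU/L/S fields change on reissue.
        var cert = new X509Certificate2(certificate);
        string cn = cert.GetNameInfo(X509NameType.SimpleName, false);
        return string.Equals(cn, ExpectedCommonName, StringComparison.OrdinalIgnoreCase);
    }
}

// Registration, in the same way as in the question:
// ServicePointManager.ServerCertificateValidationCallback = ScopedNameMismatchPolicy.Validate;
```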
