The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
基础连接已经关闭: 未能为 SSL/TLS 安全通道建立信任关系
方法一:
1,先加入命名空间:
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
2,再重载CheckValidationResult方法,返回true
public bool CheckValidationResult(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
{ // 总是接受
return true;
}
3,然后在HttpWebRequest req = (HttpWebRequest)HttpWebRequest.Create(url);前面加上如下一行代码:
ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(CheckValidationResult);//验证服务器证书回调自动验证
方法二:
英文:The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
使用HttpWebRequest 访问 https://mapi.alipay.com/gateway.do?...支付宝接口时 在本机WIN10 64位环境 完全没问题,使用firefox,IE Edge打开也没问题,但是在win2003 server 上报错:基础连接已经关闭: 未能为 SSL/TLS 安全通道建立信任关系,用IE 无法打开链接
,如果在win2003 上使用fiddler 打开链接会弹出对话框提示:
Session #8: The remote server (mapi.alipay.com) presented a certificate that did not validate, due to RemoteCertificateChainErrors.
0 - 无法验证证书的签名。。。如果忽略错误则可正常访问。
原因:证书没官方签名?
We checked the credentials passed; it seems everything was fine. But still it was failing whenever we make the request to the server with the above same message. When we checked their environment, we found customer uses the self-signed certificate on the server. This is because, by default, .NET checks whether SSL certificates are signed by a certificate from the Trusted Root Certificate store.
解决方案:
请求之前加上下面得代码即可,简洁实用
1.
ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
2.
ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback ( delegate { return true; } );
这样做会潜在一定风险
所有验证都会通过,不论是否证书是无效得。whatever 
,还有其他方案? 或者针对特定链接这样做就好了
1.This will accept all certificates, regardless of why they are invalid, which resolved the customer’s issue.
By validating the X509 certificate provided by the computer running Microsoft Exchange Server 2007 for SSL over HTTP, you help to provide a layer of security for the client application. You must validate certificates before you can start programming with Exchange Web Services proxy classes. If the callback is not set up, the first call will fail with a certificate error.
2.This solution could be potential security threat as you are turning off the SSL certificate validation. If this is production code, understand the risk of the server you are connecting to.
方法三:
今天写程序的时候调用到一个第三方的DLL文件,本机调试一切都正常,但是程序不是到服务器以后一直提示一个BUG:"基础连接已经关闭: 未能为SSL/TLS 安全通道建立信任关系"。
后来把DLL文件进行反编译,发现是在获得请求的时候出错了。
WebResponse response = WebRequest.Create("https://……").GetResponse();
于是在服务器上用浏览器打开上面的地址,发现会弹出一个确认证书的窗口,看来是证书问题。
在网上一顿搜索,发现了一个决绝办法甚是好用,而且很简单,在请求之前添加一行代码。
- ServicePointManager.CertificatePolicy = new AcceptAllCertificatePolicy();
其中AcceptAllCertificatePolicy需要自己定义:
- internal class AcceptAllCertificatePolicy : ICertificatePolicy
- {
- public AcceptAllCertificatePolicy()
- {
- }
- public bool CheckValidationResult(ServicePoint sPoint, X509Certificate cert, WebRequest wRequest, int certProb)
- {
- // Always accept
- return true;
- }
- }
以上方法虽然解决了遇到的问题,可是在VS中会提示ServicePointManager.CertificatePolicy已经被否决。由于我是一个喜欢完美的人,于是按照提示使用新的方法来处理。
改造后的代码更加简洁和明了
- ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
- private bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
- {
- return true;
- }
就这样了,一个委托搞定!
5616
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
