Exception: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Transport security mode is used, SSL is set up with a certificate and the certificate on the host port is fully configured, but the client's call to the service fails with:
Could not establish trust relationship for the SSL/TLS secure channel with authority 'computer:9001'.
【1】Problem analysis:
Could not establish trust relationship for the SSL/TLS secure channel with authority 'computer:9001'.
The real cause lies with the certificate. The certificate used here must chain to a certification authority that the client trusts; when the client and the server set up the secure session, the client cannot trust this certificate.
Another possible cause is that the same certificate is also used in another domain, which can trigger this error as well.
【2】Solution:
3.1: Define a class that handles validation of the remote X.509 certificate and returns true. We define our own class and call it once on the client before invoking the WCF service. The code is as follows:
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class Util
{
    /// <summary>
    /// Registers the certificate validation callback on ServicePointManager.
    /// The callback applies to every HTTPS connection made by this process.
    /// </summary>
    public static void SetCertificatePolicy()
    {
        ServicePointManager.ServerCertificateValidationCallback
            += RemoteCertificateValidate;
    }

    /// <summary>
    /// Validates the remote certificate. Returning true accepts every
    /// certificate, including ones with chain or host-name errors, so TLS
    /// server authentication is effectively disabled for the process.
    /// </summary>
    private static bool RemoteCertificateValidate(
        object sender, X509Certificate cert,
        X509Chain chain, SslPolicyErrors error)
    {
        // trust any certificate!!!
        Console.WriteLine("Warning, trust any certificate");
        return true;
    }
}
Call this method before the operation that invokes the service: Util.SetCertificatePolicy();
sResult = wcfServiceProxyHttp.SayHello(sName);
3.2: Install a root certification authority on both the client and the server, then issue the service certificate from that trusted root certification authority. See:
http://www.codeplex.com/WCFSecurity/Wiki/View.aspx?title=How%20To%20-%20Create%20and%20Install%20Temporary%20Certificates%20in%20WCF%20for%20Message%20Security%20During%20Development&referringTitle=How%20Tos
Source: http://social.microsoft.com/Forums/zh-CN/wcfzhchs/thread/1591a00d-d431-4ad8-bbd5-34950c39d563
=============================================================================================================
To use SSL certificate encryption, an X509Certificate instance must be created from the certificate file and added to the ClientCertificates collection property of the web service proxy instance:
string certificateFile = AppDomain.CurrentDomain.BaseDirectory + @"\certificate.cer";
System.Security.Cryptography.X509Certificates.X509Certificate certificate =
    System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile(certificateFile);
creationService.ClientCertificates.Add(certificate);
The call then throws: The remote certificate is invalid according to the validation procedure. Its inner exception is WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Solution: declare a class:
using System.Net;
using System.Security.Cryptography.X509Certificates;

public class MyPolicy : ICertificatePolicy
{
    public bool CheckValidationResult(
        ServicePoint srvPoint
        , X509Certificate certificate
        , WebRequest request
        , int certificateProblem)
    {
        // Return true to force the certificate to be accepted,
        // regardless of the certificateProblem code reported.
        return true;
    } // end CheckValidationResult
} // class MyPolicy

System.Net.ServicePointManager.CertificatePolicy = new MyPolicy();
Under .NET 2.0, however, the compiler warns that the CertificatePolicy property is obsolete; the following callback can be used instead:
System.Net.ServicePointManager.ServerCertificateValidationCallback =
    new System.Net.Security.RemoteCertificateValidationCallback(RemoteCertificateValidationCallback);
Add a static callback function RemoteCertificateValidationCallback:
public static bool RemoteCertificateValidationCallback(
    Object sender,
    X509Certificate certificate,
    X509Chain chain,
    System.Net.Security.SslPolicyErrors sslPolicyErrors
)
{
    // Return true to force the certificate to be accepted.
    return true;
}
The methods above were collected and compiled by me from websites abroad; they are not entirely my own original work.
===========================================================================
When accessing an SSL address https://xxxx with HttpWebRequest, the error "Could not establish trust relationship for the SSL/TLS secure channel" is reported.
I looked it up on MSDN and found the solution: an SSL site requires a certificate when connecting, and where a client certificate is not mandatory it is enough to return a security confirmation. The implementation differs between .NET 1.1 and .NET 2.0, though, so the implementation for each framework version is given below:
Namespaces used:
using System;
using System.Net;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
public class util
{
    // .NET 2.0
    public bool CheckValidationResult(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
    {
        // Confirm unconditionally; otherwise the page cannot be opened.
        // Note that this accepts any certificate the server presents.
        return true;
    }

    private void button1_Click(object sender, EventArgs e)
    {
        ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(CheckValidationResult);
        HttpWebRequest req = (HttpWebRequest)WebRequest.CreateDefault(new Uri("https://zu14.cn/"));
        req.Method = "GET";
        HttpWebResponse res = (HttpWebResponse)req.GetResponse();
    }
}
// ...now it works normally, just like accessing an ordinary http:// address
// .NET 1.1
internal class AcceptAllCertificatePolicy : ICertificatePolicy
{
    public AcceptAllCertificatePolicy()
    {
    }

    public bool CheckValidationResult(ServicePoint sPoint, System.Security.Cryptography.X509Certificates.X509Certificate cert, WebRequest wRequest, int certProb)
    {
        // Confirm unconditionally (accepts any certificate, whatever certProb reports).
        return true;
    }

    private void button1_Click(object sender, EventArgs e)
    {
        ServicePointManager.CertificatePolicy = new AcceptAllCertificatePolicy();
        HttpWebRequest req = (HttpWebRequest)WebRequest.CreateDefault(new Uri("https://。。。/"));
        req.Method = "GET";
        HttpWebResponse res = (HttpWebResponse)req.GetResponse();
    }
}
// ...now it works normally, just like accessing an ordinary http:// address
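Every callback on this page (the Util class in 3.1, MyPolicy, and the .NET 2.0 CheckValidationResult above) returns true unconditionally, which turns off server authentication for all HTTPS connections in the process. The following is an added example, not code from the original post, showing the same ServerCertificateValidationCallback hook written so that properly trusted certificates still pass, one explicitly pinned self-signed development certificate is accepted, and everything else is rejected with the reason logged. The thumbprint constant is a placeholder you would replace with your own development certificate's thumbprint.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class CertPolicy
{
    // Placeholder (not a real value): SHA-1 thumbprint of the self-signed
    // development certificate installed on the service host, as shown by
    // certmgr.msc. Pinning by thumbprint identifies exactly one certificate.
    private const string DevThumbprint = "0000000000000000000000000000000000000000";

    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Normal case: chain builds to a trusted root and the host name
        // matches, so the framework's own validation stands.
        if (errors == SslPolicyErrors.None)
            return true;

        // Never accept a session in which the server presented no certificate.
        if (certificate == null ||
            (errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
            return false;

        // Remaining errors are chain errors (unknown issuer, e.g. a
        // self-signed dev cert) and/or a host-name mismatch (e.g. calling
        // 'computer:9001' while the CN says something else). Tolerate these
        // only for the one pinned development certificate.
        var cert2 = certificate as X509Certificate2 ?? new X509Certificate2(certificate);
        bool pinned = string.Equals(cert2.Thumbprint, DevThumbprint,
                                    StringComparison.OrdinalIgnoreCase);
        if (pinned)
            return true;

        // Anything else is rejected; the reason is logged so the failing
        // certificate can be diagnosed instead of silently trusted.
        Console.WriteLine("Rejected certificate '" + cert2.Subject +
                          "' (thumbprint " + cert2.Thumbprint + "): " + errors);
        return false;
    }
}
```

Call CertPolicy.Install() once before the first service call, in the same place the page calls Util.SetCertificatePolicy(); unlike the return-true versions, an unexpected certificate on any host still fails with the original trust error.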