如何将 SSL 添加到使用 httplistener 的 .net 应用程序

本文介绍了如何将 SSL 添加到使用 httplistener 的 应用程序 - 它不会*在 IIS 上运行的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

最近的编辑以粗体显示我正在使用 HttpListener 类，但我不会在 IIS 上运行此应用程序，也不会使用 ASP.这个网站描述了实际使用的代码使用 asp 实现 SSL 和 本网站 描述如何设置证书(尽管我不确定它是否仅适用于 IIS).

Most recent edits in bold I am using the HttpListener class, but I won't be running this application on IIS and am not using ASP. This web site describes what code to actually use to implement SSL with asp and this site describes how to set up the certificates (although I'm not sure if it works only for IIS or not).

类文档描述了各种类型的身份验证(基本、摘要、Windows 等)——它们都没有提到 SSL.它确实说如果使用 HTTPS，您需要设置一个服务器证书.这将是一个单行属性设置，而 HttpListener 会弄清楚其余的吗?

The class documentation describes various types of authentication (basic, digest, Windows, etc.) --- none of them refer to SSL. It does say that if HTTPS is used, you will need to set a server certificate. Is this going to be a one line property setting and HttpListener figures out the rest?

简而言之，我需要知道如何设置证书以及如何修改代码以实现 SSL.

In short, I need to know how to set up the certificates and how to modify the code to implement SSL.

虽然在我尝试访问 HTTPS 时不会发生这种情况，但我确实注意到系统事件日志中有一个错误 - 来源是Schannel"，消息的内容是:

Although it doesn't occur when I'm trying to access HTTPS, I did notice an error in my System Event log - the source is "Schannel" and the content of the message is:

尝试时发生致命错误访问 SSL 服务器凭据私钥.返回的错误代码从密码模块是0x80090016.

A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x80090016.

目前采取的步骤

• 在 C# 中创建了一个适用于 HTTP 连接的有效 HTTPListener(例如localhost:8089/foldername/"
• 使用 makecert.exe 创建证书
• 使用 certmgr.exe 添加要信任的证书
• 使用 Httpcfg.exe 侦听测试端口(例如 8090)上的 SSL 连接
• 通过 listener.Prefixes.Add(localhost:8090/foldername/) 将端口 8080 添加到 HTTPListenera>");
• 测试了一个 HTTP 客户端连接，例如(localhost:8089/foldername/") 并收到正确的返回
• 测试了 HTTPS 客户端连接，例如(localhost:8090/foldername/") 并收到数据传输中断"(在 Firefox 中)
• 在 Visual Studio 中的调试表明，当 HTTPS 连接开始时，接收请求的侦听器回调永远不会被命中 - 我看不到任何可以设置断点以更早捕获其他任何内容的地方.
• netstat 显示监听端口对 HTTPS 和 HTTP 都是开放的.尝试连接后，HTTPS 端口确实会进入 TIME_WAIT.
• Fiddler 和 HTTPAnalyzer 没有捕捉到任何流量，我想它在这个过程中还不够远，无法显示在那些 HTTP 分析工具中

• Created a working HTTPListener in C# that works for HTTP connections (e.g. "localhost:8089/foldername/"
• Created a certificate using makecert.exe
• Added the certificate to be trusted using certmgr.exe
• Used Httpcfg.exe to listen for SSL connections on a test port (e.g. 8090)
• Added port 8080 to the HTTPListener via listener.Prefixes.Add(localhost:8090/foldername/");
• tested an HTTP client connection, e.g. (localhost:8089/foldername/") in a browser and receive correct return
• tested an HTTPS client connection, e.g. (localhost:8090/foldername/") in a browser and receive "Data Transfer Interrupted" (in Firefox)
• debugging in visual studio shows that the listener callback that receives the requests never gets hit when the HTTPS connection starts - I don't see any place that I could set a breakpoint to catch anything else earlier.
• netstat shows that listening ports are open for both HTTPS and HTTP. the HTTPS port does go to TIME_WAIT after a connection is attempted.
• Fiddler and HTTPAnalyzer don't catch any of the traffic, I guess it doesn't get far enough in the process to show up in those HTTP analysis tools

问题

• 可能是什么问题?
• 是否有一段我遗漏的 .Net 代码(这意味着我必须在 C# 中做更多事情，而不仅仅是向指向 HTTPS 的侦听器添加前缀，这就是我所做的)
• 是否遗漏了某个配置步骤?
• 我还能做什么来分析问题?
• 系统事件日志中的错误消息是否是问题的征兆?如果是这样，它将如何修复?

推荐答案

我也有类似的问题，好像是证书本身有问题.

I have a similar problem, and it seems that there could be a problem with certificate itself.

这是对我有用的路径:

makecert.exe -r -a sha1 -n CN=localhost -sky exchange -pe -b 01/01/2000 -e 01/01/2050 -ss my -sr localmachine

然后查找证书指纹，将其复制到剪贴板并删除空格.这将是下一个命令中 -h 之后的参数:

then look up certificate thumbprint, copy it to the clipboard and remove spaces. This will be a parameter after -h in the next command:

HttpCfg.exe set ssl -i 0.0.0.0:801 -h 35c65fd4853f49552471d2226e03dd10b7a11755

然后在 localhost:801/ 上运行服务主机，它完美运行.

then run a service host on localhost:801/ and it works perfectly.

我无法工作的是让 https 在自生成的证书上运行.这是我运行以生成一个的代码(为了清楚起见，删除了错误处理):

what I cannot make work is for https to run on self-generated certificate. Here's the code I run to generate one (error handling taken out for clarity):

LPCTSTR pszX500 = subject; DWORD cbEncoded = 0; CertStrToName(X509_ASN_ENCODING, pszX500, CERT_X500_NAME_STR, NULL, pbEncoded, &cbEncoded, NULL); pbEncoded = (BYTE *)malloc(cbEncoded); CertStrToName(X509_ASN_ENCODING, pszX500, CERT_X500_NAME_STR, NULL, pbEncoded, &cbEncoded, NULL); // Prepare certificate Subject for self-signed certificate CERT_NAME_BLOB SubjectIssuerBlob; memset(&SubjectIssuerBlob, 0, sizeof(SubjectIssuerBlob)); SubjectIssuerBlob.cbData = cbEncoded; SubjectIssuerBlob.pbData = pbEncoded; // Prepare key provider structure for self-signed certificate CRYPT_KEY_PROV_INFO KeyProvInfo; memset(&KeyProvInfo, 0, sizeof(KeyProvInfo)); KeyProvInfo.pwszContainerName = _T("my-container"); KeyProvInfo.pwszProvName = NULL; KeyProvInfo.dwProvType = PROV_RSA_FULL; KeyProvInfo.dwFlags = CRYPT_MACHINE_KEYSET; KeyProvInfo.cProvParam = 0; KeyProvInfo.rgProvParam = NULL; KeyProvInfo.dwKeySpec = AT_SIGNATURE; // Prepare algorithm structure for self-signed certificate CRYPT_ALGORITHM_IDENTIFIER SignatureAlgorithm; memset(&SignatureAlgorithm, 0, sizeof(SignatureAlgorithm)); SignatureAlgorithm.pszObjId = szOID_RSA_SHA1RSA; // Prepare Expiration date for self-signed certificate SYSTEMTIME EndTime; GetSystemTime(&EndTime); EndTime.wYear += 5; // Create self-signed certificate pCertContext = CertCreateSelfSignCertificate(NULL, &SubjectIssuerBlob, 0, &KeyProvInfo, &SignatureAlgorithm, 0, &EndTime, 0); hStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_LOCAL_MACHINE, L"MY"); CertAddCertificateContextToStore(hStore, pCertContext, CERT_STORE_ADD_REPLACE_EXISTING, 0);

证书显示正常并且它有一个有效的私钥，但 https 会超时，就好像指纹从未注册过一样.如果有人知道为什么 - 请评论

Certificate shows fine and it has a working private key, but https will timeout as if thumbprint was never registered. If anyone knows why - plz comment

EDIT1:经过一番尝试，我找到了 CertCreateSelfSignCertificate 的初始化，它生成了正确的证书:

EDIT1: After some playing around, I have found the initialization for CertCreateSelfSignCertificate which generates proper certificate:

CRYPT_KEY_PROV_INFO KeyProvInfo; memset(&KeyProvInfo, 0, sizeof(KeyProvInfo)); KeyProvInfo.pwszContainerName = _T("my-container"); KeyProvInfo.pwszProvName = _T("Microsoft RSA SChannel Cryptographic Provider"); KeyProvInfo.dwProvType = PROV_RSA_SCHANNEL; KeyProvInfo.dwFlags = CRYPT_MACHINE_KEYSET; KeyProvInfo.cProvParam = 0; KeyProvInfo.rgProvParam = NULL; KeyProvInfo.dwKeySpec = AT_KEYEXCHANGE;