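HTTPS request fails with "Could not establish trust relationship for the SSL/TLS secure channel"
ex: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

Transport security mode is in use, with a certificate to establish SSL. The certificate has been configured on the host port, but the client gets an error when it calls the service.
Could not establish trust relationship for the SSL/TLS secure channel with authority 'computer:9001'.
That is, a trust relationship for the SSL/TLS secure channel cannot be established with the authority machine.

[1] Problem analysis:
Could not establish trust relationship for the SSL/TLS secure channel with authority 'computer:9001'.
A trust relationship for the SSL/TLS secure channel cannot be established with the authority machine.
The actual cause has a lot to do with the certificate. The certificate here is one trusted by a root certification authority; when the client and the server establish a secure session, this certificate cannot be trusted.
Another possible cause is that you are also using this same certificate in another domain, which can also lead to the error.

[2] Solutions:
3.1: Define a class that handles validation of the remote X.509 certificate and returns true. We define the class ourselves and then run it once before the client calls the WCF service. The code is as follows: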
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;

    public static class Util
    {
        /// <summary>
        /// Sets the certificate policy.
        /// </summary>
        public static void SetCertificatePolicy()
        {
            ServicePointManager.ServerCertificateValidationCallback
                += RemoteCertificateValidate;
        }

        /// <summary>
        /// Validates the remote certificate.
        /// </summary>
        private static bool RemoteCertificateValidate(
            object sender, X509Certificate cert,
            X509Chain chain, SslPolicyErrors error)
        {
            // Trust any certificate!!! The server's identity is not checked at all.
            System.Console.WriteLine("Warning, trust any certificate");
            return true;
        }
    }
Call this method before the service operation is invoked:

    Util.SetCertificatePolicy();
    sResult = wcfServiceProxyHttp.SayHello(sName);

3.2: Install a root certification authority on both the client and the server, then create a certificate issued by that trusted root certification authority. See this for reference:
http://www.codeplex.com/WCFSecurity/Wiki/View.aspx?title=How%20To%20-%20Create%20and%20Install%20Temporary%20Certificates%20in%20WCF%20for%20Message%20Security%20During%20Development&referringTitle=How%20Tos
Source: http://social.microsoft.com/Forums/zh-CN/wcfzhchs/thread/1591a00d-d431-4ad8-bbd5-34950c39d563

=============================================================================================================
To use SSL certificate encryption, you must create an X509Certificate instance from the certificate and add it to the ClientCertificates collection property of the WebService instance:

    string certificateFile = AppDomain.CurrentDomain.BaseDirectory + @"\certificate.cer";
    System.Security.Cryptography.X509Certificates.X509Certificate certificate =
        System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile(certificateFile);
    creatinoService.ClientCertificates.Add(certificate);

The call throws the exception "The remote certificate is invalid according to the validation procedure."; its inner exception is WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Solution: declare a class:
    using System.Net;
    using System.Security.Cryptography.X509Certificates;

    public class MyPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint,
            X509Certificate certificate,
            WebRequest request,
            int certificateProblem) {
            // Return true to force the certificate to be accepted.
            return true;
        } // end CheckValidationResult
    } // class MyPolicy

    System.Net.ServicePointManager.CertificatePolicy = new MyPolicy();
However, because .NET 2.0 is in use, it warns that the CertificatePolicy property is obsolete. The following callback can be used in its place:

    System.Net.ServicePointManager.ServerCertificateValidationCallback =
        new System.Net.Security.RemoteCertificateValidationCallback(RemoteCertificateValidationCallback);

Add a static callback function RemoteCertificateValidationCallback:

    public static bool RemoteCertificateValidationCallback(
        Object sender,
        X509Certificate certificate,
        X509Chain chain,
        System.Net.Security.SslPolicyErrors sslPolicyErrors
    )
    {
        // Return true to force the certificate to be accepted.
        return true;
    }

I collected and compiled the methods above from foreign websites; they are not entirely my own original work.
===========================================================================
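When HttpWebRequest is used to access an SSL address such as https://xxxx, it fails with "Could not establish trust relationship for the SSL/TLS secure channel".
I checked MSDN and found a solution. An SSL site requires a certificate when connecting; where a client certificate is not mandatory, it is enough to return a security confirmation. However, the implementation differs between .NET 1.1 and .NET 2.0, so the implementations for both framework versions are given below:
Namespaces used: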
    using System;
    using System.Net;
    using System.Net.Security;
    using System.Security.Authentication;
    using System.Security.Cryptography.X509Certificates;

    public class util
    {
        // .NET 2.0
        public bool CheckValidationResult(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
        {
            // Confirm directly; otherwise the address cannot be opened
            return true;
        }

        private void button1_Click(object sender, EventArgs e)
        {
            ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(CheckValidationResult);
            HttpWebRequest req = (HttpWebRequest)WebRequest.CreateDefault(new Uri("https://zu14.cn/"));
            req.Method = "GET";
            HttpWebResponse res = (HttpWebResponse)req.GetResponse();
        }
    }
    // ...now it works normally, just like accessing an ordinary http:// address
    // .NET 1.1
    internal class AcceptAllCertificatePolicy : ICertificatePolicy
    {
        public AcceptAllCertificatePolicy()
        {
        }

        public bool CheckValidationResult(ServicePoint sPoint, System.Security.Cryptography.X509Certificates.X509Certificate cert, WebRequest wRequest, int certProb)
        {
            // Confirm directly
            return true;
        }

        private void button1_Click(object sender, EventArgs e)
        {
            ServicePointManager.CertificatePolicy = new AcceptAllCertificatePolicy();
            HttpWebRequest req = (HttpWebRequest)WebRequest.CreateDefault(new Uri("https://。。。/"));
            req.Method = "GET";
            HttpWebResponse res = (HttpWebResponse)req.GetResponse();
        }
    }
    // ...now it works normally, just like accessing an ordinary http:// address
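
An added example, not code from the original posts: a stricter alternative to the accept-all callbacks shown in all three parts above. It keeps normal validation and makes an exception only for one pinned development certificate on one host. The host name `computer` is taken from the error message quoted at the top of the page; the class name and the SHA-256 placeholder are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinnedCertificatePolicy // hypothetical name
{
    // Assumptions: the development host from the page's error message, and a
    // placeholder for the SHA-256 hash of your own DER-encoded development certificate.
    private const string DevHost = "computer";
    private const string DevCertSha256 = "<SHA256-HEX-OF-YOUR-DEV-CERTIFICATE>";

    public static void Install()
    {
        // '=' rather than '+=': with several handlers only the last result counts.
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    private static bool Validate(object sender, X509Certificate cert,
                                 X509Chain chain, SslPolicyErrors errors)
    {
        // Certificates that pass the platform's normal checks are accepted as usual.
        if (errors == SslPolicyErrors.None) return true;
        // Name mismatch or a missing certificate is never excused.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || cert == null || chain == null) return false;
        // An expired or revoked certificate is rejected even if it is the pinned one.
        const X509ChainStatusFlags fatal = X509ChainStatusFlags.NotTimeValid | X509ChainStatusFlags.Revoked;
        foreach (X509ChainStatus s in chain.ChainStatus)
            if ((s.Status & fatal) != 0) return false;
        // On .NET Framework the sender of an HTTPS call is the HttpWebRequest.
        var request = sender as HttpWebRequest;
        if (request == null ||
            !string.Equals(request.RequestUri.Host, DevHost, StringComparison.OrdinalIgnoreCase))
            return false;
        return string.Equals(Sha256Hex(cert), DevCertSha256, StringComparison.OrdinalIgnoreCase);
    }

    private static string Sha256Hex(X509Certificate cert)
    {
        using (SHA256 sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(cert.GetRawCertData());
            return BitConverter.ToString(hash).Replace("-", "");
        }
    }
}
```

Call `PinnedCertificatePolicy.Install()` once before the first request. With solution 3.2 in place (the issuing root installed as trusted), `errors` is `None` and the pin is never consulted.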