英文:The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
使用HttpWebRequest 访问 https://mapi.alipay.com/gateway.do?...支付宝接口时 在本机WIN10 64位环境 完全没问题,使用firefox,IE Edge打开也没问题,但是在win2003 server 上报错:基础连接已经关闭: 未能为 SSL/TLS 安全通道建立信任关系,用IE 无法打开链接
,如果在win2003 上使用fiddler 打开链接会弹出对话框提示:
Session #8: The remote server (mapi.alipay.com) presented a certificate that did not validate, due to RemoteCertificateChainErrors.
0 - 无法验证证书的签名。。。如果忽略错误则可正常访问。
原因:证书没官方签名?
We checked the credentials passed; it seems everything was fine. But still it was failing whenever we make the request to the server with the above same message. When we checked their environment, we found customer uses the self-signed certificate on the server. This is because, by default, .NET checks whether SSL certificates are signed by a certificate from the Trusted Root Certificate store.
解决方案:
请求之前加上下面得代码即可,简洁实用
1.
ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
2.
ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback ( delegate { return true; } );
这样做会潜在一定风险
所有验证都会通过,不论是否证书是无效得。whatever ,还有其他方案? 或者针对特定链接这样做就好了
1.This will accept all certificates, regardless of why they are invalid, which resolved the customer’s issue.
By validating the X509 certificate provided by the computer running Microsoft Exchange Server 2007 for SSL over HTTP, you help to provide a layer of security for the client application. You must validate certificates before you can start programming with Exchange Web Services proxy classes. If the callback is not set up, the first call will fail with a certificate error.
2.This solution could be potential security threat as you are turning off the SSL certificate validation. If this is production code, understand the risk of the server you are connecting to.