SSL证书validation – 是否涉及任何caching?

案子:

  • 几天前,我们的集成合作伙伴错过了更改SSL服务器证书的最后期限,证书的有效期至两天前。
  • 发生这种情况时,我们的客户端软件开始抛出exception:“根据validation过程,远程证书无效”。 我们的客户端软件是用.NET 4编写的,并在Windows Server 2012上运行。SSL调用是通过WCF堆栈完成的。
  • 昨天下午,我们的集成合作伙伴安装了一个新的有效的SSL证书。

现在的问题是,我们仍然在客户端上得到同样的exception:“根据validation过程,远程证书是无效的”。

我的问题:

  • SSL证书validation状态是否以某种方式caching在客户端上? 我们的客户端软件是一个长期运行的过程,很less重新启动。
  • 或者这是SSL协议的一些固有的部分? 我不是SSL或networking方面的专家,但是a)只有在SSL握手过程中,客户端才会检查服务器证书,以及b)在SSL握手中交换的信息可以用于多个networking请求同一台服务器 如果确实如此,那么它是如何定义SSL握手有效的?

更新 :我们重新启动客户端进程,然后它工作。 对我来说,这表明某个SSL服务器证书validation状态被caching在客户端上,每个进程。 我仍然非常想了解更多关于这个细节的信息:在什么级别的堆栈上发生这种情况? WCF? 。净? Windows API? 这个caching多久了? 有什么办法可以调整caching行为吗? 我可以手动清空caching吗? 这是logging在某处吗?

全堆栈跟踪:

[E0]: The remote certificate is invalid according to the validation procedure. [T0]: System.Security.Authentication.AuthenticationException at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult) at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state) at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result) at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size) at System.Net.ConnectStream.WriteHeaders(Boolean async) [E1]: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. [T1]: System.Net.WebException at System.Net.HttpWebRequest.GetResponse() at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannel Request.WaitForReply(TimeSpan timeout) [E2]: Could not establish trust relationship for the SSL/TLS secure channel with authority '***removed***'. [T2]: System.ServiceModel.Security.SecurityNegotiationException 

Solutions Collecting From Web of "SSL证书validation – 是否涉及任何caching?"

我遇到了同样的问题。 我正在使用本地根CA证书验证TLS。 如果我从商店中删除证书,连续请求(使用HttpWebRequest)继续验证是否每隔几秒进行一次呼叫。 但是,如果我等了很短的时间(30-60秒),下一个电话会失败,因为它找不到根证书。

将HttpWebRequest.KeepAlive属性设置为false以防止缓存。 为了得到更多的控制,看起来你不得不开始反思。 请参阅问题如何清除客户端.Net SSL会话缓存 。