增加远程证书验证

2021-07-20 00:34:09 +08:00 · 2021-07-20 00:34:09 +08:00 · f5698ef1e1
commit f5698ef1e1
parent 994099a7d2
1 changed files with 8 additions and 1 deletions
--- a/FastGithub.ReverseProxy/HttpClientHanlder.cs
+++ b/FastGithub.ReverseProxy/HttpClientHanlder.cs
@ -2,6 +2,7 @@
 using System.Net.Http;
 using System.Net.Security;
 using System.Net.Sockets;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;

@ -51,9 +52,15 @@ namespace FastGithub.ReverseProxy
                    await sslStream.AuthenticateAsClientAsync(new SslClientAuthenticationOptions
                    {
                        TargetHost = tlsSniContext.TlsSniPattern.Value,
-                        RemoteCertificateValidationCallback = delegate { return true; }
+                        RemoteCertificateValidationCallback = ValidateServerCertificate
                    }, cancellationToken);
                    return sslStream;
+
+                    // 这里最好需要验证证书的使用者和所有使用者可选名称
+                    static bool ValidateServerCertificate(object sender, X509Certificate? cert, X509Chain? chain, SslPolicyErrors errors)
+                    {
+                        return errors == SslPolicyErrors.None || errors == SslPolicyErrors.RemoteCertificateNameMismatch;
+                    }
                }
            };
        }