Is there a general solution to self signed certificate errors (Windows)?

Question

I use a corporate VPN and every time I try a new client it throws a self-signed certificate error and it's getting very annoying.

There are plenty of similar questions in here, but they cover how to solve the problem for the specific client throwing the error. Also, unfortunately, the answer is often to disable SSL verification altogether, which is not ideal. This is not what I'm looking for.

I have installed the custom certificate in the Windows certificate store but most clients seem to ignore this.

I have to ask, is there any general solution to this of any kind (including solutions at the VPN provider level that I could suggest) or is this a general failure of standardization and there's nothing that can be done about it?

Answer 1

Score: 0

The solution is to install the CA certificate used by the corporate proxy into the trust store(s) used by the applications. Unfortunately there is no generic way to do this which covers all applications.

This is because there is no single system-wide trust store: some applications might use the Windows trust store, some have application-specific trust stores, or even application-profile-specific ones like in Firefox. Sometimes the trust store is specific to the programming language used (like Java, Python) or library.

And sometimes the expected certificate, key or CA is hard-coded into the application (certificate pinning). In this case the application itself would need to be changed or exceptions added to the corporate firewall.
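
The per-store approach described in the answer, as an added PowerShell example that is not part of the original answer: it exports the CA already installed in the Windows store to PEM and points several non-Windows trust stores at it. The subject `Example Corp Root CA` and the output path are placeholders, and the example assumes Node.js, Python requests, OpenSSL-based clients, Java and Git for Windows are the clients in use.

```powershell
# Assumption: the corporate CA is already in a Windows root store (as in the question).
# 'Example Corp Root CA' is a placeholder subject; replace it with your CA's name.
$caName  = 'Example Corp Root CA'
$pemPath = Join-Path $env:USERPROFILE 'corp-root-ca.pem'   # placeholder output path

$cert = Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$caName*" } |
    Select-Object -First 1
if (-not $cert) { throw "No root certificate matching '$caName' found in the Windows store." }

# Check what is about to be trusted by every client: compare the thumbprint with
# the value published by your IT department before continuing.
Write-Host "Exporting $($cert.Subject)  thumbprint $($cert.Thumbprint)  expires $($cert.NotAfter)"

# Windows holds the certificate as DER; most other tools want PEM.
$b64 = [Convert]::ToBase64String($cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
[IO.File]::WriteAllText($pemPath, $pem, [Text.Encoding]::ASCII)

# Per-ecosystem trust settings, stored as user environment variables.
$vars = @{
    NODE_EXTRA_CA_CERTS = $pemPath   # Node.js: added on top of its built-in roots
    REQUESTS_CA_BUNDLE  = $pemPath   # Python requests: replaces the certifi bundle
    SSL_CERT_FILE       = $pemPath   # OpenSSL-based clients: replaces the default CA file
    # Java: read the Windows root store instead of the JRE's own cacerts file
    JAVA_TOOL_OPTIONS   = '-Djavax.net.ssl.trustStoreType=Windows-ROOT'
}
foreach ($name in $vars.Keys) {
    [Environment]::SetEnvironmentVariable($name, $vars[$name], 'User')
}

# Git for Windows: use the Windows TLS stack, and with it the Windows store.
git config --global http.sslBackend schannel
```

`REQUESTS_CA_BUNDLE` and `SSL_CERT_FILE` replace the default bundle rather than extend it, so if some TLS traffic is not re-signed by the corporate CA, concatenate this PEM with the tool's own bundle instead. Applications that pin a certificate or key are unaffected by any of these settings.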

huangapple
  • Posted on June 21, 2023 at 23:21:02
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76524872.html