Mitigation: X509CertificateClaimSet.FindClaims Method

Starting with apps that target the .NET Framework 4.6.1, the X509CertificateClaimSet.FindClaims method attempts to match the claimType argument against all the DNS entries in the certificate's SAN (Subject Alternative Name) field.

Impact

This change only affects apps that target the .NET Framework 4.6.1 or a later version.

For apps that target earlier versions of the .NET Framework, the X509CertificateClaimSet.FindClaims method attempts to match the claimType argument only against the last DNS entry.

Mitigation

If this change is undesirable, apps that target the .NET Framework 4.6.1 or a later version can opt out of it by adding the following configuration setting to the <runtime> section of the app's configuration file:

<runtime>
   <AppContextSwitchOverrides value="Switch.System.IdentityModel.DisableMultipleDNSEntriesInSANCertificate=true" />
</runtime>

In addition, apps that target earlier versions of the .NET Framework but run under the .NET Framework 4.6.1 or a later version can opt in to this behavior by adding the following configuration setting to the <runtime> section of the app's configuration file:

<runtime>
   <AppContextSwitchOverrides value="Switch.System.IdentityModel.DisableMultipleDNSEntriesInSANCertificate=false" />
</runtime>
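As an added example (not code from the original page), the following C# lists the DNS claims that X509CertificateClaimSet.FindClaims returns for a certificate and checks whether an expected host name is among them, which is where the one-entry versus all-entries behavior shows up; the certificate file name and host name are placeholders, and the commented AppContext.SetSwitch call is the programmatic equivalent of the configuration switch above.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper class (not part of the original page).
static class SanDnsCheck
{
    // Returns every DNS claim the claim set exposes for the certificate.
    // On apps targeting .NET Framework 4.6.1+ (switch not set) this covers all
    // SAN dNSName entries; on earlier targets only the last entry is exposed.
    public static IList<string> DnsNames(X509Certificate2 certificate)
    {
        using (var claimSet = new X509CertificateClaimSet(certificate))
        {
            return claimSet.FindClaims(ClaimTypes.Dns, Rights.PossessProperty)
                           .Select(c => (string)c.Resource)
                           .ToList();
        }
    }

    // True when the expected host name appears among the DNS claims
    // (exact, case-insensitive match; wildcard names are not expanded here).
    public static bool MatchesHost(X509Certificate2 certificate, string expectedHost)
    {
        return DnsNames(certificate)
            .Any(name => string.Equals(name, expectedHost, StringComparison.OrdinalIgnoreCase));
    }

    public static void Main()
    {
        // Programmatic opt-out, equivalent to the <runtime> setting. It must run
        // before the first claim set is created, because the switch value is
        // cached once read (assumption based on how AppContext switches behave).
        // AppContext.SetSwitch(
        //     "Switch.System.IdentityModel.DisableMultipleDNSEntriesInSANCertificate", true);

        // Placeholder file: a certificate whose SAN carries several dNSName entries.
        var cert = new X509Certificate2("multi-san.cer");
        foreach (var name in DnsNames(cert))
            Console.WriteLine("DNS claim: " + name);

        Console.WriteLine(MatchesHost(cert, "api.example.test")
            ? "expected host found among DNS claims"
            : "expected host NOT found (pre-4.6.1 targets expose only the last SAN entry)");
    }
}
```

If an identity check that relies on FindClaims starts failing for a certificate whose SAN lists several names, compare the output of this helper under both switch values before changing the configuration.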

See also