基于证书的带RESTful WCF服务的相互SSL
我有一个基于证书的双向SSL WCF RESTful服务,它托管在windows应用程序中。服务器使用自签名证书绑定到的端口。证书存在于“我的”存储区的“LocalMachine”中。在同一个“我的”存储中还有客户端证书。客户端和服务器证书的名称都与计算机名称相同。客户端和服务器配置如下所示: 客户端:基于证书的带RESTful WCF服务的相互SSL,wcf,ssl,https,Wcf,Ssl,Https,我有一个基于证书的双向SSL WCF RESTful服务,它托管在windows应用程序中。服务器使用自签名证书绑定到的端口。证书存在于“我的”存储区的“LocalMachine”中。在同一个“我的”存储中还有客户端证书。客户端和服务器证书的名称都与计算机名称相同。客户端和服务器配置如下所示: 客户端: <system.serviceModel> <behaviors> <endpointBehaviors> <behavior name="
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="ClientBehavior">
<webHttp />
<clientCredentials>
<clientCertificate storeLocation="LocalMachine" x509FindType="FindByThumbprint" storeName="My" findValue="F50C62754783EC741F6E84E25888D17CBC145691" />
<serviceCertificate>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<webHttpBinding>
<binding name="WebHttpBinding_Conf">
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</webHttpBinding>
</bindings>
<client>
<endpoint address="https://mymachine:8088/Service" behaviorConfiguration="ClientBehavior"
binding="webHttpBinding" bindingConfiguration="WebHttpBinding_Conf"
contract="RESTfulLib.IService" name="WebHttpBinding_NAme" />
</client>
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="web">
<webHttp />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<serviceCredentials>
<serviceCertificate storeLocation="LocalMachine" x509FindType="FindByThumbprint" findValue="7975794831242F2D39ED3B1BC8323EAF5DA2CA11" storeName="My"/>
</serviceCredentials>
<serviceDebug includeExceptionDetailInFaults="True"/>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<webHttpBinding>
<binding name="WebHttpBinding_Conf">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</webHttpBinding>
</bindings>
<services>
<service name="RESTfulLib.Service" behaviorConfiguration="ServiceBehavior">
<host>
<baseAddresses>
<add baseAddress="https://mymachine:8088/Service"/>
</baseAddresses>
</host>
<endpoint address="" behaviorConfiguration="web" binding="webHttpBinding" bindingConfiguration="WebHttpBinding_Conf" contract="RESTfulLib.IService">
</endpoint>
</service>
</services>
启用详细的WCF日志表明,我们在握手时出现了以下错误:
System.Net Error: 0 : [11504] Decrypt returned SEC_I_RENEGOTIATE.
我尝试过设置,但这也没有帮助:
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
证书也被复制到受信任的根CAs存储,并且有一个ServicePointManager.ServerCertificateValidationCallback,它在所有情况下都返回true(!)
如有任何答复,将不胜感激。
谢谢 由于您的证书是自签名的,因此您必须为您的客户机添加一些额外的代码 在实例化WCF客户端之前,应添加:
ServicePointManager.ServerCertificateValidationCallback = TrustAllCertificatesCallback;
TrustAllCertificatesCallback是一种执行服务证书验证的回调方法。以下是一个示例:
internal static bool TrustAllCertificatesCallback(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
{
X509Certificate2 certificate = new X509Certificate2(cert);
return certificate.Verify();
}
您还必须在受信任的根证书颁发机构证书存储中安装证书,并最终添加到客户端端点配置中:
<client>
<endpoint address="https://mymachine:8088/Service" behaviorConfiguration="ClientBehavior"
binding="webHttpBinding" bindingConfiguration="WebHttpBinding_Conf"
contract="RESTfulLib.IService" name="WebHttpBinding_NAme">
<identity>
<dns value="<<<your certificate name>>>" />
</identity>
</endpoint>
</client>
您必须确保您的证书已正确安装并配置为可访问:
Rom,我已经有一个ServicePointManager.ServerCertificateValidationCallback,它在所有情况下都返回true(!)。将证书(两者)复制到受信任的根CA。其次,我需要将xml放在哪里?您是否激活了WCF跟踪?是的,这是相同的错误:System.Net错误:0:[10796]解密返回的SEC_I_重新协商。System.Net信息:0:[12032]SecureChannel#30384602-我们有用户提供的证书。服务器已指定133个颁发者。正在查找与任何发行人匹配的证书。系统.Net信息:0:[12032]SecureChannel#30384602-剩下0个客户端证书可供选择。您在客户端计算机上的何处安装了证书?客户端和服务器都在同一台计算机上。证书在这台普通机器上。
<client>
<endpoint address="https://mymachine:8088/Service" behaviorConfiguration="ClientBehavior"
binding="webHttpBinding" bindingConfiguration="WebHttpBinding_Conf"
contract="RESTfulLib.IService" name="WebHttpBinding_NAme">
<identity>
<dns value="<<<your certificate name>>>" />
</identity>
</endpoint>
</client>