SSL客户端/服务器相互认证

Question

您好我正在尝试在C＃中使用服务器和客户端证书进行相互身份验证的ssl客户端/服务器通信。设法只使用服务器证书进行ssl通信，在客户端我使用这样的：

TcpClient client = new TcpClient(machineName, port);
//Create an SSL stream that will close the client's stream.
   SslStream sslStream = new SslStream(
   client.GetStream(),
   false,
   new RemoteCertificateValidationCallback(ValidateServerCertificate),
   null
   );
try
{
    // The server name must match the name on the server certificate.
    sslStream.AuthenticateAsClient(serverName);
}
catch (AuthenticationException e)
{
    Console.WriteLine("Exception: {0}", e.Message);
    if (e.InnerException != null)
    {
        Console.WriteLine("Inner exception: {0}", e.InnerException.Message);
    }
    Console.WriteLine("Authentication failed - closing the connection.");
    client.Close();
    return;
} 

我认为我需要使用

AuthenticateAsClient(string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation)

方法，我是谁？任何人都可以告诉我如何使用它与所有的东西？甚至在服务器端，或指向我一个基本的例子？

非常感谢你。

Answer 1

static void HTTPSClient()
{
    try
    {
        string message = "GET / HTTP/1.0\r\nHost: host.com\r\n\r\n";

        byte[] data = System.Text.Encoding.ASCII.GetBytes(message);

        string server = "host.com";
        int nPort = 443;
        TcpClient client = new TcpClient(server, nPort);

        X509Certificate2Collection cCollection = new X509Certificate2Collection();
        cCollection.Add(new X509Certificate2("cert.pfx", "password"));


        using (SslStream sslStream = new SslStream(client.GetStream(), false, new RemoteCertificateValidationCallback(ValidateServerCertificate), null))
        {
            // Add a client certificate to the ssl connection
            sslStream.AuthenticateAsClient(server, cCollection, System.Security.Authentication.SslProtocols.Default, true);

            sslStream.Write(data, 0, data.Length);

            data = new Byte[8192];
            int bytes = 0;
            string responseData = "";

            do
            {
                bytes = sslStream.Read(data, 0, data.Length);
                if (bytes > 0)
                {
                    responseData += System.Text.Encoding.ASCII.GetString(data, 0, bytes);
                }
            }
            while (bytes > 0);

            Console.WriteLine("Response: " + responseData);
        }

        // Disconnect and close the client
        client.Close();
    }
    catch (Exception ex)
    {
        Console.WriteLine("Error: " + ex.ToString());
    }
}

public static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    if (sslPolicyErrors == SslPolicyErrors.None)
        return true;

    Console.WriteLine("Certificate error: {0}", sslPolicyErrors);

    // Do not allow this client to communicate with unauthenticated servers.
    return false;
}

Answer 2

1. 您需要x509自我证书才能创建简单的下载pluralsight self cert
2. 生成image
中的证书
3. 创建新网站，选择wcf服务。
4. 添加解决方案新的控制台应用程序，以测试我们的服务。

5. 在service put configuration的web.config中：

   <?xml version="1.0"?>
   <configuration>
    <system.serviceModel>
   <behaviors>
       <serviceBehaviors>
           <behavior name="ServiceCredentialsBehavior">
               <serviceCredentials>
                   <serviceCertificate findValue="cn=cool" storeName="TrustedPeople" storeLocation="CurrentUser" />
               </serviceCredentials>
               <serviceMetadata httpGetEnabled="true" />
           </behavior>
       </serviceBehaviors>
   </behaviors>
   <services>
       <service behaviorConfiguration="ServiceCredentialsBehavior" name="Service">
           <endpoint address="" binding="wsHttpBinding" bindingConfiguration="MessageAndUserName" name="SecuredByTransportEndpoint" contract="IService"/>
       </service>
   </services>
   <bindings>
       <wsHttpBinding>
           <binding name="MessageAndUserName">
               <security mode="Message">
                   <message clientCredentialType="UserName"/>
               </security>
           </binding>
       </wsHttpBinding>
   </bindings>
   <client/>
   

       

6. 在Service类中，删除现有方法并添加：

   public string TestAccess（） {  return OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.Name; }

7. 在IService中删除数据合同，删除操作合同并添加新的操作合同：

   [OperationContract的]
   public string TestAccess（）;

8. 运行服务并在客户端应用程序中将服务引用添加到我们的服务

9. 客户端配置：

   <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.serviceModel>
     <behaviors>
       <endpointBehaviors>
           <behavior name="LocalCertValidation">
               <clientCredentials>
                   <serviceCertificate>
                       <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="CurrentUser" />
                   </serviceCertificate>
               </clientCredentials>
           </behavior>
       </endpointBehaviors>
   </behaviors>
   <bindings>
       <wsHttpBinding>
           <binding name="WSHttpBinding_IService" >
               <security mode="Message">
                   <message clientCredentialType="UserName" />
               </security>
           </binding>
       </wsHttpBinding>
   </bindings>
   <client>
       <endpoint address="your service addresss"
                 binding="wsHttpBinding"
                 bindingConfiguration="WSHttpBinding_IService"
                 contract="ServiceReference1.IService"
                 name="WSHttpBinding_IService" behaviorConfiguration="LocalCertValidation">
           <identity>
               <dns value ="cool" />
           </identity>
       </endpoint>
   </client>
   

10. 客户代码：

    ServiceClient client = new ServiceClient（）;
    client.ClientCredentials.UserName.UserName =“你的windows用户”;
    client.ClientCredentials.UserName.Password =“您的Windows用户密码”;
    Console.WriteLine（client.TestAccess（））;
    到Console.ReadLine（）;
    

11. 如果您不想使用Windows登录名/密码，则必须创建自定义用户/密码验证器->msdn：
    的此致
    
    的的Sergiu。