我有一个基于证书的相互(双向)SSL WCF RESTful服务,它托管在一个Windows应用程序中。服务器使用绑定自签名证书的端口。证书存在于“我的”商店的“LocalMachine”中。在同一个“我的”商店也是客户端证书。客户端和服务器证书的名称与计算机名称相同。客户端和服务器配置如下:
客户端:
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="ClientBehavior">
<webHttp />
<clientCredentials>
<clientCertificate storeLocation="LocalMachine" x509FindType="FindByThumbprint" storeName="My" findValue="F50C62754783EC741F6E84E25888D17CBC145691" />
<serviceCertificate>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<webHttpBinding>
<binding name="WebHttpBinding_Conf">
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</webHttpBinding>
</bindings>
<client>
<endpoint address="https://mymachine:8088/Service" behaviorConfiguration="ClientBehavior"
binding="webHttpBinding" bindingConfiguration="WebHttpBinding_Conf"
contract="RESTfulLib.IService" name="WebHttpBinding_NAme" />
</client>
服务器
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="web">
<webHttp />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<serviceCredentials>
<serviceCertificate storeLocation="LocalMachine" x509FindType="FindByThumbprint" findValue="7975794831242F2D39ED3B1BC8323EAF5DA2CA11" storeName="My"/>
</serviceCredentials>
<serviceDebug includeExceptionDetailInFaults="True"/>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<webHttpBinding>
<binding name="WebHttpBinding_Conf">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</webHttpBinding>
</bindings>
<services>
<service name="RESTfulLib.Service" behaviorConfiguration="ServiceBehavior">
<host>
<baseAddresses>
<add baseAddress="https://mymachine:8088/Service"/>
</baseAddresses>
</host>
<endpoint address="" behaviorConfiguration="web" binding="webHttpBinding" bindingConfiguration="WebHttpBinding_Conf" contract="RESTfulLib.IService">
</endpoint>
</service>
</services>
但是,我在SSL握手期间遇到了这个错误:
The HTTP request was forbidden with client authentication scheme 'Anonymous'.
启用详细的WCF日志会显示我们在握手过程中出现此错误:
System.Net Error: 0 : [11504] Decrypt returned SEC_I_RENEGOTIATE.
我尝试了设置,但这也无济于事:
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
证书也被复制到受信任的根CA存储,并且有一个ServicePointManager.ServerCertificateValidationCallback,在所有情况下都返回true(!)
任何答案都将不胜感激。 谢谢!
答案 0 :(得分:0)
由于您的证书是自签名的,您必须为您的客户提供一些额外的代码。
在实施WCF客户端之前,您应该添加:
ServicePointManager.ServerCertificateValidationCallback = TrustAllCertificatesCallback;
TrustAllCertificatesCallback是一种执行服务证书验证的回调方法。这是一个示例:
internal static bool TrustAllCertificatesCallback(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
{
X509Certificate2 certificate = new X509Certificate2(cert);
return certificate.Verify();
}
您还必须在受信任的根证书颁发机构证书存储区中安装证书,最后添加到客户端端点配置中:
<client>
<endpoint address="https://mymachine:8088/Service" behaviorConfiguration="ClientBehavior"
binding="webHttpBinding" bindingConfiguration="WebHttpBinding_Conf"
contract="RESTfulLib.IService" name="WebHttpBinding_NAme">
<identity>
<dns value="<<<your certificate name>>>" />
</identity>
</endpoint>
</client>
您必须确保您的证书已正确安装并配置为可以访问:
您首先必须在本地计算机 Peronnal商店中导入证书的私钥,而不是在当前用户Personnal商店中。如果服务帐户必须使用证书,这一点很重要。
如果您使用自签名证书,请确保公共证书已安装在本地计算机受信任的根颁发机构商店中。
允许用户访问您的证书:右键单击私人证书(本地计算机/个人),然后选择“所有任务”,然后选择“管理私钥”。