有很多人在这里问一些相同的问题。但很少有答案,或成功的报告。服务器是第三方,所以我不知道他们的配置,但他们确实报告了他们在日志中找到的内容:
他们在日志中看到的唯一一件事是这个错误。 “基于IP来自它的DEV环境,但是没有有效载荷,并且为了进入调试,URL没有正确形成。”
节点: 时间:20150105 10:21:45.798 严重程度:警告 请求ID:00000149c32c8869-3801 消息:消息已成功处理
事件类型:消息摘要 客户IP:56.6.66.6 服务:Catch-all调试服务[/ *] 操作:null Rqst长度:0 响应长度:0 响应状态:0 响应时间:0ms 用户身份 : 用户名:null
这是完整的故事,
调用https服务器上的WebService时,我从未遇到过任何问题。但它们具有ip安全性以及证书安全性(无用户名和密码安全性)
奇怪的是他们发送物理.wsdl文件时,通常我使用visual studio,指向他们,所有人都准备好了。不是这种情况。我不得不在本地添加文件,并在本地指向它们c:\ project \ Server References \ file.wsdl并且所有内容都填充正常。
我已经搜索了大约10个关于如何实现这一目标的例子(都有些变化)。当然,这可以通过配置更少(所有代码)或配置中定义的所有内容来完成。它也可以在控制台应用程序或Web应用程序中完成。出于理智的目的,我更喜欢控制台,但我两个都只是包围。
P.S。我们将SSL证书和权限作为客户端,并在没有私钥的情况下向他们发送SSL证书。
P.S.S我使用过Wireshark和Fiddler。 Wireshark以纯文本形式显示8443端口上的TCP连接和url,但数据部分似乎太小而无法容纳证书(但这只是打开的调用才能正常工作吗?)
http://tinypic.com/r/34ihld4/8(wireshark屏幕截图)
http://tinypic.com/r/14jrbx3/8(wsclient in watch)
Fiddler展示了“成功的握手”
这是我正在使用的“少配置代码”
ws.AccountInfo ai = new ws.AccountInfo();
ws.BasicAccountInfo[] info = new ws.BasicAccountInfo[10];
ws.ProductAndService PaS = new ws.ProductAndService();
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Ssl3 //have tried them all | System.Net.SecurityProtocolType.Tls | System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls12;
WSHttpBinding myBinding = new WSHttpBinding();
myBinding.Security.Mode = SecurityMode.Transport;
myBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
myBinding.ReaderQuotas.MaxArrayLength = int.MaxValue;
myBinding.MaxReceivedMessageSize = int.MaxValue;
myBinding.UseDefaultWebProxy = false;
EndpointAddress ea = new EndpointAddress("https://www.some-company.com:8443/DSMProgramsV4/PgnDSMProgramsService"); //odly no .svc ending
ws.PgnDSMProgramsServiceClient wsclient = new ws.PgnDSMProgramsServiceClient(myBinding,ea);
// Specify a certificate to use for authenticating the client.
wsclient.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine,StoreName.My, X509FindType.FindByIssuerName, "Network Solutions DV Server CA");//the cert i want is found under this name for example www.somesite.com is found and shows up in watch in wsclient below
string s = "";
try
{
wsclient.Open();//success always
info = wsclient.GetAccountList("9999", "TEST", "99999999");
wsclient.Close();
}
catch(Exception ex)
{
s = ex.Message;// hang and error happens on GetAccount List
}
Console.Write(s);
Console.Write(info[0].ToString());//if we were ever successful, never are though
我得到的错误是向https://www.some-company.com:8443/DSMProgramsV4/PgnDSMProgramsService发出HTTP请求时发生错误。这可能是由于在HTTPS情况下未使用HTTP.SYS正确配置服务器证书。这也可能是由于客户端和服务器之间的安全绑定不匹配引起的。底层连接已关闭:发送时发生意外错误。由于远程方已关闭传输流,验证失败
我永远无法接受这条消息
我也尝试过使用ChannelFactory
ws.AccountInfo ai = new ws.AccountInfo();
ws.BasicAccountInfo[] info = new ws.BasicAccountInfo[10];
ws.ProductAndService PaS = new ws.ProductAndService();
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Ssl3;
string address = "https://www.some-company.com:8443/DSMProgramsV4/PgnDSMProgramsService";
WSHttpBinding binding = new WSHttpBinding();
binding.Security.Mode = SecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
ChannelFactory<ws.PgnDSMProgramsService> factory = new ChannelFactory<ws.PgnDSMProgramsService>(binding, address);
factory.Credentials.ClientCertificate.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation.LocalMachine, System.Security.Cryptography.X509Certificates.StoreName.My, System.Security.Cryptography.X509Certificates.X509FindType.FindByIssuerName, "Network Solutions DV Server CA");
ws.PgnDSMProgramsService client = factory.CreateChannel();
var infoz = client.GetAccountList("9999", "TEST", "999999");
也没有运气,同样的错误信息。
我尝试了各种各样的web.config和app.config,就像下面这样简单:
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="CustomerEndpointBehavior" >
<clientCredentials supportInteractive="True">
<clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="www.our-cert.org" />
<!-- <serviceCertificate>
<authentication certificateValidationMode="None" revocationMode="NoCheck" />
<sslCertificateAuthentication certificateValidationMode="PeerOrChainTrust" trustedStoreLocation="LocalMachine"/>
</serviceCertificate>-->
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="CustomerBindingConfig">
<!-- closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Mtom" textEncoding="utf-8" useDefaultWebProxy="false" allowCookies="false" > -->
<!-- <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> -->
<security mode="Transport" >
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://www.some-company.com:8443/DSMProgramsV4/PgnDSMProgramsService"
binding="basicHttpBinding" bindingConfiguration="CustomerBindingConfig" behaviorConfiguration="CustomerEndpointBehavior"
contract="ws.PgnDSMProgramsService" name="serviceEndpoint" />
</client>
更复杂的
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="CustomerEndpointBehavior">
<clientCredentials>
<clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="www.our-cert.org" />
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="CustomerBindingConfig" closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"
transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate" negotiateServiceCredential="true"
algorithmSuite="Default" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://www.some-company.com:8443/DSMProgramsV4/PgnDSMProgramsService" binding="wsHttpBinding" bindingConfiguration="CustomerBindingConfig" behaviorConfiguration="CustomerEndpointBehavior" contract="ws.PgnDSMProgramsService" name="serviceEndpoint" />
</client>
不像我一直在做尽职调查,见下文
http://www.codeproject.com/Articles/36705/7-simple-steps-to-enable-HTTPS-on-WCF-WsHttp-bindi
http://msdn.microsoft.com/en-us/library/ms789011.aspx
http://www.codeproject.com/Articles/18601/An-easy-way-to-use-certificates-for-WCF-security
http://blogs.ugidotnet.org/cfolini/archive/2008/01/04/90561.aspx
http://www.codeproject.com/Articles/348595/Use-Mutual-SSL-Authentication-in-WCF
答案 0 :(得分:1)
如果您还没有,则应启用WCF跟踪,这可能有助于确定WCF安全问题的根本原因。我们发现WCF跟踪日志将揭示以前“隐藏”的问题。
http://msdn.microsoft.com/en-us/library/ms733025(v=vs.110).aspx
答案 1 :(得分:1)
不幸的是,这不是主持人可能想要删除这个问题的答案,仍然希望对那些有帮助的人表示赞赏。服务器端(我无法控制其他电话)必须使用不同的端口4443而不是8443用于TLS(ps分配的地方已禁用SSL,并且标记为我在分配问题时的问题的答案的地方)
答案 2 :(得分:1)
由于在这种情况下我只是WCF客户端,所以我无能为力。显然SoapUI可以帮助证明它有效。但是如果你在.NET中开发并使用WCF并不能帮到你。客户使用Layer7中间件XML硬件设备也使问题复杂化。最后,我必须创建一个特定的自定义内容:
<customBinding>
<binding name="Secured">
<textMessageEncoding messageVersion="Soap11"/>
<httpsTransport authenticationScheme="Anonymous" realm="" requireClientCertificate="true"/>
</binding>
似乎从Soap1.2“回滚”了
另外,我给他们的IP地址是一个问题。我的网站在IIS中,并且在一个绑定到Web园ip的工作进程下。在外部,如果你做一个nslookup,它的结果是205.14.55.250,例如我的域名。但是当添加代码来获取我的外部IP地址时,它实际上正在使用另一个ip 205.14.55.251(未分配给我的IIS中的任何网站)
这两个变化解决了问题