结合使用Certificate和UserName在WCF中使用basicHttpsBinding进行客户端身份验证,以传递反向代理身份验证

时间:2019-03-12 10:53:48

标签: c# wcf ssl

我正在尝试连接到非标准环境中的Web服务。

在具有Web Service的IIS服务器之前,我有一个反向代理服务器,该服务器需要客户端证书来验证连接。之后,Web服务本身需要其他UserName身份验证。此外,Web Service使用带有流传输模式的basicHttpsBinding,因为需要发送非常大的二进制文件(最大1GB)。

问题是我无法在客户端上使用它。我尝试在客户端使用以下绑定安全性配置:

<security mode="TransportWithMessageCredential">
  <transport clientCredentialType="Certificate" />
  <message clientCredentialType="UserName" />
</security>

证书本身随附在代码中:

client.ClientCredentials.ClientCertificate.SetCertificate(
  System.Security.Cryptography.X509Certificates.StoreLocation.CurrentUser, System.Security.Cryptography.X509Certificates.StoreName.My,
  System.Security.Cryptography.X509Certificates.X509FindType.FindByThumbprint, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");

不幸的是,我收到了SecurityNegotiationException:无法为具有权限“ xxx”的SSL / TLS建立安全通道。当我用Wireshark检查捕获的网络流量时,我可以看到,在服务器的证书请求客户端之后没有发送任何证书:

Transmission Control Protocol, Src Port: 8325, Dst Port: 443, Seq: 174, Ack: 3566, Len: 197
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 141
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 3
            Certificates Length: 0
        Handshake Protocol: Client Key Exchange
    TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
    TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message

但是,如果我仅切换到传输安全模式:

<security mode="Transport">
  <transport clientCredentialType="Certificate" />
  <message clientCredentialType="UserName" />
</security>

证书已通过:

Transmission Control Protocol, Src Port: 8894, Dst Port: 443, Seq: 174, Ack: 3566, Len: 3215
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 3159
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 2757
            Certificates Length: 2754
            Certificates (2754 bytes)
                Certificate Length: 1261
                Certificate: 308204e9308203d1a003020102020e78d7243f087eb6a900... (pkcs-9-at-emailAddress=xxx@domain,id-at-commonName=xxx)
                Certificate Length: 1487
                Certificate: 308205cb308203b3a003020102020e1882d07958679ac300... (id-at-commonName=xxx,id-at-organizationalUnitName=xxx,id-at-organizationName=xxx,id-at-countryName=xxx)
        Handshake Protocol: Client Key Exchange
        Handshake Protocol: Certificate Verify
    TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
    TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message

现在,通信由反向代理转发,但被IIS拒绝,但以下情况除外:

System.ServiceModel.Security.MessageSecurityException:安全处理器无法在消息中找到安全标头。这可能是因为该消息是不安全的故障,或者是由于通信双方之间存在绑定不匹配。如果将服务配置为具有安全性,并且客户端未使用安全性,则会发生这种情况。

这很清楚,因为我明确关闭了消息凭据。

不幸的是,如果使用TransportWithMessageCredentials安全模式的basicHttpsBinding支持或不支持用于传输的证书和用于消息身份验证的用户名,我无法找到任何准确的信息。

有人尝试过类似的配置吗?例如,我发现了以下文章How to setup a WCF service using basic Http bindings with SSL transport level security,但没有显示如果服务器端的代理请求一个证书,则如何附加特定的客户端证书。

我将非常感谢您提供任何提示。

1 个答案:

答案 0 :(得分:0)

据我所知,BasicHttpBinding支持用于传输的证书和用于消息认证的用户名。这是我之前写过的示例,希望它对您有用。
服务器(10.157.13.69,控制台应用程序)

class Program
    {
        static void Main(string[] args)
        {
            Uri uri = new Uri("https://localhost:11011");
            BasicHttpBinding binding = new BasicHttpBinding();
            binding.Security.Mode = BasicHttpSecurityMode.TransportWithMessageCredential;
            binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
            binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;

            using (ServiceHost sh = new ServiceHost(typeof(MyService), uri))
            {
                sh.AddServiceEndpoint(typeof(IService), binding, "");
                ServiceMetadataBehavior smb;
                smb = sh.Description.Behaviors.Find<ServiceMetadataBehavior>();
                if (smb == null)
                {
                    smb = new ServiceMetadataBehavior()
                    {
                        HttpsGetEnabled = true
                    };
                    sh.Description.Behaviors.Add(smb);
                }

                sh.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = System.ServiceModel.Security.UserNamePasswordValidationMode.Custom;
                sh.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new CustUserNamePasswordVal();
                Binding mexbinding = MetadataExchangeBindings.CreateMexHttpsBinding();
                sh.AddServiceEndpoint(typeof(IMetadataExchange), mexbinding, "mex");

                sh.Opened += delegate
                {
                    Console.WriteLine("Service is ready");
                };
                sh.Closed += delegate
                {
                    Console.WriteLine("Service is clsoed");
                };


                sh.Open();

                Console.ReadLine();
                sh.Close();
                Console.ReadLine();
            }

        }
    }
    [ServiceContract]
    public interface IService
    {
        [OperationContract]
        string SayHello();
    }
    public class MyService : IService
    {
        public string SayHello()
        {
            return $"Hello Stranger,{DateTime.Now.ToLongTimeString()}";
        }
    }
    internal class CustUserNamePasswordVal : UserNamePasswordValidator
    {
        public override void Validate(string userName, string password)
        {
            if (userName != "jack" || password != "123456")
            {
                throw new Exception("Username/Password is not correct");
            }
        }
    }

将证书绑定到端口。

netsh http add sslcert ipport=0.0.0.0:11011 certhash=6e48c590717cb2c61da97346d5901b260e983850 appid={ED4CE60F-6B2E-4EE6-828F-C1A6A1B12565}

客户端(通过添加服务引用来调用服务)

var client = new ServiceReference1.ServiceClient();
            client.ClientCredentials.UserName.UserName = "jack";
            client.ClientCredentials.UserName.Password = "123456";
            try
            {
                var result = client.SayHello();
                Console.WriteLine(result);
            }
            catch (Exception e)
            {
                Console.WriteLine(e.ToString());
            }

App.config(自动生成)

    <system.serviceModel>
        <bindings>
            <basicHttpBinding>
                <binding name="BasicHttpBinding_IService">
                    <security mode="TransportWithMessageCredential" />
                </binding>
            </basicHttpBinding>
        </bindings>
        <client>
            <endpoint address="https://10.157.13.69:11011/" binding="basicHttpBinding"
                bindingConfiguration="BasicHttpBinding_IService" contract="ServiceReference1.IService"
                name="BasicHttpBinding_IService" />
        </client>
</system.serviceModel>

如果有任何需要帮助的地方,请随时与我联系。