Replacing the x509 SSL certificate on an IIS-hosted WCF server and its client applications

Time: 2019-05-23 17:35:58

Tags: .net wcf iis

TL;DR: The WCF application on IIS, the server component, and the workstation client component are all looking for a certificate with a thumbprint that has expired and is therefore no longer trusted. I can't find out where to disable certificate validation.

Details:

I have read dozens of articles about implementing SSL with WCF, but I can't find anything about replacing the SSL certificate that a WCF server and client application use to verify their communication.

My dilemma is that I am using software from a vendor that went out of business a year ago, and our customer information is locked inside the old application. About two years ago we moved to a new vendor for records management, but from time to time we go back into the old system to look up information, so the system only exists in a read-only role.

The records management system consists of...
- a back-end SQL Server
- a front-end IIS server and application services

The IIS server has several application pools running in .NET 4 mode. The application services are all Windows services that start automatically when the front-end server boots.

The system used to be Internet-facing, but that is no longer the case: I have cut off all access from the outside world, and you must be on the same LAN, or at the console of the front-end server, to use the client application. Because it used to be Internet-facing it was protected by an SSL certificate from a major CA, and everything was fine until about two weeks ago, when the SSL certificate expired. Now, when I try to launch the client application, I get the following error... "Token validation failed. The X.509 certificate CN=fqdn_of_frontend_server, OU=CA_that_issued chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file."

Before you say... "Why not roll the system clock on the application and database servers back to a time when the certificate was valid?"... because I don't want to have to intervene every time any of the 50 people who have the client application installed on their machines wants to use it. Inevitably the date would keep moving past the SSL expiry date, and we are in a regulated industry, so if an auditor asks for the access logs of the old system and the dates are not correct, I will be looking for a new job.

I purchased a new SSL certificate from a trusted CA, installed it in IIS, and bound it to the Default Web Site (the only site), which runs the IIS application pools. That didn't work; the client app is still looking for the thumbprint of the old SSL certificate.

So there are three sides to this? The front-end server runs the IIS application pools and the Windows services, and the last side is the client application.

From the Windows service's server.exe.config file on the front-end server...

<?xml version="1.0"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="Mfg.Industry.BasicHttpBinding.Configuration.Open" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        </binding>
      </basicHttpBinding>
    </bindings>
  </system.serviceModel>
  <appSettings>
    <add key="ConfigurationServiceUrl" value="http://fqdn_of_frontend_server/Name_of.ConfigurationService" />
    <add key="ConfigurationServiceEncryptionKey" value="some_96_character_long_scrambled_key" />
    <add key="ApplicationName" value="App Server" />
    <add key="LocalHostName" value="fqdn_of_frontend_server" />
    <add key="RedirectToLocalHost" value="False" />
    <add key="WCF_STSConnection_Binding_Type" value="BasicHttpBinding" />
    <add key="WCF_STSConnection_Binding_Configuration_Name" value="Mfg.Industry.BasicHttpBinding.Configuration.Open" />
    <add key="WCF_InteractionProcessingConnection_Binding_Type" value="BasicHttpBinding" />
    <add key="WCF_InteractionProcessingConnection_Binding_Configuration_Name" value="Mfg.Industry.BasicHttpBinding.Configuration.Open" />
    <add key="FilterCheckPeriod" value="60" />
    <add key="ACEVerificationPeriod" value="5" />
    <add key="TestReachingQueueWaitingTime" value="500" />
    <add key="ApplicationIdleTimeout" value="300" />
    <add key="TestMessageSize" value="30" />
    <add key="PRCServiceCalculationWaitingTime" value="1" />
    <add key="PRCVerificationPeriod" value="1" />
    <add key="CommunityWebsiteUrl" value="https://some_link_now_defunct_to_Mfg/Contact-Support/" />
    <add key="ACTGVerificationPeriod" value="5" />
    <add key="ACTG_AR_VerificationPeriod" value="5" />
  </appSettings>
</configuration>

From the IIS application pool's web.config file on the front-end server...

<?xml version="1.0" encoding="utf-8"?>
<!--
  For more information on how to configure your ASP.NET application, please visit
  http://go.microsoft.com/fwlink/?LinkId=169433
  -->
<configuration>
  <configSections>
    <section name="ConfigurationService.Encryption" type="System.Configuration.NameValueSectionHandler" />
  </configSections>
  <appSettings configSource="AppSettings.config">
  </appSettings>
  <ConfigurationService.Encryption configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>some_172_character_key</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>some_460_character_key</CipherValue>
      </CipherData>
    </EncryptedData>
  </ConfigurationService.Encryption>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" />
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="20" slidingExpiration="true" />
    </authentication>
    <sessionState mode="InProc" timeout="20" />
    <!--<customErrors mode="On" defaultRedirect="Error"/>-->
    <pages>
      <namespaces>
        <add namespace="System.Web.Helpers" />
        <add namespace="System.Web.Mvc" />
        <add namespace="System.Web.Mvc.Ajax" />
        <add namespace="System.Web.Mvc.Html" />
        <add namespace="System.Web.Routing" />
        <add namespace="System.Web.WebPages" />
      </namespaces>
    </pages>
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <modules>
      <remove name="RoleManager" />
    </modules>
    <handlers>
      <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
      <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
      <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
      <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
      <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
    <defaultDocument>
      <files>
        <clear />
        <add value="" />
      </files>
    </defaultDocument>
  </system.webServer>
  <runtime>
    omitted
  </runtime>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpBinding_IAuthentication" />
        <binding name="BasicHttpBinding_ICertificateValidator" />
        <binding name="BasicHttpBinding_IAuthorization" />
        <binding name="SecurityFrameworkSoap" />
        <binding name="SecurityAdministrationSoap" />
        <binding name="SecurityPolicySoap" />
        <binding name="SecuritySynchronizationSoap" />
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IAuthentication" contract="StsAuthentication.IAuthentication" name="BasicHttpBinding_IAuthentication" />
      <endpoint binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IAuthorization" contract="STSAuthorization.IAuthorization" name="BasicHttpBinding_IAuthorization" />
      <endpoint binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_ICertificateValidator" contract="STSCertVldtr.ICertificateValidator" name="BasicHttpBinding_ICertificateValidator" />
      <endpoint binding="basicHttpBinding" bindingConfiguration="SecurityAdministrationSoap" contract="SecAdmin.SecurityAdministrationSoap" name="SecurityAdministrationSoap" />
      <endpoint binding="basicHttpBinding" bindingConfiguration="SecurityPolicySoap" contract="SecPolicy.SecurityPolicySoap" name="SecurityPolicySoap" />
      <endpoint binding="basicHttpBinding" bindingConfiguration="SecuritySynchronizationSoap" contract="SecSync.SecuritySynchronizationSoap" name="SecuritySynchronizationSoap" />
      <endpoint binding="basicHttpBinding" bindingConfiguration="SecurityFrameworkSoap" contract="SF.SecurityFrameworkSoap" name="SecurityFrameworkSoap" />
    </client>
  </system.serviceModel>
</configuration>

From the client application's appname.exe.config file...

<?xml version="1.0"?>
<configuration>
  <configSections>
    <section name="exceptionHandling" type="Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Configuration.ExceptionHandlingSettings, Microsoft.Practices.EnterpriseLibrary.ExceptionHandling, Version=2.0.0.0, Culture=neutral, PublicKeyToken=0ccaa1d06491a513" />
    <section name="securityCryptographyConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.Configuration.CryptographySettings, Microsoft.Practices.EnterpriseLibrary.Security.Cryptography, Version=2.0.0.0, Culture=neutral, PublicKeyToken=0ccaa1d06491a513" />
    <section name="informationMonitoringSynchronization" type="System.Configuration.NameValueFileSectionHandler" />
    <section name="assembliesToJIT" type="System.Configuration.NameValueFileSectionHandler" />
    <section name="loggingConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Logging.Configuration.LoggingSettings, Microsoft.Practices.EnterpriseLibrary.Logging, Version=2.0.0.0, Culture=neutral, PublicKeyToken=0ccaa1d06491a513" />
  </configSections>
  <appSettings>
    <add key="WCF_Base_URL" value="net.tcp://localhost:{0}/Allscripts.Homecare/Services/{1}/{2}" />
    <add key="WCF_Hosting_Binding_Configuration_Name" value="Mfg.Industry.NetTcpBinding.Configuration.Open" />
    <add key="WCF_Hosting_Binding_Type" value="NetTcpBinding" />
    <add key="SLPingTimeout" value="2" />
    <add key="WCF_Hosting_Start_Port" value="2222" />
    <add key="WCF_Hosting_End_Port" value="9199" />
  </appSettings>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="bin" />
    </assemblyBinding>
  </runtime>
  <exceptionHandling>
    <exceptionPolicies>
      <add name="Authentication Exception Policy">
        <exceptionTypes>
          <add name="AuthenticationException" type="Mfg.Industry.Security.Framework.Facade.AuthenticationException, Mfg.Industry.Security.Framework.Facade, Version=17.2.0.163, Culture=neutral, PublicKeyToken=c5afe0c9031f3768" postHandlingAction="NotifyRethrow">
            <exceptionHandlers />
          </add>
          <add name="Exception" type="System.Exception, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" postHandlingAction="NotifyRethrow">
            <exceptionHandlers />
          </add>
        </exceptionTypes>
      </add>
      <add name="Unhandled Exception Policy">
        <exceptionTypes>
          <add name="Exception" type="System.Exception, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" postHandlingAction="NotifyRethrow">
            <exceptionHandlers>
            </exceptionHandlers>
          </add>
          <add name="IndustryException" type="Mfg.Industry.IndustryException, Mfg.Industry.Lib, Version=17.2.0.163, Culture=neutral, PublicKeyToken=c5afe0c9031f3768" postHandlingAction="NotifyRethrow">
            <exceptionHandlers>
            </exceptionHandlers>
          </add>
        </exceptionTypes>
      </add>
      <add name="User Services Exception Policy">
        <exceptionTypes>
          <add name="Exception" type="System.Exception, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" postHandlingAction="None">
            <exceptionHandlers>
            </exceptionHandlers>
          </add>
        </exceptionTypes>
      </add>
    </exceptionPolicies>
  </exceptionHandling>
  <securityCryptographyConfiguration>
    <hashProviders>
      <add algorithmType="System.Security.Cryptography.MD5CryptoServiceProvider, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" saltEnabled="false" type="Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.HashAlgorithmProvider, Microsoft.Practices.EnterpriseLibrary.Security.Cryptography, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null" name="MD5CryptoServiceProvider" />
    </hashProviders>
  </securityCryptographyConfiguration>
  <informationMonitoringSynchronization>
    <add key="BatchSize" value="15" />
    <add key="CompressionEnabled" value="True" />
    <add key="MultithreadingEnabled" value="False" />
  </informationMonitoringSynchronization>
  <system.net>
    <settings>
      <httpWebRequest useUnsafeHeaderParsing="true" />
    </settings>
  </system.net>
  <assembliesToJIT>
    <add key="MfgIndustrySecurityCommon" value="Mfg.Industry.Security.Common" />
    <add key="MfgIndustrySecurityFramework" value="Mfg.Industry.Security.Framework" />
    <add key="MfgIndustrySecurityWebServicesClient" value="Mfg.Industry.Security.WebServices.Client" />
    <add key="MfgIndustrySecurityFrameworkFacade" value="Mfg.Industry.Security.Framework.Facade" />
    <add key="MfgIndustrySecurityAdministrationCommon" value="Mfg.Industry.Security.Administration.Common" />
    <add key="MfgIndustrySynchronization" value="Mfg.Industry.Synchronization" />
    <add key="MfgIndustrySynchronizationData" value="Mfg.Industry.Synchronization.Data" />
    <add key="MfgIndustryDFAClient" value="Mfg.Industry.DFA.Client" />
    <add key="MfgIndustryDFAFramework" value="Mfg.Industry.DFA.Framework" />
    <add key="EligibilityWebClient" value="Mfg.Industry.Eligibility.WebClient" />
    <add key="InformationMonitoring" value="Mfg.Industry.InformationMonitoring" />
    <add key="EligibilityClient" value="Mfg.Industry.Eligibility.Client" />
    <add key="SplitBillingRule" value="Mfg.Industry.SplitBillingRule" />
    <add key="EventManagerClient" value="Mfg.Industry.EventManager.Client" />
    <add key="MfgIndustrySanctionImportClient" value="Mfg.Industry.SanctionImport.Client" />
    <add key="MfgIndustryTestInterfaces" value="Mfg.Industry.TestInterfaces" />
    <add key="MfgIndustryOpenAPIClient" value="Mfg.Industry.OpenAPI.Client" />
    <add key="MfgIndustryCommonDefinitionData" value="Mfg.Industry.Common.DefinitionData" />
    <add key="InfomaticsMisc" value="Infomatics2.Win.Misc.v6.1, Version=6.1.20061.28, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb" />
    <add key="InfomaticsGrid" value="Infomatics2.Win.UltraWinGrid.v6.1, Version=6.1.20061.28, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb" />
    <add key="InfomaticsEditors" value="Infomatics2.Win.UltraWinEditors.v6.1, Version=6.1.20061.28, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb" />
    <add key="InfomaticsFolio" value="Infomatics2.Win.UltraWinFolio.v6.1, Version=6.1.20061.28, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb" />
    <add key="InfomaticsFolio63" value="Infomatics2.Win.UltraWinFolio.v6.3, Version=6.3.20063.1091, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb" />
    <add key="InfomaticsTab" value="Infomatics2.Win.UltraWinTabControl.v6.1, Version=6.1.20061.28, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb" />
    <add key="InfomaticsWin" value="Infomatics2.Win.v6.1, Version=6.1.20061.28, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb" />
    <add key="InfomaticsTree" value="Infomatics2.Win.UltraWinTree.v6.1, Version=6.1.20061.28, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb" />
    <add key="InfomaticsShared" value="Infomatics2.Shared.v6.1, Version=6.1.20061.28, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb" />
    <add key="DevExpressUtils" value="DevExpress.Utils, Version=2.1.4.0, Culture=neutral, PublicKeyToken=79868b8147b5eae4" />
    <add key="DevExpressEditors" value="DevExpress.XtraEditors, Version=2.1.4.0, Culture=neutral, PublicKeyToken=79868b8147b5eae4" />
    <add key="CommonControls" value="Mfg.Industry.Forms.Controls" />
    <add key="MfgIndustryDFAClientData" value="Mfg.Industry.DFA.Client.Data" />
    <add key="MfgIndustryDFAClientDataFacade" value="Mfg.Industry.DFA.Client.Data.Facade" />
    <add key="MfgIndustryDFAClientSharedInterfaces" value="Mfg.Industry.DFA.Client.SharedInterfaces" />
    <add key="InformationMonitoringData" value="Mfg.Industry.InformationMonitoring.Data" />
    <add key="Eligibility" value="Mfg.Industry.Eligibility" />
    <add key="EligibilityCommon" value="Mfg.Industry.Eligibility.Common" />
    <add key="OnboardAndStatusConfiguration" value="Mfg.Industry.EventManager.OnboardAndStatusConfiguration" />
    <add key="EventManagerClientCommon" value="Mfg.Industry.EventManager.Client.Common" />
    <add key="EventManagerCommon" value="Mfg.Industry.EventManager.Common" />
    <add key="MfgIndustryFormsControls" value="Mfg.Industry.Forms.Controls" />
    <add key="MfgIndustryHelpManagerHelpClient" value="Mfg.Industry.HelpManager.HelpClient" />
    <add key="MfgIndustryPayrollCommon" value="Mfg.Industry.Payroll.Common" />
    <add key="MfgIndustryReportCommon" value="Mfg.Industry.Report.Common" />
  </assembliesToJIT>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="Mfg.Industry.NetTcpBinding.Configuration.Open" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" hostNameComparisonMode="StrongWildcard" maxReceivedMessageSize="2147483647">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <security mode="None" />
        </binding>
      </netTcpBinding>
    </bindings>
  </system.serviceModel>
  <loggingConfiguration name="Logging Application Block" tracingEnabled="true" defaultCategory="General" logWarningsWhenNoCategoriesMatch="true">
    <listeners>
      <add listenerDataType="Microsoft.Practices.EnterpriseLibrary.Logging.Configuration.CustomTraceListenerData, Microsoft.Practices.EnterpriseLibrary.Logging, Version=2.0.0.0, Culture=neutral, PublicKeyToken=0ccaa1d06491a513" traceOutputOptions="None" type="Mfg.Industry.Plugin.Diagnostics.DebugTraceListener, Mfg.Industry.Plugin.Diagnostics" name="DebugTraceListener" initializeData="" formatter="" />
    </listeners>
    <categorySources>
      <add switchValue="All" name="General" />
    </categorySources>
    <specialSources>
      <allEvents switchValue="All" name="All Events">
        <listeners>
          <add name="DebugTraceListener" />
        </listeners>
      </allEvents>
      <notProcessed switchValue="All" name="Unprocessed Category" />
      <errors switchValue="All" name="Logging Errors &amp; Warnings" />
    </specialSources>
  </loggingConfiguration>
</configuration>

Which files do I need to edit just to disable WCF certificate validation? I have tried things like...

<configuration>
  <system.net>
    <settings>
      <servicePointManager checkCertificateName="false" checkCertificateRevocationList="false" />
    </settings>
  </system.net>
</configuration>

I keep hitting roadblocks. Ultimately I want to use the new SSL certificate I bought, but that means I will have to go through this process again someday, so I might as well turn certificate validation off entirely.
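An added inventory script, not part of the original post and not the vendor's code, for locating where the old thumbprint is actually wired in. Two things stand out in the three configs quoted above: none of them contains a `<behaviors>` element, which is where WCF normally carries `certificateValidationMode` (under `clientCredentials/serviceCertificate/authentication` on the client side, or `serviceCredentials/clientCertificate/authentication` and `issuedTokenAuthentication` on the service side), and the IIS `web.config` pulls its `appSettings` from an `AppSettings.config` file via `configSource` that is not shown, plus an RSA-encrypted `ConfigurationService.Encryption` section. The `servicePointManager` settings the post tried only affect System.Net transport checks (`HttpWebRequest`); the quoted error comes from the System.IdentityModel X.509 token validator, which is configured separately or in code. The script below checks the machine certificate stores for the old thumbprint, lists the http.sys SSL bindings, and greps every config under the application directories for a thumbprint or a WCF certificate reference. The thumbprint and the three directory paths are assumptions; substitute your own.

```powershell
# Added example; not from the original post. Edit the thumbprint and paths.
param(
    # Thumbprint of the EXPIRED certificate (assumed value; read it from the
    # old IIS binding or from the certificate MMC snap-in).
    [string]$OldThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567',

    # Directories holding the three config sets shown in the post (assumed paths).
    [string[]]$SearchRoots = @(
        'C:\inetpub\wwwroot',                    # IIS web.config + AppSettings.config
        'C:\Program Files\Mfg\Industry\Server',  # Windows service server.exe.config
        'C:\Program Files\Mfg\Industry\Client'   # workstation appname.exe.config
    )
)

$ErrorActionPreference = 'Stop'
# Normalise to the uppercase hex form the Cert: provider uses.
$thumb = ($OldThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# 1. Is the old certificate still in any LocalMachine store, and is it expired?
#    ChainTrust fails on an expired leaf regardless of which store holds it.
Write-Host "== Certificates in Cert:\LocalMachine with thumbprint $thumb =="
Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    Where-Object { -not $_.PSIsContainer -and $_.Thumbprint -eq $thumb } |
    Select-Object PSParentPath, Subject, NotAfter,
        @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } } |
    Format-Table -AutoSize

# 2. Which certificate hash does http.sys actually serve on each HTTPS binding?
#    (The IIS UI binding and the http.sys binding can disagree after a swap.)
Write-Host "== http.sys SSL bindings =="
netsh http show sslcert |
    Select-String -Pattern 'IP:port', 'Hostname:port', 'Certificate Hash' -SimpleMatch

# 3. Every config file that pins a certificate: by raw thumbprint, by an explicit
#    WCF certificate reference (findValue/x509FindType), or by the validation-mode
#    switch the error message refers to. Select-String is case-insensitive, so a
#    lowercase thumbprint in a config is still found.
$patterns = @(
    $thumb,
    'findValue=',
    'x509FindType=',
    'certificateValidationMode=',
    'serviceCertificate',
    'clientCertificate',
    'issuedTokenAuthentication'
)
Write-Host "== Config files referencing a certificate =="
Get-ChildItem -Path $SearchRoots -Recurse -Include '*.config', '*.xml' -ErrorAction SilentlyContinue |
    Select-String -Pattern $patterns -SimpleMatch |
    Select-Object Path, LineNumber, @{ Name = 'Match'; Expression = { $_.Line.Trim() } } |
    Format-Table -AutoSize -Wrap
```

Step 3 cannot see inside the encrypted `ConfigurationService.Encryption` section; `aspnet_regiis -pdf "ConfigurationService.Encryption" <physical path of the web app>` decrypts it in place (back up `web.config` first, and run it on the server that holds the "Rsa Key" container). If nothing on disk references the thumbprint, the reference is either in the SQL database or hard-coded in the STS assemblies, and the remaining options are pointing a `findValue` at the new thumbprint where one is found, or setting `certificateValidationMode="None"`. The latter removes the chain check entirely, so on this LAN-only, read-only system it is worth first trying `PeerTrust` with the new certificate placed in `Cert:\LocalMachine\TrustedPeople` on the server and on the clients, which keeps a trust decision while avoiding a repeat of this exercise when the purchased certificate expires.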

0 answers:

No answers.