我有一个WCF服务,该服务当前接受具有MD5加密(兼容TLS 1.1)的证书,并且一个客户端可以使用上述证书来使用该服务。
但是,我们希望通过新证书(SHA-1加密)升级到TLS1.2,并能够接受两个证书以实现向后兼容性。
有什么方法可以实现?
WCF服务在配置文件中进行如下配置:
<system.serviceModel>
<services>
<service name="MyService" behaviorConfiguration="ServiceBehavior">
<host>
<baseAddresses>
<add baseAddress="net.Tcp://localhost:8004" />
<add baseAddress="http://localhost:8006" />
</baseAddresses>
</host>
<!-- Service Endpoints -->
<endpoint address="SomeService" binding="netTcpBinding" bindingConfiguration="netTcpBindingConf" contract="IService">
<identity>
<dns value="ServerCertificate" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<client>
<endpoint address="net.Tcp://localhost:8001/AnotherService" behaviorConfiguration="ClientBehavior" binding="netTcpBinding" bindingConfiguration="netTcpBindingConf" contract="IService" name="IRACService">
<identity>
<dns value="ServerCertificate" />
</identity>
</endpoint>
</client>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="false" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<serviceCertificate findValue="ServerCertificate" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
<clientCertificate>
<certificate findValue="ClientCertificate" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
<authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />
</clientCertificate>
</serviceCredentials>
<serviceThrottling maxConcurrentCalls="1000" maxConcurrentInstances="1000" maxConcurrentSessions="1000" />
<dataContractSerializer maxItemsInObjectGraph="2147483647" />
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="ClientBehavior">
<clientCredentials>
<clientCertificate findValue="ClientCertificate" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
<serviceCertificate>
<defaultCertificate findValue="ServerCertificate" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
<authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<netTcpBinding>
<binding name="netTcpBindingConf" closeTimeout="00:11:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxReceivedMessageSize="2147483647" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxConnections="1000" openTimeout="00:20:00">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<reliableSession ordered="true" inactivityTimeout="00:15:00" />
<security mode="TransportWithMessageCredential">
<message clientCredentialType="Certificate" algorithmSuite="Default" />
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
</security>
</binding>
</netTcpBinding>
</bindings>
客户端在配置文件中的配置如下:
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="bindingConfigName" closeTimeout="00:10:00" openTimeout="00:40:00" receiveTimeout="00:32:00" sendTimeout="00:10:00" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="2147483647">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<reliableSession ordered="true" inactivityTimeout="00:10:00" />
<security mode="TransportWithMessageCredential">
<message clientCredentialType="Certificate" algorithmSuite="Default" />
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
</security>
</binding>
</netTcpBinding>
</bindings>
<client>
<endpoint address="net.Tcp://localhost:8004/SomeService" behaviorConfiguration="ClientBehavior" binding="netTcpBinding" bindingConfiguration="bindingConfigName" contract="IService" name="ISomeService">
<identity>
<dns value="ServerCertificate" />
</identity>
</endpoint>
<endpoint address="net.Tcp://localhost:8004/SomeService" behaviorConfiguration="ClientBehavior" binding="netTcpBinding" bindingConfiguration="bindingConfigName" contract="IService" name="ISomeService2">
<identity>
<dns value="ServerCertificate" />
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="ClientBehavior">
<clientCredentials>
<clientCertificate findValue="ClientCertificate" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
<serviceCertificate>
<defaultCertificate findValue="ServerCertificate" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
<authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />
</serviceCertificate>
</clientCredentials>
<dataContractSerializer maxItemsInObjectGraph="2147483647" />
</behavior>
</endpointBehaviors>
</behaviors>
答案 0 :(得分:0)
TLS版本取决于应用程序的运行时和操作系统版本。
https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
如果可能,我们可以在下面的代码段中指定TLS版本(这需要上面链接中描述的一些先决条件)。
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
我不建议这样做,如文档中所述。我们只需要确保应用程序可以在Dotnet framework4.7,上面的OS win7上运行,则TLS版本将优先于新的TLS版本。