Here is a brief summary: I have a WCF client (.NET 4.0) that works fine on Windows 7 (64-bit) but fails on XP (32-bit). Since I have many XP customers, this is a big problem.
Here is the code:
    ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
    //System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls; //.Ssl3;
    EndpointAddress addr = new EndpointAddress(g2bservice);
    B2GServiceClient client = new B2GServiceClient(NCTSBinding.Create(), addr);
    client.ClientCredentials.ClientCertificate.Certificate = ccer; // the one that is on the smart card
    client.Endpoint.Behaviors.Add(new MyCustomBehavior());
    echo e = new echo();
    e.Msg = "Hello, World!";
    echoResponse r = client.echo(e);
And the binding is created like this:
    BindingElement[] be = new BindingElement[2];
    be[0] = new NCTSMessageEncodingBindingElement();
    HttpsTransportBindingElement hbe = new HttpsTransportBindingElement();
    hbe.RequireClientCertificate = true;
    be[1] = hbe;
    CustomBinding _b = new CustomBinding(be);
    return _b;
where NCTSMessageEncodingBinding is the same as MtomMessageEncodingBinding with IsContentTypeSupported(...) overridden.
So this code works on Win7, where a dialog asks for the PIN to get the "private part" from the smart card. On XP the PIN dialog is never shown; instead this error message appears:
"An error occurred while making the HTTP request to https://cistest.apis-it.hr:8446/g2bservis. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server."
Any clues? What differs in the supporting infrastructure between XP and Win7?
Small update: note the bold lines where the working and non-working trace logs differ. For some reason, on the Windows 7 machine the initial message contains the service name (cistest.apis-it.hr), while on XP it is missing. After this message the socket on XP is closed...
Windows 7, working example (same code):

    System.Net Information: 0 : [3748] SecureChannel#23960260 - Certificate is of type X509Certificate2 and contains the private key.
    System.Net Information: 0 : [3748] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
    System.Net Information: 0 : [3748] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = cistest.apis-it.hr, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
    System.Net Information: 0 : [3748] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=122, returned code=ContinueNeeded).
    System.Net.Sockets Verbose: 0 : [3748] Socket#46340781::Send()
    System.Net.Sockets Verbose: 0 : [3748] Data from Socket#46340781::Send
    System.Net.Sockets Verbose: 0 : [3748] 00000000 : 16 03 01 00 75 01 00 00-71 03 01 4E 67 4E 6A 26 : ....u...q..NgNj&
    System.Net.Sockets Verbose: 0 : [3748] 00000010 : C6 C9 65 17 D7 EC C1 A1-15 72 E1 56 80 F4 5A BB : ..e......r.V..Z.
    System.Net.Sockets Verbose: 0 : [3748] 00000020 : A8 4C 50 54 84 D4 3E 86-29 68 CA 00 00 18 00 2F : .LPT..>.)h...../
    System.Net.Sockets Verbose: 0 : [3748] 00000030 : 00 35 00 05 00 0A C0 13-C0 14 C0 09 C0 0A 00 32 : .5.............2
    System.Net.Sockets Verbose: 0 : [3748] 00000040 : 00 38 00 13 00 04 01 00-00 30 FF 01 00 01 00 00 : .8.......0......
    System.Net.Sockets Verbose: 0 : [3748] 00000050 : 00 00 17 00 15 00 00 12-63 69 73 74 65 73 74 2E : ........cistest.
    System.Net.Sockets Verbose: 0 : [3748] 00000060 : 61 70 69 73 2D 69 74 2E-68 72 00 0A 00 06 00 04 : apis-it.hr......
    System.Net.Sockets Verbose: 0 : [3748] 00000070 : 00 17 00 18 00 0B 00 02-01 00 : ..........
    System.Net.Sockets Verbose: 0 : [3748] Exiting Socket#46340781::Send() -> 122#122

XP, not working example (same code):

    System.Net Information: 0 : [2272] SecureChannel#7307181 - Certificate is of type X509Certificate2 and contains the private key.
    System.Net Information: 0 : [2272] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
    System.Net Information: 0 : [2272] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = cistest.apis-it.hr, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
    System.Net Information: 0 : [2272] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=77, returned code=ContinueNeeded).
    System.Net.Sockets Verbose: 0 : [2272] Socket#32308990::Send()
    System.Net.Sockets Verbose: 0 : [2272] Data from Socket#32308990::Send
    System.Net.Sockets Verbose: 0 : [2272] 00000000 : 16 03 01 00 48 01 00 00-44 03 01 4E 67 4E 1E C1 : ....H...D..NgN..
    System.Net.Sockets Verbose: 0 : [2272] 00000010 : 32 BD E0 57 87 A8 68 8B-32 77 00 18 DE 3F 69 3D : 2..W..h.2w...?i=
    System.Net.Sockets Verbose: 0 : [2272] 00000020 : D7 B1 7B 76 AD 26 A6 63-6B BB 49 00 00 16 00 04 : ..{v.&.ck.I.....
    System.Net.Sockets Verbose: 0 : [2272] 00000030 : 00 05 00 0A 00 09 00 64-00 62 00 03 00 06 00 13 : .......d.b......
    System.Net.Sockets Verbose: 0 : [2272] 00000040 : 00 12 00 63 01 00 00 05-FF 01 00 01 00 : ...c.........
    System.Net.Sockets Verbose: 0 : [2272] Exiting Socket#32308990::Send() -> 77#77
    System.Net.Sockets Verbose: 0 : [2272] Socket#32308990::Receive()
    System.Net.Sockets Verbose: 0 : [2272] Data from Socket#32308990::Receive
    System.Net.Sockets Verbose: 0 : [2272] 00000000 : 15 03 01 00 02 : ..... ...
    System.Net.Sockets Verbose: 0 : [2272] Exiting Socket#32308990::Receive() -> 5#5
    System.Net.Sockets Verbose: 0 : [2272] Socket#32308990::Receive()
    System.Net.Sockets Verbose: 0 : [2272] Data from Socket#32308990::Receive
    System.Net.Sockets Verbose: 0 : [2272] 00000005 : 02 28 : .(
    System.Net.Sockets Verbose: 0 : [2272] Exiting Socket#32308990::Receive() -> 2#2
    System.Net.Sockets Verbose: 0 : [2272] Socket#32308990::Receive()
    System.Net.Sockets Verbose: 0 : [2272] Data from Socket#32308990::Receive
    System.Net.Sockets Verbose: 0 : [2272] 00000007 : :
    System.Net.Sockets Verbose: 0 : [2272] Exiting Socket#32308990::Receive() -> 0#0
    System.Net.Sockets Verbose: 0 : [2272] Socket#32308990::Dispose()
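To make the difference between the two traces concrete, here is an added example (not code from the question or the answer) that decodes the two ClientHello records and the server's 7-byte reply straight from the hex dumps above. The byte strings are copied from the trace; the AES suite set, the extension decoding and the alert table are mine, so the `offers_aes` flag and the suite/extension lists are the assumption-free part, while the human-readable alert names come from the TLS RFCs.

```python
import struct

# Constructed from the System.Net.Sockets hex dumps in the question (offsets/separators removed).
WIN7_HELLO = bytes.fromhex(
    "16030100750100007103014E674E6A26C6C96517D7ECC1A11572E15680F45ABB"
    "A84C505484D43E862968CA000018002F00350005000AC013C014C009C00A0032"
    "00380013000401000030FF01000100000000170015000012636973746573742E"
    "617069732D69742E6872000A0006000400170018000B00020100")
XP_HELLO = bytes.fromhex(
    "16030100480100004403014E674E1EC132BDE05787A8688B32770018DE3F693D"
    "D7B17B76AD26A6636BBB4900001600040005000A000900640062000300060013"
    "0012006301000005FF01000100")
XP_SERVER_REPLY = bytes.fromhex("15030100020228")   # the 5 + 2 bytes the XP socket received

# AES-CBC suites (RFC 3268 / RFC 4492) present in the Win7 hello; the XP list has none of them.
AES_SUITES = {0x002F, 0x0035, 0x0032, 0x0038, 0xC009, 0xC00A, 0xC013, 0xC014}

def u16(b, i):
    return struct.unpack("!H", b[i:i + 2])[0]

def parse_client_hello(record):
    """Version, offered cipher suites, extension types and SNI host of one ClientHello record."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or len(record) != 5 + rlen or record[5] != 0x01:
        raise ValueError("not a complete ClientHello record")
    body, p = record[5:], 4                   # skip handshake type + 3-byte length
    version = u16(body, p); p += 2
    p += 32                                   # client random
    p += 1 + body[p]                          # session id
    cs_len = u16(body, p); p += 2
    suites = [u16(body, i) for i in range(p, p + cs_len, 2)]; p += cs_len
    p += 1 + body[p]                          # compression methods
    exts = {}
    if p < len(body):                         # extensions block is optional in TLS 1.0
        end = p + 2 + u16(body, p); p += 2
        while p < end:
            etype, elen = struct.unpack("!HH", body[p:p + 4]); p += 4
            exts[etype] = body[p:p + elen]; p += elen
    sni = None
    if 0 in exts:                             # server_name: list_len(2) type(1) name_len(2) host
        sni = exts[0][5:5 + u16(exts[0], 3)].decode("ascii")
    return {"version": version, "suites": suites, "extensions": sorted(exts),
            "sni": sni, "offers_aes": bool(AES_SUITES & set(suites))}

def parse_alert(record):
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x15 or rlen != 2:
        raise ValueError("not an Alert record")
    return ({1: "warning", 2: "fatal"}.get(record[5], str(record[5])),
            {40: "handshake_failure", 70: "protocol_version"}.get(record[6], str(record[6])))
```

Run against the two dumps, the Win7 hello carries 12 suites including AES and ECDHE plus a server_name extension for cistest.apis-it.hr, while the XP hello carries 11 RC4/DES/3DES suites and only renegotiation_info, and the 7 bytes the server sends back decode as a fatal handshake_failure alert, which is why the socket is then disposed.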
Answer 0 (score: 1)
Well, after a month or so of trying to solve this, the conclusion is that the problem cannot be solved. At least not with native .NET and OS support. Windows XP is apparently too old for Microsoft to support AES 256-bit encryption with SHA-256 RSA signatures for the key exchange. 40% of the world's users are still on XP, so this decision is really strange.
Such support was added in Windows Server 2003 (I tried adding schannel.dll and rsaenh.dll from 2003 to XP; some progress, but far from ideal).
The official answer from advanced technical support was: "Currently things do not look promising; in the past another customer requested an XP version of KB article 948963, but this request was rejected by our product group. These security features were introduced in Vista, and the 6 to 7 year gap between the two platforms makes it very hard to make changes to XP."
So for SOAP and web services, I would not recommend .NET, at least not for enterprise services where you do not control both ends.
Sigh!