WCF service using SSL

Time: 2011-12-19 07:16:04

Tags: wcf ssl

I know that SSL certificates are used for the security of an application, so that data is transferred in encrypted form. As far as I know, we have to install the SSL certificate on the host server for our application.

These days I am working on WCF services. The client wants us to use an SSL certificate for the WCF service.

What I want to know is what needs to be done at the code level for the SSL certificate. I will host my service in IIS.

What are the steps to configure a WCF service with an SSL certificate?

I know a little knowledge is always dangerous :(

Please explain in detail.

Thanks in advance.

1 answer:

Answer 0: (score: 0)

To configure your service for 2-way SSL, follow these steps:

  1. Create a website with an https binding mapped to it.
  2. When an https binding is mapped to a website, it asks for a server SSL certificate, which is used to secure your transport channel.
  3. Create a virtual directory in which you want to deploy the service.
  4. Now the WCF service being built needs configuration that specifies the service uses https and that clients are authenticated with certificates.
  5. In the SSL settings of the virtual directory, set the option to "Accept", which indicates that the client may pass a certificate. If you set it to Require, the client must pass a certificate.
  6. Note: when using certificates you need to determine which certificate has to be installed in which certificate store. You may get some exceptions with self-signed certificates, but they can be bypassed on the client with the following code:

    ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, error) => true;
    

    Some code on how to implement a custom certificate validator and use it:

    using System;
    using System.IdentityModel.Selectors;
    using System.IdentityModel.Tokens;
    using System.Security.Cryptography.X509Certificates;

    public class CustomX509CertificateValidator : X509CertificateValidator
    {
        // This Validation function accepts any X.509 Certificate that is self-issued. As anyone can construct such
        // a certificate this custom validator is less secure than the default behavior provided by the
        // ChainTrust X509CertificateValidationMode. The security implications of this should be carefully
        // considered before using this validation logic in production code.
        public override void Validate(X509Certificate2 certificate)
        {
            // Check that we have been passed a certificate
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            // Only accept self-issued certificates
            if (certificate.Subject != certificate.Issuer)
                throw new SecurityTokenException("Certificate is not self-issued");
        }
    }
    

    Now use the custom certificate validator in your WCF service configuration file as shown below:

    <behaviors>
      <serviceBehaviors>
        <behavior name="CalculatorServiceBehavior">
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <serviceCredentials>
            <!--
            The serviceCredentials behavior allows one to specify authentication constraints on client certificates.
            -->
            <clientCertificate>
              <!--
              Setting the certificateValidationMode to Custom means that if the custom X509CertificateValidator
              does NOT throw an exception, then the provided certificate will be trusted without performing any
              validation beyond that performed by the custom validator. The security implications of this
              setting should be carefully considered before using Custom in production code.
              -->
              <authentication certificateValidationMode="Custom" customCertificateValidatorType="X509CertificateValidator.CustomX509CertificateValidator, service"/>
            </clientCertificate>
            <!--
            The serviceCredentials behavior allows one to define a service certificate.
            A service certificate is used by a client to authenticate the service and provide message protection.
            This configuration references the "localhost" certificate installed during the setup instructions.
            -->
            <serviceCertificate findValue="localhost" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
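As an added example that is not part of the original answer: the same two hooks the answer uses, written so they narrow trust instead of removing it. The service-side validator keeps the chain check and additionally pins an explicit allow-list of client certificate thumbprints, and the client-side callback accepts a self-signed development server certificate only when it is the expected one, rather than returning true for every certificate. The class names and the all-zero thumbprints are hypothetical placeholders.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical service-side validator: the client certificate must build a valid chain
// (with revocation checking) AND its thumbprint must be on an explicit allow-list.
public class AllowListX509CertificateValidator : X509CertificateValidator
{
    // PLACEHOLDER thumbprints; replace with the real client certificate thumbprints.
    private static readonly string[] AllowedThumbprints = { "0000000000000000000000000000000000000000" };

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        // Same chain validation that ChainTrust performs, kept rather than replaced.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        if (!chain.Build(certificate))
            throw new SecurityTokenException("Client certificate chain could not be validated");

        // Pin to known client identities; thumbprints are hex, so compare case-insensitively.
        foreach (var allowed in AllowedThumbprints)
            if (string.Equals(allowed, certificate.Thumbprint, StringComparison.OrdinalIgnoreCase))
                return;
        throw new SecurityTokenException("Client certificate is not on the allow-list");
    }
}

// Hypothetical client-side replacement for '=> true'. Assign PinnedServerCertificate.Validate to
// ServicePointManager.ServerCertificateValidationCallback: a self-signed development server
// certificate is accepted only when it is the expected one, and only for chain errors.
public static class PinnedServerCertificate
{
    private const string ExpectedThumbprint = "0000000000000000000000000000000000000000"; // PLACEHOLDER

    public static bool Validate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;                       // normal, chain-trusted case
        if (cert == null || errors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;                      // host-name mismatch or no certificate: never accept
        var presented = new X509Certificate2(cert).Thumbprint;
        return string.Equals(presented, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase);
    }
}
```

Wire the validator in with the same `certificateValidationMode="Custom"` attribute shown in the answer, pointing `customCertificateValidatorType` at this class and its assembly.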