为什么 WCF 会抱怨身份检查失败?
我正在创建一个 WCF 应用程序,我将在其中使用证书来加密客户端和服务器之间的通信。在我的开发环境中,我想使用我使用 makecert 创建的测试证书/自签名证书。 (只有服务器才会有证书,客户端不会)。
我已将证书安装到证书存储中,一切正常。在客户端上,certificateValidationMode 当前设置为“false”,因为我正在使用测试证书。
我的问题:
在客户端的 app.config 中,我需要将标识元素指定为:
<endpoint ... >
<identity>
<dns value="<Name-Of-Server-Computer>"/>
</identity>
</endpoint>
如果删除标识元素,当我尝试连接到服务器时,我会在客户端中收到以下错误消息:
传出消息的身份检查失败。远程端点的预期 DNS 身份是“localhost”,但远程端点提供的 DNS 声明是“服务器计算机名称”。如果这是合法的远程端点,您可以通过在创建通道代理时显式指定 DNS 标识“Name-Of-Server-Computer”作为 EndpointAddress 的 Identity 属性来解决该问题。
所以这是我的问题:
身份检查是否仅在使用测试/自签名证书时进行?当我使用从 CA 购买的真实可信证书部署应用程序时,是否仍会进行身份检查?
身份检查有办法禁用身份检查吗?我知道我可以创建自己的自定义证书验证器,但似乎没有办法使用它们来覆盖身份检查。
I'm creating a WCF application where I'll be using certificates to encrypt the communication between the client and server. In my development environment, I want to use a test certificate / self signed certificate which I've created using makecert. (Only the server will have a certificate, the client won't).
I've installed the certificate into a certificate store, and everything is working fine. On the client, certificateValidationMode is currently set to "false", since I'm working with a test certificate.
My problem:
In the app.config on the client, I need to specify the identity element as this:
<endpoint ... >
<identity>
<dns value="<Name-Of-Server-Computer>"/>
</identity>
</endpoint>
If I remove the identity element, I get the following error message in the client when I try to connect to the server:
Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'localhost' but the remote endpoint provided DNS claim 'Name-Of-Server-Computer'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'Name-Of-Server-Computer' as the Identity property of EndpointAddress when creating channel proxy.
So here's my questions:
Is the identity check only done when using a test/self-signed certificate? When I deploy my application using a real, trusted, certificate purchased from a CA, will the identity check still be made?
Is there a way to disable the identity check? I know I can create my own custom certificate validator, but there doesn't seem to be a way to override the identity check using these.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
这个问题的答案就在错误消息本身中。在客户端上,您可以执行以下操作:
将“服务器”替换为预期的内容。通常,这将是您的自签名证书的通用名称 (CN)。
这样做不会破坏安全性,前提是您承担所有责任确保所提供的证书有效,即创建自定义证书验证器并在那里进行相关检查。
The answer to this question is in the error message itself. On the client you can do:
Replace "Server", by whatever is expected. Typically this would be the common name (CN) of your self-signed certificate.
Doing so will not ruin security, provided you take all responsibility for making sure, that the presented certificate is valid, that is create your custom certificate validator and make relevant checks there.
检查总是会进行——而且应该如此。基本上,WCF 将检查证书是否颁发给服务所在的域名 (yourcompany.com) 或计算机名称。这是我永远不会禁用的安全检查!否则,任何欺骗您服务的人都可以使用针对任意域名/计算机名称的任何证书并获取您的流量 - 这不是您想要的!
因此,您需要确保生产服务器上的真实证书确实颁发给生产服务器所属的域名,例如,如果您的生产服务器将位于“production.yourcompany.com”中,证书需要颁发给该域。
马克
The check is done always - and should be. Basically, WCF will check that the certificate is issued to the domain name (yourcompany.com) or machine name where your service resides. This is a security check which I'd never disable! Otherwise, anyone spoofing your service could use any certificate made out to an arbitrary domain / machine name and get your traffic - not what you want!
So what you need to make sure is that your real certificate on the production server is indeed issued to that domain name that the production server will be part of, e.g. if your production server is going to be in "production.yourcompany.com", the certificate needs to be made out to that domain.
Marc
certificateValidationMode 应设置为“无”,而不是“假”...
certificateValidationMode should be set to "None", not "false"...