通过对等信任和自签名客户端证书实现 WCF 传输安全
我已经在 WCF 上挣扎了一段时间,但我似乎无法弄清楚。 我有一个启用了 SSL 的自托管 WCF 服务(使用来自自签名根 CA 的签名证书),到目前为止一切顺利。该服务用于企业对企业的通信,因此证书似乎是最好的解决方案。
(我目前正在使用 WS 绑定,但这仅用于开发目的,因为所有绑定方法都支持(据我所知)客户端证书的传输级安全性。)
该服务的一些相关配置位:
<bindings>
<wsHttpBinding>
<binding name="wsHttpBinding">
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<!-- snip -->
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerTrust" trustedStoreLocation="CurrentUser" />
</clientCertificate>
</serviceCredentials>
当我拥有客户端时使用自签名证书,该证书位于运行失败的 WCF 服务的用户的“受信任的人”存储中。当我使用由我自己的根 CA 签名的证书时,即使它不在“受信任的人”存储中,它也可以工作。
我期望我能够使用自签名证书,将它们存储在“受信任的人”存储中,一切都会正常进行。但似乎正在进行一些额外的验证,我是否缺少某些东西?有更好的办法吗?
I'm been struggling with WCF for a while now and I can't seem to figure it out.
I have a self-hosted WCF service with SSL enabled (using a signed certificate from a self-signed root CA), so far so good. The service is for business-to-business communication so certificates seemed to be the best solution.
(I'm using the WS binding at the moment but that's just for development purposes since all binding methods support (as far as I know) transport level security with client certificates.)
Some relevant configuration bits for the service:
<bindings>
<wsHttpBinding>
<binding name="wsHttpBinding">
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<!-- snip -->
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerTrust" trustedStoreLocation="CurrentUser" />
</clientCertificate>
</serviceCredentials>
When I have the client use a self-signed certificate which is in the "trusted people" store of the user running the WCF service it fails. When I use a certificate signed by my own root CA it works even if it's not in the "trusted people" store.
I was expecting that I would be able to use self-signed certificates, store them in the "trusted people" store and things would just work. But there seems to be some extra validation going on, it there something I'm missing? Is there a better way?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我遇到了同样的问题,其中我的自签名客户端证书将被验证,即使它不在“受信任的人”存储中,尽管验证模式为“PeerTrust”。我终于能够通过使用以下服务行为来限制服务仅接受特定的客户端证书:
身份验证元素和证书元素都需要指向正确的存储,在本例中为“本地机器”。
I struggled with the same problem wherein my self-signed client certificate would be validated even though it was not in the "Trusted People" store, despite the validation mode of "PeerTrust". I was finally able to restrict the service to accept only the specific client certificate by using the following service behaviors:
Both the authentication element and the certificate element were required to point to the correct store, in this case "LocalMachine".
是的,传输安全和证书验证是在 WCF 无法控制的较低级别上处理的。因此,所有这些带有自定义验证器等的奇特事物都不适用于传输安全性,仅适用于消息安全性。
要限制客户端访问,同时仍仅使用传输安全性,您需要设置 CTL(证书信任列表)。以下网站应该会给您一些指导。
http://www.leastprivilege.com/CertificateBasedAuthenticationAndWCFTransportSecurity.aspx
http://viisual.net/configuration/IIS7-CTLs.htm
Right, so, transport security and certificate validation is handled at a lower level which WCF has no control over. So all those fancy things with custom validators etc don't work with transport security, only message security.
To restrict access from clients while still using only transport security you need to set up a CTL (Certificate Trust List). The following sites should give you some pointers.
http://www.leastprivilege.com/CertificateBasedAuthenticationAndWCFTransportSecurity.aspx
http://viisual.net/configuration/IIS7-CTLs.htm
我设法使用这些代码行使其工作:
对我来说看起来像 WCF bug。
I managed to make it work using these lines of code:
Looks like WCF bug to me.