SSL 服务器证书是否存在 WCF 的一个名称?
我有一个带有 TCP 绑定的自托管 WCF 服务,现在尝试在 SSL 上分层。
我从 CA 获得的证书有两个“主题备用名称”值:
www.mysite.com
mysite.com
我只想向 WCF 客户端提供“mysite.com”,不知何故这个 www.mysite.com (CA 添加了它,我没有要求 www .mysite.com)。
我正在服务器端使用以下代码。我需要进行哪些调整才能“隐藏” www.mysite.com 地址?
svc.Credentials.ServiceCertificate.SetCertificate(
StoreLocation.CurrentUser , StoreName.My , X509FindType.FindBySubjectName , "mysite.com" );
所以现在当客户端连接时,我得到
“传出消息的身份检查失败。远程端点的预期 DNS 身份为“mysite.com”,但远程端点提供的 DNS 声明为“www.mysite.com”。如果这是合法的远程端点,您可以通过在创建通道代理时显式指定 DNS 身份“www.mysite.com”作为 EndpointAddress 的 Identity 属性来解决该问题”
我不希望客户端了解有关 www.mysite.com 的任何信息。我只希望他们使用服务器提供的内容,并且我希望服务器仅提供 mysite.com。
I have a self-hosted WCF service with TCP binding, now trying to layer on SSL.
The cert I got from the CA has two values for "Subject Alternative Name":
www.mysite.com
mysite.com
I only want to present "mysite.com" to WCF clients, somehow this www.mysite.com (which the CA added, I did not ask for www.mysite.com).
I am using the below code server-side. What do I have to tweak to "hide" the www.mysite.com address?
svc.Credentials.ServiceCertificate.SetCertificate(
StoreLocation.CurrentUser , StoreName.My , X509FindType.FindBySubjectName , "mysite.com" );
So right now when the client connects, I get
"Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'mysite.com' but the remote endpoint provided DNS claim 'www.mysite.com'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'www.mysite.com' as the Identity property of EndpointAddress when creating channel proxy. "
I don't want the client to know anything about www.mysite.com. I only want them to use what the serve presents, and I want the sever to only present mysite.com.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
为什么要隐藏它?具有 SAN 替代方案的证书意味着它对于所有这些 FQDN 都有价值,因此它可以在 www.mysite.com 和 mysite.com 上运行。
此外,从您对 SetCertificate 的调用来看,证书的使用者名称就是您想要的 mysite.com,这就是首先检查的内容。
错误消息的全文采用以下形式
现在,这与证书无关,而是与配置 IIS 的主机有关,或者在自托管的情况下与配置 Windows 的主机/计算机有关。您可以通过为 端点添加新的配置设置来覆盖 WCF 将使用的主机< /a>;
或在创建端点时在代码中设置它。
Why do you want to hide it? A certificate with SAN alternatives means it is value for all of those FQDNs, so it will work on both www.mysite.com and mysite.com.
Additionally from the looks of your call to SetCertificate the subject name of the certificate is what you want, mysite.com and that's what's checked first.
The full text of the error message comes in the form of
Now this has nothing to do with the certificate, but the host that IIS is configured for, or, in the case of self hosting, the host/machine Windows is configured to be. You can override the host that WCF will use by adding a new configuration setting for the endpoint;
or setting it in code when you create the endpoint.