WCF net.tcp 传输安全 - 如何在客户端上禁用服务器证书验证
我正在使用 WCF 进行一些测试,我们目前有以下服务器设置(简化的配置):
<netTcpBinding>
<binding name="netTcp" ... >
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</netTcpBinding>
...
<serviceBehaviors>
<behavior name="defaultServiceBehavior">
<serviceCredentials>
<serviceCertificate
findValue="OurCert"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName"/>
</serviceCredentials>
</behaviour>
</serviceBehaviors>
以及以下客户端配置:
<endpointBehaviors>
<behavior name="NoRevNoValid">
<clientCredentials>
<serviceCertificate>
<authentication certificateValidationMode="None"
revocationMode="NoCheck"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
因此,想法是服务器证书用于加密数据,但客户端不会打扰验证证书(客户端无论如何都不会拥有证书的 CA)。
但是,此配置不会阻止客户端验证证书。它仍然尝试遍历信任链并寻找撤销列表。
我发现此链接指出certificateValidationMode属性不适用于 net.tcp 绑定。
我已经研究过处理 ServicePointManager.ServerCertificateValidationCallback 事件,但再次看来这仅适用于基于 Http 的绑定。
据推测,这些都是因为在使用 net.tcp 绑定时,传输安全性的处理超出了应用程序的范围?
还有其他方法可以强制不进行证书验证吗?
I'm doing some testing with WCF and we currently have the following Server setup (simplified config):
<netTcpBinding>
<binding name="netTcp" ... >
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</netTcpBinding>
...
<serviceBehaviors>
<behavior name="defaultServiceBehavior">
<serviceCredentials>
<serviceCertificate
findValue="OurCert"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName"/>
</serviceCredentials>
</behaviour>
</serviceBehaviors>
And the following Client config:
<endpointBehaviors>
<behavior name="NoRevNoValid">
<clientCredentials>
<serviceCertificate>
<authentication certificateValidationMode="None"
revocationMode="NoCheck"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
So, the idea is that the server certificate is used to encrypt the data, but that the Client does not bother to validate the certificate (the client won't have the CA for the certificate anyway).
However, this configuration does not stop the client from validating the certificate. It still tries to walk the chain of trust and look for revocation lists.
I have found this link stating that the certificateValidationMode attribute does NOT apply to net.tcp bindings.
I have looked at handling the ServicePointManager.ServerCertificateValidationCallback event, but again it appears that this only applies to Http-based bindings.
Presumably these are both because when using the net.tcp binding, the transport security is handled out of scope of the application?
Is there any other way of forcing validation of the certificate to not take place?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
经过大量测试后,声明“certificateValidationMode”属性不适用于 net.tcp 绑定的链接似乎是错误的!
此选项仍然适用于 net.tcp 绑定。
但是,用于 net.tcp 传输安全的证书仍会加载,并且仍会尝试解析其 CA 和 CRL。我使用的证书包含 CRL 和 CA 的 URL,因此证书存储每次都会解析这些 URL(URL 不可用),即使 WCF 配置随后表示忽略证书是否无效。
所以答案是 WCF 配置的certificateValidationMode 仍然适用,只是证书仍将由证书存储“解析”。对于大多数人来说这不应该是一个大问题,但我将针对证书所具有的 URL 进行一些进一步的测试,因为这些 URL 在连接过程中会导致我们出现严重的延迟问题。
After much testing, it appears that the link stating that the certificateValidationMode attribute does NOT apply to net.tcp bindings is WRONG!
This option still applies to net.tcp bindings.
However, the certificate used for the net.tcp transport security is still loaded and it's CAs and CRLs are still attempted to be resolved. The certificate I was using contained URLs for both CRL and CAs so the cert store was going off to resolve these each time (the URLs were unavailable) even though the WCF config was then saying to ignore whether the certificate was invalid.
So the answer is that the WCF config certificateValidationMode does still apply, its just that the certificate will still be "resolved" by the cert store. This should not be a huge issue for most people, but I am going to do some further tests regarding the URLs that the certificate has because these are causing us major latency issues during connection.
在我的例子中,使用 CertificateValidator = X509CertificateValidator.None 会有所帮助:
非工作代码:
X.509 证书 CN=cn.name.com 链构建失败。使用的证书具有无法验证的信任链。更换证书或更改certificateValidationMode。证书链已处理,但以不受信任的根证书终止。
工作代码:
In my case using a CertificateValidator = X509CertificateValidator.None helps:
Non-working code:
The X.509 certificate CN=cn.name.com chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust.
working code: