WCF + client authentication via certificate
I'm running a WCF service which should only accept clients which are able to authenticate themselves by an SSL client certificate. As security mode I'm using transport security. It is required that the authentication process is done by PeerTrust. Unfortunately transport security is not compatible with PeerTrust - this means that ChainTrust is always the preferred method. In this case every client is trusted which has a certificate signed by a CA which is stored in my "Trusted CA Store". That is not the behaviour that I need.
I've tried to fix this through a custom certificate validator. This seems to work. I get a callback with the certificate, and I can probably verify whether I trust the certificate or not.
My problem is that I'm not sure about the state when the certificate is provided to the "Validate" method within the custom validator. SSL usually checks, by providing a client cert, if the client has the corresponding private key. In other words, my problem is that I'm not sure if the client I'm talking to is the client that I think he is.
<serviceBehaviors>
  <behavior name="sslbehaviour">
    <serviceMetadata httpsGetEnabled="true" />
    <serviceDebug includeExceptionDetailInFaults="true"/>
    <serviceThrottling maxConcurrentSessions="2000000000" maxConcurrentCalls="2000000000" maxConcurrentInstances="2000000000"/>
    <serviceCredentials>
      <clientCertificate>
        <authentication certificateValidationMode="Custom" customCertificateValidatorType="Package.MyX509CertificateValidator, server"/>
      </clientCertificate>
    </serviceCredentials>
  </behavior>
</serviceBehaviors>
Other approaches to get a PeerTrust client validation are welcome as well.
Kind regards,
Michael
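One way to implement the Package.MyX509CertificateValidator referenced in the configuration above with PeerTrust semantics, as an added example that is not the poster's code: it assumes the trusted client certificates have been installed in the LocalMachine TrustedPeople store (the store PeerTrust itself consults) and accepts a client only if its exact leaf certificate is found there, whatever CA signed it.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

namespace Package
{
    // Custom validator with PeerTrust semantics for transport security:
    // accept a client only if its exact certificate is present in the
    // LocalMachine TrustedPeople store, regardless of the signing CA.
    public class MyX509CertificateValidator : X509CertificateValidator
    {
        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            // Under transport security this certificate is the one the TLS
            // handshake already accepted, so the peer has already proven it
            // holds the matching private key; only the trust decision is left.
            DateTime now = DateTime.Now;
            if (now < certificate.NotBefore || now > certificate.NotAfter)
                throw new SecurityTokenValidationException(
                    "Client certificate is outside its validity period.");

            if (!IsTrustedPeer(certificate))
                throw new SecurityTokenValidationException(
                    "Client certificate " + certificate.Thumbprint +
                    " is not in the TrustedPeople store.");
        }

        // Look the leaf certificate up by thumbprint; validOnly=false so the
        // match does not depend on chain building, which is the whole point.
        private static bool IsTrustedPeer(X509Certificate2 certificate)
        {
            X509Store store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
            try
            {
                store.Open(OpenFlags.ReadOnly);
                X509Certificate2Collection matches = store.Certificates.Find(
                    X509FindType.FindByThumbprint, certificate.Thumbprint, false);
                return matches.Count > 0;
            }
            finally
            {
                store.Close();
            }
        }
    }
}
```

The service account needs read access to the LocalMachine TrustedPeople store for the lookup to succeed; a missing or unreadable store makes every client fail closed.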