
How can I use a self-signed client certificate in a WCF call with transport security?

I have a WCF service (authored in-house) using a WS-HTTP binding and transport security (SSL). We are authenticating callers with client certificates and a whitelist of acceptable certificates (certs are provided to us out-of-band). So we're using a custom validator (e.g. a class deriving from System.IdentityModel.Selectors.X509CertificateValidator) to do a database query to check the whitelist.

It works in the following case: We have a root certificate used in development, issued by the development team (using OpenSSL). This root is trusted (e.g. installed in the Trusted Third-Party CA cert store) on the server hosting our WCF service. The test client is configured to present a certificate signed by this root. This case behaves as expected.

It does not work in the following case: The client presents a self-signed certificate to the service. In this case the client receives the error message "The HTTP request was forbidden with client authentication scheme 'Anonymous'", and -- here's the odd part -- the service's certificate validator doesn't even run. We don't get any chance to give the thumbs-up. The client cert is rejected by a layer lower than our validator.

How can I use a self-signed client certificate with my service?

You can't. In WCF, WS-HTTP transport security is SSL. My error results from a failure in the SSL negotiation between the parties.

The normal case of this negotiation is as follows: The service sends the client a list of root certificates that it trusts. The client examines this list, finds a certificate that the server will find trustworthy, and sends it.

In my error case, the client is examining the server's list and determining that its cert will not be trusted. At this point the client will normally attempt to negotiate down to anonymous access, which is forbidden in my case, so the negotiation fails.

WCF does not support self-signed client certificates, or certs issued by an untrusted CA, in WS-HTTP binding + transport security scenarios, even if you use custom validation mode. It does support this scenario in message security. I suspect that Net.TCP supports this scenario, but haven't tested that.
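As an added example (not code from the question or the answer above), here is the whitelist validator the question describes, wired up under message security, which the answer names as the mode that does let a self-signed client cert reach the validator. The in-memory thumbprint whitelist (the question uses a database query), the `Configure` helper and the placeholder service-certificate thumbprint are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Accepts a client certificate only if its thumbprint is on an explicit whitelist.
// Assumption: the whitelist is an in-memory set here; the question's service loads it
// from a database. No chain is built, so a self-signed cert can pass.
public class WhitelistCertificateValidator : X509CertificateValidator
{
    private readonly HashSet<string> _allowed;

    public WhitelistCertificateValidator(IEnumerable<string> thumbprints)
    {
        _allowed = new HashSet<string>(thumbprints, StringComparer.OrdinalIgnoreCase);
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null) throw new ArgumentNullException("certificate");
        // Match the exact certificate handed over out-of-band, never its subject name:
        // anyone can mint a self-signed cert carrying any subject.
        if (!_allowed.Contains(certificate.Thumbprint))
            throw new SecurityTokenValidationException(
                "Client certificate not on whitelist: " + certificate.Thumbprint);
        // Whitelisting skips chain checks, so enforce the validity window explicitly.
        var now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException("Client certificate outside validity period.");
    }
}

public static class HostSetup
{
    // Message security: the client cert travels inside the SOAP message, so it is handed
    // to the validator instead of being rejected during the SSL handshake.
    public static void Configure(ServiceHost host, Type contract, IEnumerable<string> allowedThumbprints)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        host.AddServiceEndpoint(contract, binding, "");
        // Message security needs a service certificate as well (placeholder thumbprint).
        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
            StoreName.My, X509FindType.FindByThumbprint, "SERVICE_CERT_THUMBPRINT_PLACEHOLDER");
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new WhitelistCertificateValidator(allowedThumbprints);
    }
}
```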
