限制除 TLS 1.2 服务器端 WCF 之外的任何内容
[英]Restrict anything but TLS 1.2 serverside WCF
问题描述
I have a simple question but can't find an answer anywhere.
我有一个简单的问题,但在任何地方都找不到答案。 I have a WCF-Server-Application.我有一个 WCF 服务器应用程序。 I want it to use ONLY TLS1.2.我希望它只使用 TLS1.2。
I have no control over the client and am not able to edit the SCHANNEL settings on the machine.我无法控制客户端,也无法编辑机器上的 SCHANNEL 设置。
I did already try the following which seems to work only for outgoing connections (clientside)我已经尝试过以下似乎仅适用于传出连接(客户端)的方法
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
Is there any way to restrict anything but TLS 1.2 serverside per code?除了每个代码的 TLS 1.2 服务器端之外,还有什么方法可以限制任何东西吗?
EDIT: I am using a net.tcp binding and create bindings like that:编辑:我正在使用 net.tcp 绑定并创建这样的绑定:
private static Binding CreateNetTcpBinding()
{
return new NetTcpBinding
{
ReceiveTimeout = TimeSpan.FromMinutes(10),
ReliableSession =
{
Enabled = true,
InactivityTimeout = TimeSpan.FromMinutes(1)
},
Security =
{
Mode = SecurityMode.Transport,
Transport =
{
ClientCredentialType = TcpClientCredentialType.Windows,
ProtectionLevel = ProtectionLevel.EncryptAndSign,
SslProtocols = SslProtocols.Tls12
},
Message =
{
AlgorithmSuite = SecurityAlgorithmSuite.xxx,
ClientCredentialType = MessageCredentialType.Windows
}
}
};
}
If someone could tell me where to check the TLS-Version of the current connection (some context) that would also be enough!如果有人能告诉我在哪里检查当前连接的 TLS 版本(某些上下文),那就足够了!
Thank you in advance!先感谢您!
2 个解决方案
解决方案1
1 2017-04-18 01:24:26
There are indeed a few properties in the ServicePointManager beside SecurityProtocol which are checked during the authentication step, but they are all internal .在SecurityProtocol旁边的ServicePointManager中确实有一些属性在身份验证步骤中检查,但它们都是internal 。 There also seem to be no visible backdoor to override the entire implementation of the SslStream or TcpTransportSecurity which are implementing the skeleton of the Transport Security for the NetTcpBinding either.似乎也没有可见的后门来覆盖SslStream或TcpTransportSecurity的整个实现,它们正在实现NetTcpBinding的传输安全框架。
public partial class ServicePointManager {
...
internal static bool DisableStrongCrypto
internal static bool DisableSystemDefaultTlsVersions
internal static SslProtocols DefaultSslProtocols
...
}
If you have write permission for server machine registry, check out what @JohnLouros described very well one year ago in his posts on how to disable weak protocols and how to enable strong cryptography .如果您拥有服务器机器注册表的写入权限,请查看 @JohnLouros 一年前在他关于如何禁用弱协议和如何启用强密码学的帖子中很好地描述的内容。
Here is another good answer from @MattSmith describing how authentication for the NetTcpBinding is handled by the operating system itself behind the scenes.这是来自@MattSmith 的另一个很好的答案,描述了操作系统本身如何在幕后处理NetTcpBinding的身份验证。
解决方案2
0 2017-03-28 11:15:33
did you trying to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in IIS? 你试图在IIS中禁用PCT 1.0,SSL 2.0,SSL 3.0或TLS 1.0吗? you can follow this: How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services 您可以按照: 如何在Internet信息服务中禁用PCT 1.0,SSL 2.0,SSL 3.0或TLS 1.0
解决方案3
-1 2017-03-24 13:57:40
Did you try to use ServicePointManager.ServerCertificateValidationCallback .This callback gives you an opportunity to validate Server Certificate by yourself.For example something like this:您是否尝试使用ServicePointManager.ServerCertificateValidationCallback 。此回调使您有机会自己验证服务器证书。例如,如下所示:
ServicePointManager.ServerCertificateValidationCallback = MyCertHandler;
...
static bool MyCertHandler(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors error)
{
//Your logic here for certificate validation
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.