堆栈内存溢出
  简体   繁体   English

WCF WF服务,无法通过授权为SSL / TLS建立安全通道

[英]WCF WF Service, Could not establish secure channel for SSL/TLS with authority

 原文  2017-09-18 09:40:45       c#/ wcf/ ssl/ workflow-foundation

问题描述

I keep getting the same error when trying to access my WCF WF Service: "Could not establish secure channel for SSL/TLS with authority." 尝试访问WCF WF服务时,我始终收到相同的错误:“无法使用授权建立SSL / TLS的安全通道。”

I have tried a bunch of stackoverflow/google solutions but no luck so far. 我已经尝试了很多stackoverflow / google解决方案,但到目前为止还没有运气。

I've made a WCF WF Service that connects to a thirdparty that uses a certificate to verify. 我已经制作了WCF WF服务,该服务连接到使用证书进行验证的第三方。 My Web.config looks like this: 我的Web.config看起来像这样: 

<?xml version="1.0"?>
<configuration>
<appSettings>
  <add key="aspnet:UseTaskFriendlySynchronizationContext" value="true"/>
</appSettings>
<system.web>
  <compilation debug="true" strict="false" explicit="true" 
                            targetFramework="4.5.1"/>
  <httpRuntime targetFramework="4.5.1"/>
</system.web>
<system.serviceModel>
  <bindings>      
    <basicHttpsBinding>
      <binding name="binding1">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </basicHttpsBinding>
  </bindings>
  <client>
    <!-- Test Endpoint -->
    <endpoint address="https://example.com" 
              behaviorConfiguration="endpointBehavior" 
              binding="basicHttpsBinding" 
              bindingConfiguration="binding1" 
              contract="ContractPortType" 
              name="Port">
    </endpoint>
  </client>
  <behaviors>
    <serviceBehaviors>
      <behavior>
        <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
        <serviceDebug includeExceptionDetailInFaults="true"/>        
      </behavior>
    </serviceBehaviors>
    <endpointBehaviors>
      <behavior name="endpointBehavior">
        <clientCredentials>          
          <clientCertificate findValue="SOMETHUMBPRINT" 
                              storeLocation="LocalMachine" 
                              storeName="My" 
                              x509FindType="FindByThumbprint" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <protocolMapping>
    <add binding="basicHttpsBinding" scheme="https"/>
  </protocolMapping>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true" 
                             multipleSiteBindingsEnabled="true" 
                             minFreeMemoryPercentageToActivateService="1"/>
</system.serviceModel>
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>

The client is just a simple console running this: 客户端只是运行此命令的简单控制台: 

using (var client = new ServiceClient())
{
     System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
     var msg = client.GetData();
     Console.WriteLine(msg);
 }

That has the following App.config: 具有以下App.config: 

    <?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />
  </startup>
  <system.serviceModel>
    <bindings>     
      <basicHttpBinding>
        <binding name="BasicHttpBinding_IService"/>
      </basicHttpBinding>
    </bindings>

    <client>
      <endpoint address="http://localhost:55670/GetData.xamlx"
        binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IService"
        contract="Reference.IService" name="BasicHttpBinding_IService" behaviorConfiguration="endpointBehavior" />
    </client>

    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="true"/>
        </behavior>
      </serviceBehaviors>
      <endpointBehaviors>
        <behavior name="endpointBehavior">
          <clientCredentials>
            <clientCertificate findValue="SOMETHUMBPRINT"
                               storeLocation="LocalMachine"
                               storeName="My"
                               x509FindType="FindByThumbprint" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

It would be great if somebody could help me out. 如果有人可以帮助我,那就太好了。

EDIT: So the thing that I can't seem to get working is the SSL connection needed between my WCF WF serivce and the thirdparty service. 编辑:所以我似乎无法正常工作的是WCF WF服务和第三方服务之间所需的SSL连接。 When I directly call the thirdparty service from a client then I can set the System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; 当我直接从客户端调用第三方服务时,可以设置System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; but I can't find a way to do the same for my WCF WF service. 但是我找不到对WCF WF服务执行相同操作的方法。

EDIT: So I can make it work by creating an activity and then calling that activity before I call the thirdparty activity and then it works, but there has to be a better way! 编辑:因此,我可以通过创建活动然后在调用第三方活动之前调用该活动来使其工作,然后它起作用,但是必须有更好的方法! 

public sealed class SetTlsVersion : CodeActivity
{
    protected override void Execute(CodeActivityContext context)
    {
        System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
    }
}

2 个解决方案

解决方案1
 5  2017-09-18 14:25:57

I ran into a similar issue earlier this year and it turns out that some SSL certificates utilize TLS 1.2. 我在今年早些时候遇到了类似的问题,事实证明某些SSL证书使用TLS 1.2。

.NET 4.5 defaults the TLS version to v1.1. .NET 4.5将TLS版本默认为v1.1。 This can be changed in your code by the following snippet: 可以通过以下代码段在您的代码中对此进行更改: 

using System.Net;
// ...
// In your application startup flow, set the security protocol to TLS 1.2.
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

The above should be invoked at application startup time ideally. 理想情况下,应在应用程序启动时调用以上内容。 After that, I think you'll be good to go. 在那之后,我认为您会很好。

Side note: .NET 4.0 targeted applications will need a slightly different trick to set the TLS version: 旁注:面向.NET 4.0的应用程序将需要稍微不同的技巧来设置TLS版本: 

ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;

And in .NET 3.5 and lower , TLS 1.2 is not even supported unfortunately. 在.NET 3.5及更低版本中 ,不幸的是,甚至不支持TLS 1.2。 But in your case it looks like your targeting .NET 4.5 so your good to go on this front. 但是对于您而言,它看起来像是针对.NET 4.5的目标,因此在此方面挺好的。

EDIT : I noticed in your client code snippet that you bit-wise OR'd the TLS versions, which is incorrect. 编辑 :我在您的客户端代码片段中注意到您按位或TLS版本,这是不正确的。 It should be a single value, SecurityProtocolType.Tls12 in this case. 在这种情况下,它应该是单个值SecurityProtocolType.Tls12

I'm assuming the underlying .NET Framework networking code was only using SecurityProtocolType.Tls in the end, which doesn't match what the SSL / TLS certificate supports. 我假设底层的.NET Framework网络代码最后只使用了SecurityProtocolType.Tls ,它与SSL / TLS证书所支持的不匹配。

Hopefully that helps. 希望有帮助。

解决方案2
 0 已采纳  2017-09-21 14:18:23

Well the only way that I was able to do this sort of nice was with a HttpModule (thanks ajawad987 for the tip). 好吧,我能够做到这一点的唯一方法是使用HttpModule(感谢ajawad987作为提示)。 I'm still convinced that this could (or should) be done in the Web.config only. 我仍然坚信只能(或应该)在Web.config中完成此操作。 

public class InitializerModule : IHttpModule
{
    public void Dispose() { }

    public void Init(HttpApplication context)
    {
        // Sets the TLS version for every request made to an external party
        System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
    }
}

Web.config Web.config 

<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
    <add name="InitializerModule" type="WorkflowService.Helpers.InitializerModule"/>
  </modules>
</system.webServer>

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 通过SSL的WCF服务无法使用授权&#39;test-service.hostname.com&#39;为SSL / TLS建立安全通道 - WCF Service over SSL Could not establish secure channel for SSL/TLS with authority 'test-service.hostname.com' WCF:无法为具有权限的SSL / TLS安全通道建立信任关系 - WCF: Could not establish trust relationship for the SSL/TLS secure channel with authority 无法使用授权WCF C#WCF Rest Service为ssl / tls建立安全通道 - could not establish secure channel for ssl/tls with authority wcf C# wcf rest service 在特定服务器上调用WCF服务时,“无法通过授权为ssl / tls建立安全通道” - “could not establish secure channel for ssl/tls with authority” when calling WCF service on specific server WCF客户端绑定以访问https服务。 无法为具有权限的SSL / TLS建立安全通道 - WCF client binding to access https service. Could not establish secure channel for SSL/TLS with authority SSL WCF“无法与权限&#39;localhost&#39;建立SSL / TLS安全通道的信任关系 - SSL WCF "Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost' WCF服务在通过Fiddler时有效,但部分失败并显示“无法使用授权建立SSL / TLS的安全通道”错误,而没有 - WCF service works when going through Fiddler, but partially fails with “Could not establish secure channel for SSL/TLS with authority” error without asp.net core 2.0 中的 WCF - 无法为具有权限的 SSL/TLS 安全通道建立信任关系 - WCF in asp.net core 2.0 - Could not establish trust relationship for the SSL/TLS secure channel with authority 错误:无法通过授权为SSL / TLS安全通道建立信任关系 - Error: Could not establish trust relationship for the SSL/TLS secure channel with authority 无法为具有“xxxxx.com”权限的 SSL/TLS 建立安全通道 - Could not establish secure channel for SSL/TLS with authority 'xxxxx.com'
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM