忽略 ASP.NET Core 3.1 中的 WCF 证书错误

Question

I have a solution like this:

-MySolution
|--MyWCFWrapper
|--MyaspnetcoreWebApp
|--ConsoleTestApp

MyWCFWrapper is a .NET Standard library consumes the WCF service added as a WCF reference using the Visual Studio import wizard.

The Myas.netcoreWebApp application provides controllers for a front end to consume. In this controller, I am instantiating and making calls to MyWCFWrapper library.

The ConsoleTestApp is a console application that also makes calls to MyWCFWrapper library for testing.

I get an error:

System.ServiceModel.Security.SecurityNegotiationException: 'Could not establish trust relationship for the SSL/TLS secure channel with authority 'exampleabc.com'

when I make WCF service calls.

The reason for this error is my WCF service at exampleablc.com is a test server and has a self signed certificate (name different to the webservice) and is also expired .

Workaround that works in ConsoleTestApp:

System.Net.ServicePointManager.ServerCertificateValidationCallback +=
    (se, cert, chain, sslerror) =>
    {
        return true;
    };
MyWCFWrapperClass api = new MyWCFWrapperClass(..);
api.SendNewInfo("NewInfo");

This is not recommended , but this is ok for me for now because it's a test server.

The same workaround does not work in the Myas.netcoreWebApp controller. What I have tried to make it work:.

• In Startup.cs

public void ConfigureServices(IServiceCollection services)
{
    services.AddHttpClient("SeitaCertificate").ConfigurePrimaryHttpMessageHandler(() =>
    {
        return new HttpClientHandler()
        {
            ServerCertificateCustomValidationCallback = (request, certificate, certificateChain, policy) =>
            {
                return true;
            }
        };
    });
    services.AddControllersWithViews();
    ----
}

• Added the certificate to Trusted Root Certificate Authorities on my local PC. This fails probably because the certificate has expired.

The certificate error is raised in the WCF call library and I have not been able to find a way to ignore the cert error. What I can do is at least have the certificate updated so that it is not expired. (I have started this process and it is likely to take some time)

I would like to learn a way how to capture and ignore these certificate errors selectively and appropriately for calling a WCF library in a asp .net core 3.1 web application. How can I do that?

Answer 1

You can refer to the following code to bypass certificate verification:

            BasicHttpsBinding binding = new BasicHttpsBinding();
            binding.Security.Mode = BasicHttpsSecurityMode.Transport;
            binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
            ChannelFactory<IService> factory = new ChannelFactory<IService>(binding, new EndpointAddress(uri));

            factory.Credentials.ServiceCertificate.SslCertificateAuthentication = new System.ServiceModel.Security.X509ServiceCertificateAuthentication()
            {
                CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None,
                RevocationMode = System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck
            };

Answer 2

You can resolve this issue by overriding the certificate validation method X509CertificateValidator

class Program
{
    static void Main(string[] args)
    {
        var client = new YourServiceReference.Cient();

        // Bypass certificate verification
        client.ClientCredentials.ServiceCertificate.SslCertificateAuthentication = new X509ServiceCertificateAuthentication
        {
            CertificateValidationMode = X509CertificateValidationMode.Custom,
            CustomCertificateValidator = new CustomCertificateValidator()
        };

        // --------
    }

    internal class CustomCertificateValidator : X509CertificateValidator
    {
        // Override certificate validation
        public override void Validate(X509Certificate2 certificate) { }
    }
}