[英]How to force WCF client to send client certificate?
I'm trying to access a publicly-hosted SOAP web service (not WCF) over https, and I'm getting an error that I've never seen before. 我试图通过https访问公开托管的SOAP Web服务(而不是WCF),我收到的错误是我以前从未见过的。 First, here are the facts:
首先,这是事实:
Now, the exception: 现在,例外:
Error occurred while executing test 12302: System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority 'ihexds.nist.gov:9085'. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
I've traced the interaction with WireShark, but because I'm not an expert in the TLS protocol, I could be missing clues as to what's going on. 我跟踪了与WireShark的交互,但由于我不是TLS协议的专家,我可能会错过关于发生了什么的线索。 Here, however, is what I do see:
然而,在这里,我看到的是:
My binding is set up as follows: 我的绑定设置如下:
<binding name="https_binding">
<textMessageEncoding />
<httpsTransport useDefaultWebProxy="false" />
</binding>
My behavior is set up as follows: 我的行为设置如下:
<behavior name="clientcred">
<clientCredentials>
<clientCertificate findValue="69b6fbbc615a20dc272a79caa201fe3f505664c3" storeLocation="CurrentUser" storeName="My" x509FindType="FindByThumbprint" />
<serviceCertificate>
<authentication certificateValidationMode="None" revocationMode="NoCheck" />
</serviceCertificate>
</clientCredentials>
<messageInspector />
</behavior>
My endpoint is set up to use both the binding and the behavior. 我的端点设置为同时使用绑定和行为。 Why does WCF refuse to send the certificate when it creates the https connection?
为什么WCF在创建https连接时拒绝发送证书?
I solved the problem, but I do not understand why this configuration change fixed it. 我解决了这个问题,但我不明白为什么这个配置改变了它。 I changed this line:
我更改了这一行:
<httpsTransport useDefaultWebProxy="false" />
to this: 对此:
<httpsTransport useDefaultWebProxy="false" requireClientCertificate="true" />
and magically it started working. 并且神奇地开始工作了。 I had understood that the
requireClientCertificate
"knob" was for server-side, so I hadn't tried it during my wrangling. 我已经明白
requireClientCertificate
“knob”是服务器端的,所以我在争吵时没有尝试过。 Apparently I was wrong. 显然我错了。
There should have been a CertificateRequest from the server, naming acceptable cert types and CAs. 应该有来自服务器的CertificateRequest,命名可接受的证书类型和CA. If your certificate doesn't match those it won't be sent.
如果您的证书与那些证书不匹配,则不会发送。
It could be a problem negotiating which security protocol to use. 协商使用哪种安全协议可能是一个问题。 Specifically im thinking that the server might not like WCF trying to use TLS 1.0.
特别是我认为服务器可能不喜欢WCF尝试使用TLS 1.0。
To see if this is the case try to add the following before invoking the service 要查看是否是这种情况,请尝试在调用服务之前添加以下内容
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Ssl3
This could be added either in client code or by placing it in an IEndpointBehavior 这可以在客户端代码中添加,也可以将其放在IEndpointBehavior中
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.