Trying to communicate with some SOAP service via https. The service has a certificate. Everything works ok if I install this certificate into the local store or write its encoded content in config as
<certificate encodedValue="CCBF......"/>
But I don't want to have a hard reference in the client to the service certificate data, because it will expire soon and will be changed. I want to accept the service certificate by CN or some way like that.
According to MSDN, the client.endpoint.identity.dns value can be used in such a case. So if dns.value == CN in the service certificate, then the connection should be OK.
But it doesn't.
When I open the connection, I get an exception:
client.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.Sign;
client.Open();
Additional information: The service certificate is not provided for target ' https://sss.myhost.com '. Specify a service certificate in ClientCredentials.
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <binding>
          <security authenticationMode="MutualCertificate"
                    enableUnsecuredResponse="true"
                    messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
            <secureConversationBootstrap />
          </security>
          <textMessageEncoding messageVersion="Soap11" />
          <httpsTransport />
        </binding>
      </customBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior>
          <clientCredentials>
            <clientCertificate findValue="Foo" storeName="My" storeLocation="CurrentUser" x509FindType="FindByIssuerName"/>
            <serviceCertificate>
              <!--<defaultCertificate storeLocation="LocalMachine" x509FindType="FindByIssuerName" storeName="Root" findValue="MyIssuerName" />-->
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint address="https://sss.myhost.com"
                binding="customBinding"
                contract="RS.InstanceManagerPortType" name="InstanceManagerPort">
        <identity>
          <!--<certificate encodedValue="CCBF......"/>-->
          <dns value="*.myhost.com"/>
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
I believe you'll have to implement your own certificate validation.
<behavior name="credentialConfiguration">
  <clientCredentials>
    <serviceCertificate>
      <authentication
          certificateValidationMode="Custom"
          customCertificateValidatorType="YOUR VALIDATOR"/>
    </serviceCertificate>
  </clientCredentials>
</behavior>
where YOUR VALIDATOR is the assembly-qualified type name of a class that implements X509CertificateValidator. There you have full freedom to validate whatever you want - CN, thumbprint, etc.
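As an added illustration (not code from the answer above), here is what such a validator can look like in C#; because certificateValidationMode="Custom" replaces WCF's built-in check entirely, it still builds and verifies the chain before comparing the subject CN. The namespace MyClient.Security, the class name and the expected CN sss.myhost.com (taken from the question's endpoint) are assumptions.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Assumed namespace/class name; reference it from config as
// customCertificateValidatorType="MyClient.Security.CnCertificateValidator, MyClient"
namespace MyClient.Security
{
    public sealed class CnCertificateValidator : X509CertificateValidator
    {
        // Expected subject CN (assumed from the question's endpoint);
        // a real client would read this from configuration.
        private const string ExpectedCn = "sss.myhost.com";

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException(nameof(certificate));

            // 1. Keep chain validation: a matching CN alone does not prove the
            //    certificate was issued by a CA you trust or is still valid.
            using (var chain = new X509Chain())
            {
                chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
                chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
                if (!chain.Build(certificate))
                {
                    string reasons = string.Join("; ",
                        chain.ChainStatus.Select(s => s.StatusInformation.Trim()));
                    throw new SecurityTokenValidationException(
                        "Service certificate chain is not trusted: " + reasons);
                }
            }

            // 2. Compare only the subject CN, not the whole Subject string, so a
            //    renewed certificate with the same CN is accepted without a config change.
            string cn = certificate.GetNameInfo(X509NameType.SimpleName, forIssuer: false);
            if (!string.Equals(cn, ExpectedCn, StringComparison.OrdinalIgnoreCase))
            {
                throw new SecurityTokenValidationException(
                    $"Service certificate CN '{cn}' does not match expected '{ExpectedCn}'.");
            }
        }
    }
}
```

Note that a plain string compare will not honour a wildcard such as the *.myhost.com used in the question's dns identity; pin the concrete host name you expect in the CN instead.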