受 SSL 保護的 RESTFul WCF 自托管服務
[英]SSL-protected RESTFul WCF Self-hosting service
問題描述
概括
我正在嘗試實現受 SSL 保護的 RESTFul WCF 服務,但出現以下錯誤並且通信失敗。
making the HTTP request to ‘https://123.123.123.123:5000/TestService/PostMsg’. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. on some customers machines.
誰能幫我? 此致
試過的東西:
我已經成功地在沒有 SSL 保護的情況下進行通信。
代碼
服務實施
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.ServiceModel.Web;
namespace TestService
{
class Program
{
static WebServiceHost host;
static void Main()
{
WebHttpBinding binding = new WebHttpBinding();
binding.Security.Mode = WebHttpSecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
binding.Security.Transport.ProxyCredentialType = HttpProxyCredentialType.None;
Uri uri = new Uri("https://localhost:5000/TestService");
host = new WebServiceHost(typeof(TestService));
ServiceEndpoint se = host.AddServiceEndpoint(typeof(ITestService), binding, uri);
var behavior = new WebHttpBehavior();
behavior.FaultExceptionEnabled = false;
behavior.HelpEnabled = true;
behavior.DefaultOutgoingRequestFormat = WebMessageFormat.Json;
behavior.DefaultOutgoingResponseFormat = WebMessageFormat.Json;
se.EndpointBehaviors.Add(behavior);
ServiceDebugBehavior debug = host.Description.Behaviors.Find<ServiceDebugBehavior>();
debug.IncludeExceptionDetailInFaults = true;
ServiceMetadataBehavior metad = new ServiceMetadataBehavior();
metad.HttpGetEnabled = true;
metad.HttpsGetEnabled = true;
host.Description.Behaviors.Add(metad);
var certificate = new X509Certificate2(@"D:\Work\TestService\ServerCert1.pfx", "paswd", X509KeyStorageFlags.UserKeySet);
host.Credentials.ServiceCertificate.Certificate = certificate;
host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
host.Open();
Console.WriteLine(string.Format(null, "URL : {0}", uri.ToString()));
Console.WriteLine("Press <ENTER> to terminate");
Console.ReadLine();
host.Close();
}
}
}
界面
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Web;
namespace TestService
{
[ServiceContract]
interface ITestService
{
[OperationContract]
[WebInvoke(Method = "POST"
, RequestFormat = WebMessageFormat.Json
, UriTemplate = "/PostMsg"
)]
MessageData PostMsg(MessageData msg);
}
[DataContract]
public class MessageData
{
[DataMember]
public string Name { get; set; }
[DataMember]
public int Gender { get; set; }
[DataMember]
public int Age { get; set; }
}
}
using System;
namespace TestService
{
class TestService : ITestService
{
public MessageData PostMsg(MessageData msg)
{
Console.WriteLine(string.Format(null, "Recieved Name: {0}, Gender:{1}, Age:{2}", msg.Name , msg.Gender , msg.Age));
return new MessageData()
{
Name = msg.Name,
Gender = msg.Gender,
Age = msg.Age + 1
};
}
}
}
客戶端實施
using System;
using System.Windows.Forms;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.ServiceModel.Web;
using TestService;
namespace TestClient
{
public partial class Form1 : Form
{
WebChannelFactory<ITestService> cf = null;
ITestService channel = null;
public Form1()
{
InitializeComponent();
}
private void Form1_Load(object sender, EventArgs e)
{
listBox1.HorizontalScrollbar = true;
Uri uri = new Uri("https://123.123.123.123:5000/TestService");
EndpointAddress endpointAddress = new EndpointAddress(uri);
cf = new WebChannelFactory<ITestService>(uri);
WebHttpBinding binding = cf.Endpoint.Binding as WebHttpBinding;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
binding.Security.Mode = WebHttpSecurityMode.Transport;
var behavior = new WebHttpBehavior();
behavior.FaultExceptionEnabled = false;
behavior.HelpEnabled = true;
behavior.DefaultOutgoingRequestFormat = WebMessageFormat.Json;
behavior.DefaultOutgoingResponseFormat = WebMessageFormat.Json;
cf.Endpoint.Behaviors.Add(behavior);
var clientCertificate = new X509Certificate2(@"D:\Work\TestService\ServerCert1.pfx", "pswd", X509KeyStorageFlags.UserKeySet);
cf.Credentials.ClientCertificate.Certificate = clientCertificate;
cf.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
channel = cf.CreateChannel();
}
private void button1_Click(object sender, EventArgs e)
{
MessageData msg = new MessageData()
{
Name = "Taro",
Gender = 1,
Age = 3
};
MessageData rtn = channel.PostMsg(msg);
listBox1.Items.Insert(0, string.Format("Name:{0}, Gender:{1}, Age{2} ", rtn.Name, rtn.Gender, rtn.Age));
}
}
}
用於創建 pfx 文件的腳本。
@echo ----------------------------------------------
@echo Script for creating self certificate
@echo ----------------------------------------------
@set "TOOL_DIR=E:\Windows Kits\10\bin\10.0.18362.0\x86"
@if not exist "%TOOL_DIR%" (
@echo Tools do not exists. %TOOL_DIR%
@goto ERROR_EXIT
)
@set "PATH=%TOOL_DIR%;%PATH%"
@set "WORK_DIR=D:\Work\TestService"
@if not exist %WORK_DIR% (
@echo Work folder does not exist. %WORK_DIR%
@goto ERROR_EXIT
)
cd /d %WORK_DIR%
@openfiles > NUL 2>&1
@if NOT %ERRORLEVEL% EQU 0 (
@echo It is not being executed as an administor.
goto ERROR_EXIT
)
@SET /P ANS="Create a certificate file. Are you sure (Y / N)?"
@if /i %ANS% NEQ y if /i %ANS% NEQ Y goto ERROR_EXIT
del %WORK_DIR%\*.*
@echo;
@echo Create Self-Signed Certificate
makecert -n "CN=ServerCN1" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv ServerCert1.pvk ServerCert1.cer -cy authority -b 11/06/2019 -e 12/31/2019
@echo;
@echo Create Software Publisher Certificate File
cert2spc ServerCert1.cer ServerCert1.spc
@echo;
@echo Create Personal Information Exchange File
pvk2pfx -pvk ServerCert1.pvk -spc ServerCert1.spc -po pswd -pfx ServerCert1.pfx -f
@echo;
:ERROR_EXIT
@SET /P ANS="Finished."
必要的
我不想使用 IIS 因為我認為它有很多設置。 相反,我在“System.Security.Cryptography.X509Certificates”命名空間中使用 X509Certificate2 class 的 X509Certificate2 方法。 (.NETFramework\v4.7.2\System.dll)
此時服務器和客戶端在同一台計算機上。
- Windows防御者防火牆的端口打開。
一些用於理解我在做什么的圖像。
1 個解決方案
解決方案1
0 已采納 2019-11-11 09:52:16
使用證書來保護通信需要我們使用以下命令將證書綁定到特定的計算機端口。
Netsh http 添加 sslcert ipport=0.0.0.0:5000 certhash= 0102030405060708090A0B0C0D0E0F1011121314 appid= appid={00112233-4455-6677AAFF7-BBC8
https://docs.microsoft.com/en-us/windows/win32/http/add-sslcert
https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-configure-a-port-with-an-ssl-certificate
當我們設置站點綁定時,此功能在 IIS 中自動完成。
WebHttpBinding binding = new WebHttpBinding();
binding.Security.Mode = WebHttpSecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Cert
關於使用證書對客戶端進行身份驗證,請參考以下官方文檔。 https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/transport-security-with-certificate-authentication
通常有兩點我們需要注意。
-
1、我們要保證服務證書和客戶端證書都具有客戶端認證和服務器認證的目的。
服務器身份驗證 (1.3.6.1.5.5.7.3.1)
客戶端身份驗證 (1.3.6.1.5.5.7.3.2)
-
2.我們最好在Dotnet framwork4.6.2上構建項目,因為讀取使用PowerShell證書創建的證書的私鑰有問題。
如果有什么我可以幫忙的,請隨時告訴我。
輕松地將WCF的托管從自托管更改為Windows服務托管
[英]Easiness of changing hosting of WCF from Self-hosting to Windows Service Hosting
自承載WCF和System.ServiceModel.FaultException
[英]Self-Hosting WCF and System.ServiceModel.FaultException
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.