【发布时间】:2019-07-29 06:58:55
【问题描述】:
我有一个 WCF 服务,它当前接受使用 MD5 签名算法(与 TLS 1.1 兼容)的证书,以及一个能够使用上述证书调用该服务的客户端。
但是,我们希望使用新证书(SHA-1 签名算法)升级到 TLS 1.2,并且为了向后兼容,需要同时接受这两个证书。
有什么办法可以实现吗?
WCF 服务在配置文件中配置如下:
<!-- Server-side WCF configuration as posted (fragment: the closing </system.serviceModel> tag is not shown). -->
<system.serviceModel>
<services>
<service name="MyService" behaviorConfiguration="ServiceBehavior">
<host>
<baseAddresses>
<!-- net.tcp listener used by the SomeService endpoint below; the http address only carries the mex endpoint. -->
<add baseAddress="net.Tcp://localhost:8004" />
<add baseAddress="http://localhost:8006" />
</baseAddresses>
</host>
<!-- Service Endpoints -->
<endpoint address="SomeService" binding="netTcpBinding" bindingConfiguration="netTcpBindingConf" contract="IService">
<!-- Expected service identity; clients compare this DNS name against the service certificate's subject. -->
<identity>
<dns value="ServerCertificate" />
</identity>
</endpoint>
<!-- Metadata exchange endpoint; remove before deployment if the contract must not be discoverable (see serviceMetadata below). -->
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<!-- This process is also a client of AnotherService on port 8001, reusing the same binding and the ClientBehavior credentials. -->
<client>
<endpoint address="net.Tcp://localhost:8001/AnotherService" behaviorConfiguration="ClientBehavior" binding="netTcpBinding" bindingConfiguration="netTcpBindingConf" contract="IService" name="IRACService">
<identity>
<dns value="ServerCertificate" />
</identity>
</endpoint>
</client>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="false" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<!-- NOTE(review): still "true" here - stack traces and internal type names are returned to every caller in fault messages; set to false for deployment as the comment above says. -->
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<!-- Service certificate is selected by subject name only. If the old (MD5-signed) and new (SHA-1-signed) certificates are both installed under the same subject,
     this lookup becomes ambiguous - presumably WCF rejects multiple matches; FindByThumbprint pins exactly one certificate. -->
<serviceCertificate findValue="ServerCertificate" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
<clientCertificate>
<!-- Certificate the service expects from callers at the message level, also looked up by subject name. -->
<certificate findValue="ClientCertificate" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
<!-- PeerOrChainTrust accepts any certificate in the TrustedPeople store or one chaining to a trusted root.
     NOTE(review): revocationMode="NoCheck" means a revoked client certificate is still accepted; confirm whether Online/Offline checking is viable before deployment. -->
<authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />
</clientCertificate>
</serviceCredentials>
<!-- NOTE(review): 1000 concurrent calls/instances/sessions combined with the int.MaxValue quotas below let any peer that can open a connection hold large buffers; size these to real traffic. -->
<serviceThrottling maxConcurrentCalls="1000" maxConcurrentInstances="1000" maxConcurrentSessions="1000" />
<dataContractSerializer maxItemsInObjectGraph="2147483647" />
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<!-- Credentials used when this process calls AnotherService (client endpoint above). -->
<behavior name="ClientBehavior">
<clientCredentials>
<clientCertificate findValue="ClientCertificate" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
<serviceCertificate>
<defaultCertificate findValue="ServerCertificate" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
<!-- Same revocation/trust caveat as on the service side: revocation is not checked for the remote service certificate. -->
<authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<netTcpBinding>
<!-- Message size, buffer and reader quotas are all int.MaxValue: no upper bound on what a single message may allocate (see throttling note above). -->
<binding name="netTcpBindingConf" closeTimeout="00:11:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxReceivedMessageSize="2147483647" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxConnections="1000" openTimeout="00:20:00">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<reliableSession ordered="true" inactivityTimeout="00:15:00" />
<!-- TransportWithMessageCredential: the stream is protected at the transport level and the client certificate is presented at the message level.
     NOTE(review): the TLS 1.1/1.2 question concerns the transport stream; with clientCredentialType="Windows" the stream security is Windows/SSPI-based rather than SSL - confirm which negotiation actually applies here. -->
<security mode="TransportWithMessageCredential">
<!-- algorithmSuite governs the XML signature/encryption algorithms for the message credential, not the hash used to sign the X.509 certificates themselves. -->
<message clientCredentialType="Certificate" algorithmSuite="Default" />
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
</security>
</binding>
</netTcpBinding>
</bindings>
客户端在配置文件中配置如下:
<!-- Client-side WCF configuration as posted (fragment: the closing </system.serviceModel> tag is not shown). -->
<system.serviceModel>
<bindings>
<netTcpBinding>
<!-- Must match the security mode and credential types of the service's netTcpBindingConf; reader quotas are unbounded (int.MaxValue) here as well. -->
<binding name="bindingConfigName" closeTimeout="00:10:00" openTimeout="00:40:00" receiveTimeout="00:32:00" sendTimeout="00:10:00" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="2147483647">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<reliableSession ordered="true" inactivityTimeout="00:10:00" />
<!-- Transport-level protection with Windows credentials plus a certificate at the message level, mirroring the service binding.
     NOTE(review): which protocol version is negotiated for the stream depends on the transport credential type - confirm before relying on TLS 1.1/1.2 settings. -->
<security mode="TransportWithMessageCredential">
<message clientCredentialType="Certificate" algorithmSuite="Default" />
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
</security>
</binding>
</netTcpBinding>
</bindings>
<client>
<!-- Targets the SomeService endpoint exposed on the service's net.tcp base address (port 8004). -->
<endpoint address="net.Tcp://localhost:8004/SomeService" behaviorConfiguration="ClientBehavior" binding="netTcpBinding" bindingConfiguration="bindingConfigName" contract="IService" name="ISomeService">
<!-- DNS identity checked against the service certificate's subject name. -->
<identity>
<dns value="ServerCertificate" />
</identity>
</endpoint>
<!-- Identical address, binding and behavior as ISomeService; only the name differs - presumably selected by name in code, verify against the caller. -->
<endpoint address="net.Tcp://localhost:8004/SomeService" behaviorConfiguration="ClientBehavior" binding="netTcpBinding" bindingConfiguration="bindingConfigName" contract="IService" name="ISomeService2">
<identity>
<dns value="ServerCertificate" />
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="ClientBehavior">
<clientCredentials>
<!-- Client certificate presented at the message level, selected by subject name (ambiguous if more than one certificate shares the subject). -->
<clientCertificate findValue="ClientCertificate" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
<serviceCertificate>
<!-- Expected service certificate; subject-name lookup means both the old and the new ServerCertificate would match if installed side by side. -->
<defaultCertificate findValue="ServerCertificate" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
<!-- NOTE(review): revocationMode="NoCheck" - a revoked service certificate is still trusted by this client; PeerOrChainTrust also accepts anything in the TrustedPeople store. -->
<authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />
</serviceCertificate>
</clientCredentials>
<dataContractSerializer maxItemsInObjectGraph="2147483647" />
</behavior>
</endpointBehaviors>
</behaviors>
【问题讨论】:
-
你检查过这个答案吗? - stackoverflow.com/a/49164922/2858407
-
@stop-cran 这个答案对我不适用:如果只是更换证书并在客户端和服务器上(通过注册表)启用 TLS 1.2,我就能使用 TLS 1.2;但我需要根据客户端的不同,同时支持 TLS 1.1 和 TLS 1.2。