【问题标题】:Assigned client certificate is ignored when TLS connection established建立 TLS 连接时忽略分配的客户端证书
【发布时间】:2017-05-26 17:39:57
【问题描述】:

在这个问题Connecting to a Web Service using Client Certificate authentication 中,我正在尝试使用服务器管理员提供的客户端证书从 c# 调用 SOAP Web 服务。就像在那个问题中一样,我可以在浏览器中使用提供的证书访问 Web 服务(他使用 CURL,我可以使用 IE 但不能使用 FF)。我已经确定在浏览器和下面的代码中使用了相同的证书,并且服务器支持 TLS 1.2,这与链接问题不同——这是唯一让我的问题与众不同的原因。

证书已导入MyRoot 存储,我可以确定在调用 WS 方法之前已找到它并将其分配给 WS 对象实例。

但在跟踪中我可以看到它被忽略了:

System.Net 信息:0:[5928] TlsStream#11958757::.ctor(host=wsuat.domain.com, #certs=0)

我使用的代码非常简单,我从以前的开发人员那里继承了它,并在大约 1 年前被告知它“曾经可以工作”。注释掉证书分配行后,它在本地可以正常工作,但是一旦我尝试打开双向 SSL 访问服务器上的 WS,它就会失败:

using (ASoapClient client = new ASoapClient())
{
    try
    {
        //ServicePointManager.Expect100Continue = true;
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        client.ClientCredentials.ClientCertificate.SetCertificate(
             StoreLocation.LocalMachine
            ,StoreName.Root // also can load from .My
            ,X509FindType.FindBySerialNumber // also can find by SubjectName
            ,"FA33.........................634"
        );
        SubmitResult rr = client.Submit(req);
    }
    catch(Exception ex)
    {
        MessageBox.Show(ex.Message, "Error submitting");
    }
}

当我将 Expect100Continue 设置为 true 时,出现以下异常:

System.ServiceModel.CommunicationException: An error occurred while making the HTTP request to https://wsuat.domain.com/wsuat/ws.asmx.
This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.
---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. 
---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. 
---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host

当我将其注释掉时,我得到以下信息:

System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority 'wsuat.domain.com'.
---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)

【问题讨论】:

    标签: c# x509certificate tls1.2


    【解决方案1】:

    正如经常发生的那样,当我完全绝望地问这个问题时,答案就找到了。在MSDN 中查找basicHttpBinding 安全模式,发现提到了传输clientCredentialType 属性。

    一旦我添加了transport 元素并将其设置为Certificate,如下所示,一切正常:

      <security mode="Transport">
        <transport clientCredentialType="Certificate" />
      </security>
    

    【讨论】:

      猜你喜欢
      • 2018-07-30
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2019-10-25
      • 2023-02-13
      • 2017-06-27
      • 1970-01-01
      相关资源
      最近更新 更多