问题描述

我正在开发一个WCF服务（NetTcpBinding），它工作正常没有安全。我们从DigiCert购买了一个证书，并将其安装在服务器上并配置了DigicertUtil.exe。也安装在测试客户端计算机上。

打开安全性我可以从我的dev电脑连接到它，没有问题。

服务器配置：

  binding.Security.Mode = SecurityMode.Transport; 
 binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate; 
 binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign; 
 ServerHost.Credentials.ServiceCertificate.SetCertificate（
 StoreLocation.LocalMachine，
 StoreName.My，
 X509FindType.FindBySubjectName，
 Properties.Settings.Default.CertificateName）; 
  

客户端配置：

 < binding name =EndPointTCPcloseTimeout =00:01:00openTimeout =00:01:00
 receiveTimeout =00:10:00sendTimeout = 01:00transactionFlow =false
 hostNameComparisonMode =StrongWildcardmaxBufferPoolSize =1610612736
 maxReceivedMessageSize =1610612736> 
< readerQuotas maxDepth =32maxStringContentLength =2147483647
 maxArrayLength =2147483647maxBytesPerRead =4096maxNameTableCharCount =16384/> 
< reliableSession ordered =falseinactivityTimeout =00:10:00enabled =false/> 
< security mode =运输> 
< transport clientCredentialType =CertificateprotectionLevel =EncryptAndSign/> 
< / security> 
< / binding> 
 
< behaviors> 
< endpointBehaviors> 
< behavior name =behavior_ServerService> 
< clientCredentials> 
< clientCertificate findValue =*。domain.com
 storeLocation =LocalMachine
 storeName =My
 x509FindType =FindBySubjectName/& 
< / clientCredentials> 
< / behavior> 
< / endpointBehaviors> 
< / behaviors> 
 
< client> 
< endpoint address =net.tcp：//clients.domain.com：10001 / Server / ServerService
 binding =netTcpBindingbindingConfiguration =EndPointTCPcontract =ServerServiceReference.IServerWS
 name =EndPointTCPbehaviorConfiguration =behavior_ServerService> 
< identity> 
< dns value =*。domain.com/> 
< / identity> 
< / endpoint> 
< / client> 
  

（我修改了域名和服务名称以保护客户的隐私。）

尝试从任何其他计算机尝试在客户端上收到以下错误：

登录服务器上说：

The trace log on the server says:

Which is very strange because I use the same certificate on both the sever and the client... (and not to mention the dev pc from which it's working well...)

The error message is the same even if I set

ServerHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;

on the server and

ServiceClient.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;

on the client.

Could anybody tell me how to do it correctly? Of course I do not want to use workarounds like validation callback returning always true or the above non-validated mode.

Any help would be appreciated. Only this 'little' problem should be solved to be able to release... :(

Thanks a lot in advance!

Hudgi

It sounds like you are trying to use the same certificate as both a server and client certificate and that your clients do not have the same hostname that the certificate was issued to. Even if you set X509CertificateValidationMode.None, the hostnames must match. If your development machine was the same as the server it would most certainly succeed.

Are you intentionally trying to make clients authenticate to the server over SSL, or are you just trying to establish trust from your clients with the certificate authority?

I also suspect your certificate may not really be a wildcard certificate, if thats the case you are out of luck with using that cert for client authentication.

这篇关于根据验证过程，远程证书无效的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！