1
我开发了一个应用程序,它启动了几个使用SecurityMode.Message加密通信的WCF服务。WCF认证的SSL证书
它正在工作,但它非常复杂,因为我们必须生成一个SSL证书并将其放入特定存储区,服务器和客户端。
的问题是,将使用该程序的客户:
- 是不是在一个域(实际上,服务器肯定会在一个域中,而不是客户端
- 不想买一个证书
那么,什么是我最好的拍摄?我只需要对数据进行加密,我并不需要确保我连接到正确的主机。
我知道我米不在最好的情况,但应用程序将被一些特定的用户使用。
这里是我的代码的一部分,这使得连接:我删除了
string remoteAddress = String.Format("{0}://{1}:{2}", Tools.GetDescription(accessInfo.ServiceHost.Protocol), accessInfo.ServiceHost.HostName, accessInfo.PortNumber);
// avoid seralization/deserialization problems with large XML's
WSHttpBinding binding = new WSHttpBinding();
binding.ReaderQuotas.MaxStringContentLength = int.MaxValue;
binding.ReaderQuotas.MaxArrayLength = int.MaxValue;
binding.MaxReceivedMessageSize = int.MaxValue;
binding.ReaderQuotas.MaxStringContentLength = int.MaxValue;
binding.ReaderQuotas.MaxArrayLength = int.MaxValue;
binding.ReaderQuotas.MaxDepth = int.MaxValue;
binding.ReaderQuotas.MaxBytesPerRead = int.MaxValue;
binding.ReaderQuotas.MaxNameTableCharCount = int.MaxValue;
TimeSpan timeoutSpan = DateTime.Now.AddMinutes(30) - DateTime.Now;
binding.CloseTimeout = timeoutSpan;
binding.OpenTimeout = timeoutSpan;
binding.ReceiveTimeout = timeoutSpan;
binding.SendTimeout = timeoutSpan;
binding.ReliableSession.InactivityTimeout = timeoutSpan;
binding.MaxBufferPoolSize = int.MaxValue;
//we set the security type
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
ChannelFactory<TService> channelFactory = new ChannelFactory<TService>(binding, remoteAddress);
_service = channelFactory.CreateChannel();
请注意:
服务器端:
ServiceHost host = new ServiceHost(typeof(MyServiceType))
WSHttpBinding binding = new WSHttpBinding
{
ReaderQuotas = { MaxStringContentLength = int.MaxValue, MaxArrayLength = int.MaxValue, MaxDepth = int.MaxValue, MaxBytesPerRead = int.MaxValue, MaxNameTableCharCount = int.MaxValue },
MaxReceivedMessageSize = int.MaxValue
};
TimeSpan timeoutSpan = TimeSpan.FromMilliseconds(timeout);
binding.CloseTimeout = timeoutSpan;
binding.OpenTimeout = timeoutSpan;
binding.ReceiveTimeout = timeoutSpan;
binding.SendTimeout = timeoutSpan;
binding.ReliableSession.InactivityTimeout = timeoutSpan;
binding.MaxBufferPoolSize = int.MaxValue;
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, ConfigurationManager.AppSettings["Hostname"]);
host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
host
.AddServiceEndpoint(services[port], binding, String.Format("http://localhost:{0}", port));
客户端部分关于我的自定义验证有一个更干净的代码
好吧,这正是我的想法。如果客户更喜欢没有加密并且不需要安装/支付证书(我不推荐他,但我需要知道) 并且:如果他们购买了证书,我有在这里检查吗?我想有些证书只能用于http,否? – J4N
SSL服务器证书将起作用。如果您想制作自己的定制解决方案,则由您决定。你必须在传递它之前加密邮件内容并在收到邮件之后解密它 - 可能是自定义邮件检查器或自定义通道/编码器。您必须找到一种方法来安全地存储加密密钥(这正是证书的作用)。 –
谢谢,另一个问题:如果只能通过客户网络访问服务器,该怎么办?我的意思是,对于可信的出版商?我们可以获得内部网络名称或私有IP的合法SSL证书吗? – J4N