在我的WCF自托管WebService使用相互证书来验证客户端,我设置CertificateValidationMode = PeerTrust
,但它似乎被忽略,因为我仍然可以执行某些客户端的方法,至此我已删除相应的证书TrustedPeople
服务器商店。Wcf证书作为ClientCredentials
赫雷什宿主例如:
static void Main()
{
var httpsUri = new Uri("https://192.168.0.57:xxx/HelloServer");
var binding = new WSHttpBinding
{
Security =
{
Mode = SecurityMode.Transport,
Transport = {ClientCredentialType = HttpClientCredentialType.Certificate}
};
var host = new ServiceHost(typeof(HelloWorld), httpsUri);
//This line is not working
host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =X509CertificateValidationMode.PeerTrust;
host.AddServiceEndpoint(typeof(IHelloWorld), binding, string.Empty, httpsUri);
host.Credentials.ServiceCertificate.SetCertificate(
StoreLocation.LocalMachine,
StoreName.My,
X509FindType.FindBySubjectName,
"server.com");
// Open the service.
host.Open();
Console.WriteLine("Listening on {0}...", httpsUri);
Console.ReadLine();
// Close the service.
host.Close();
}
的客户端应用程序:
static void Main(string[] args)
{
try
{
var c = new HelloWorld.HelloWorldClient();
ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, error) => true;
c.ClientCredentials.ClientCertificate.SetCertificate(
StoreLocation.LocalMachine,
StoreName.My,
X509FindType.FindBySubjectName,
"client.com");
Console.WriteLine(c.GetIp());
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
Console.ReadKey();
}
我生成server.com和client.com与根CA证书。此RootCA证书安装在客户端和服务器的受信任根存储中。 现在的问题是,我不应该执行GetIp()
方法,如果我的client.com证书不在TrustedPeople存储的服务器,对不对?但即时执行它没有任何问题。
问题是,在这种情况下,如何验证客户端证书将其公钥置于服务器的TrustedPeople上?
ps:在this MSDN运输安全与客户端证书的文章,theres报价为The server’s certificate must be trusted by the client and the client’s certificate must be trusted by the server.
但我可以从客户端执行webmethods,即使客户端证书没有在服务器TrustedPeople商店。