如何告诉WCF跳过证书的验证？ [英] How do I tell WCF to skip verification of the certificate?

问题描述

尝试网络服务调用 HTTPS 端点在我的 Silverlight 应用程序导致出现此错误：无法找到匹配具有绑定WSHttpBinding的端点的方案https的基地址。注册的基地址方案是[http]

与此处发布的问题相同：

http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/4c19271a-f5e6-4659 -9e06-b556dbdcaf82 /

所以，其中一个建议是：另一个问题可能是证书名称和机器名称不同意，这导致 WCF 适合。如果是这样，您可以告诉WCF跳过证书的验证。

很好，我做

以下是我设置客户端的方法：

  BasicHttpBinding binding = new BasicHttpBinding（）; 
 binding.Security.Mode = BasicHttpSecurityMode.Transport; 
 _ws = new AnnotationService.AnnotationClient（binding，new EndpointAddress（myAddress））; 
  

如何告诉WCF跳过验证？

解决方案

您可以在Silverlight中通过在Web服务器与Silverlight应用程序和远程WCF服务之间进行允许跨域通信实现此目的。

在这种情况下，您需要 clientaccesspolicy.xml 文件位于托管WCF服务的域的根目录：

 <？xml version =1.0encoding =utf-8？> 
< access-policy> 
< cross-domain-access> 
< policy> 
< allow-from http-request-headers =SOAPAction> 
< domain uri =http：// */> 
< / allow-from> 
< grant-to> 
< resource path =/include-subpaths =true/> 
< / grant-to> 
< / policy> 
< / cross-domain-access> 
< / access-policy> 
  

以下是 MSDN说明了这种方法：

允许通过HTTP应用程序托管的任何Silverlight控制台
访问HTTPS服务
，您需要将
的< domain uri =http：// /> *元素
放在您的 em>元素。

我没有尝试过这个，但它可能值得一试。另请务必查看以下资源以了解更多详情：

• 制作跨域边界服务


• 在Silverlight客户端中配置Web服务使用

---

在.NET中禁用X.509证书验证

对于.NET应用程序，此示例WCF配置将禁用证书是否受信任的验证，在客户端上仍然有效：

 < system.serviceModel> 
< behaviors> 
< endpointBehaviors> 
< behavior name =DisableServiceCertificateValidation> 
< clientCredentials> 
< serviceCertificate> 
< authentication certificateValidationMode =None
 revocationMode =NoCheck/> 
< / serviceCertificate> 
< / clientCredentials> 
< / behavior> 
< / endpointBehaviors> 
< / behaviors> 
< client> 
< endpoint address =http：// localhost / MyService
 behaviorConfiguration =DisableServiceCertificateValidation
 binding =wsHttpBinding
 contract =MyNamespace.IMyService
 name =MyServiceWsHttp/> 
 < /system.serviceModel> 
  

另一种解决方案是提供自定义逻辑以验证X.509证书由服务提供。在这种情况下，您将必须根据以下修改配置文件：

 < system.serviceModel> 
< behaviors> 
< endpointBehaviors> 
< behavior name =DisableServiceCertificateValidation> 
< clientCredentials> 
< serviceCertificate> 
< authentication certificateValidationMode =Custom
 customCertificateValidatorType =MyCertificateValidator，Client
 revocationMode =NoCheck/> 
< / serviceCertificate> 
< / clientCredentials> 
< / behavior> 
< / endpointBehaviors> 
< / behaviors> 
< client> 
< endpoint address =http：// localhost / MyService
 behaviorConfiguration =DisableServiceCertificateValidation
 binding =wsHttpBinding
 contract =MyNamespace.IMyService
 name =MyServiceWsHttp/> 
< / client> 
< /system.serviceModel> 
  

然后创建一个源自 X509CertificateValidator 来实现您的自定义验证逻辑。

  public class MyCertificateValidator：X509CertificateValidator 
 {
 public override void Validate（X509Certificate2 certificate）
 {
 //添加自定义验证逻辑
 //抛出异常以验证失败
} 
} 
  

，您可以在MSDN上找到更详细的示例。 p>

Trying to make a web service call to an HTTPS endpoint in my Silverlight application results in this error: "Could not find a base address that matches scheme https for the endpoint with binding WSHttpBinding. Registered base address schemes are [http]"

The same problem as was posted here:

http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/4c19271a-f5e6-4659-9e06-b556dbdcaf82/

So, one of the suggestions was this: "The other issue might be that the cert name and the machine name don't agree, and this is causing WCF to have fits. If this is the case, you can tell WCF to skip verification of the cert."

Well, I do get a certificate error because this is just a demo server.

Here's how I set up my client:

BasicHttpBinding binding = new BasicHttpBinding();
binding.Security.Mode = BasicHttpSecurityMode.Transport;
_ws = new AnnotationService.AnnotationClient(binding, new EndpointAddress(myAddress));

How can I tell WCF to skip the verification?

解决方案

You might be able to achieve this in Silverlight by allowing cross-domain communication between the web server the hosts the Silverlight application and the remote WCF service.

In that case you need to place a clientaccesspolicy.xml file at the root of the domain where the WCF service is hosted:

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="http://*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>

Here's what MSDN states about this approach:

To allow access to an HTTPS service from any Silverlight control hosted over HTTP application, you need to put the <domain uri="http://" />* element inside your <allow-from> element.

I haven't tried this myself but it could be worth a shot. Also be sure to check out the following resources for more details:

• Making a Service Available Across Domain Boundaries
• Configuring Web Service Usage in Silverlight Clients

---

Disabling X.509 certificate validation in .NET

For .NET applications this sample WCF configuration will disable validation of both whether the certificate is trusted and whether it is still valid on the client:

<system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="DisableServiceCertificateValidation">
            <clientCredentials>
                <serviceCertificate>
                    <authentication certificateValidationMode="None"
                                    revocationMode="NoCheck" />
                </serviceCertificate>
            </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint address="http://localhost/MyService"
        behaviorConfiguration="DisableServiceCertificateValidation"
        binding="wsHttpBinding"
        contract="MyNamespace.IMyService"
        name="MyServiceWsHttp" />
    </client>
</system.serviceModel>

An alternative solution is to provide custom logic to validate the X.509 certificate provided by the service. In that case you will have to modifiy the configuration file according to the following:

<system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="DisableServiceCertificateValidation">
            <clientCredentials>
                <serviceCertificate>
                    <authentication certificateValidationMode="Custom"
                                    customCertificateValidatorType="MyCertificateValidator, Client"
                                    revocationMode="NoCheck" />
                </serviceCertificate>
            </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint address="http://localhost/MyService"
        behaviorConfiguration="DisableServiceCertificateValidation"
        binding="wsHttpBinding"
        contract="MyNamespace.IMyService"
        name="MyServiceWsHttp" />
    </client>
</system.serviceModel>

Then create a class that derives from X509CertificateValidator to implement your custom validation logic.

public class MyCertificateValidator : X509CertificateValidator
{
    public override void Validate(X509Certificate2 certificate)
    {
        // Add custom validation logic
        // Throw an exception to fail validation
    }
}

As always, you can find a more detailed example up on MSDN.

这篇关于如何告诉WCF跳过证书的验证？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！