根据验证过程，远程证书无效 [英] The remote certificate is invalid according to the validation procedure

问题描述

我正在开发一个WCF服务（NetTcpBinding），它工作正常没有安全。我们从DigiCert购买了一个证书，并将其安装在服务器上并配置了DigicertUtil.exe。也安装在测试客户端计算机上。

打开安全性我可以从我的dev电脑连接到它，没有问题。

服务器配置：

  binding.Security.Mode = SecurityMode.Transport; 
 binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate; 
 binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign; 
 ServerHost.Credentials.ServiceCertificate.SetCertificate（
 StoreLocation.LocalMachine，
 StoreName.My，
 X509FindType.FindBySubjectName，
 Properties.Settings.Default.CertificateName）; 
  

客户端配置：

 < binding name =EndPointTCPcloseTimeout =00:01:00openTimeout =00:01:00
 receiveTimeout =00:10:00sendTimeout = 01:00transactionFlow =false
 hostNameComparisonMode =StrongWildcardmaxBufferPoolSize =1610612736
 maxReceivedMessageSize =1610612736> 
< readerQuotas maxDepth =32maxStringContentLength =2147483647
 maxArrayLength =2147483647maxBytesPerRead =4096maxNameTableCharCount =16384/> 
< reliableSession ordered =falseinactivityTimeout =00:10:00enabled =false/> 
< security mode =运输> 
< transport clientCredentialType =CertificateprotectionLevel =EncryptAndSign/> 
< / security> 
< / binding> 
 
< behaviors> 
< endpointBehaviors> 
< behavior name =behavior_ServerService> 
< clientCredentials> 
< clientCertificate findValue =*。domain.com
 storeLocation =LocalMachine
 storeName =My
 x509FindType =FindBySubjectName/& 
< / clientCredentials> 
< / behavior> 
< / endpointBehaviors> 
< / behaviors> 
 
< client> 
< endpoint address =net.tcp：//clients.domain.com：10001 / Server / ServerService
 binding =netTcpBindingbindingConfiguration =EndPointTCPcontract =ServerServiceReference.IServerWS
 name =EndPointTCPbehaviorConfiguration =behavior_ServerService> 
< identity> 
< dns value =*。domain.com/> 
< / identity> 
< / endpoint> 
< / client> 
  

（我修改了域名和服务名称以保护客户的隐私。）

尝试从任何其他计算机尝试在客户端上收到以下错误：

套接字连接中止。这可能是由于处理您的消息时出错，或远程主机超出了接收超时或基础网络资源问题。本地套接字超时为'00：00：59.9840000'。

远程主机强制关闭现有连接

登录服务器上说：

根据验证程序，远程证书无效。

这是非常奇怪的，因为我在服务器和客户端上使用相同的证书...（而不是提到它的工作良好的dev pc ...） / p>

即使我设置

  ServerHost，错误消息是一样的。 Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None; 
  

在服务器上和

  ServiceClient.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None; 
  

。

有人能告诉我如何正确做到吗？当然，我不想使用解决方法，如验证回调返回总是true或上述非验证模式。

任何帮助将不胜感激。只有这个小的问题应该解决才能释放... :(

提前多谢！

Hudgi

解决方案

听起来你试图使用相同的证书作为服务器和客户端证书，即使您设置了X509CertificateValidationMode.None，主机名也必须匹配，如果您的开发机器与服务器相同，那么它肯定会成功。

您是否故意试图通过SSL向服务器进行身份验证，或者您是否只是尝试使用证书颁发机构向客户端建立信任？

我还怀疑你的证书可能不是真正的通配符证书，如果这是你运气使用该证书的客户端身份验证的情况下。

I'm developing a WCF service (NetTcpBinding) and it works just fine without security. We bought a certificate from DigiCert and installed it on the server and configured with DigicertUtil.exe. Also installed on the test client machines.

Turning on the security I'm able to connect to it from my dev PC without problems.

Server config:

   binding.Security.Mode = SecurityMode.Transport;
   binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
   binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
   ServerHost.Credentials.ServiceCertificate.SetCertificate(
              StoreLocation.LocalMachine,
              StoreName.My,
              X509FindType.FindBySubjectName,
              Properties.Settings.Default.CertificateName);

Client config:

 <binding name="EndPointTCP" closeTimeout="00:01:00" openTimeout="00:01:00"
              receiveTimeout="00:10:00" sendTimeout="00:01:00" transactionFlow="false"
              hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="1610612736"
              maxReceivedMessageSize="1610612736">
              <readerQuotas maxDepth="32" maxStringContentLength="2147483647"
                maxArrayLength="2147483647" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
              <reliableSession ordered="false" inactivityTimeout="00:10:00" enabled="false" />
              <security mode="Transport">
                <transport clientCredentialType="Certificate"  protectionLevel="EncryptAndSign"/>
              </security>
            </binding>

    <behaviors>
          <endpointBehaviors>
            <behavior name="behavior_ServerService">
              <clientCredentials>
                <clientCertificate findValue="*.domain.com"
                          storeLocation="LocalMachine"
                          storeName="My"
                          x509FindType="FindBySubjectName" />
              </clientCredentials>
            </behavior>
          </endpointBehaviors>
        </behaviors>

<client>
  <endpoint address="net.tcp://clients.domain.com:10001/Server/ServerService"
    binding="netTcpBinding" bindingConfiguration="EndPointTCP" contract="ServerServiceReference.IServerWS"
    name="EndPointTCP" behaviorConfiguration="behavior_ServerService">
    <identity>
      <dns value="*.domain.com" />
    </identity>
  </endpoint>
</client>  

(I modified the domain and service name to keep privacy of the customer.)

Trying it from any other computers I receive the following error on clients:

The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:00:59.9840000'.

An existing connection was forcibly closed by the remote host

The trace log on the server says:

The remote certificate is invalid according to the validation procedure.

Which is very strange because I use the same certificate on both the sever and the client... (and not to mention the dev pc from which it's working well...)

The error message is the same even if I set

ServerHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;

on the server and

ServiceClient.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;

on the client.

Could anybody tell me how to do it correctly? Of course I do not want to use workarounds like validation callback returning always true or the above non-validated mode.

Any help would be appreciated. Only this 'little' problem should be solved to be able to release... :(

Thanks a lot in advance!

Hudgi

解决方案

It sounds like you are trying to use the same certificate as both a server and client certificate and that your clients do not have the same hostname that the certificate was issued to. Even if you set X509CertificateValidationMode.None, the hostnames must match. If your development machine was the same as the server it would most certainly succeed.

Are you intentionally trying to make clients authenticate to the server over SSL, or are you just trying to establish trust from your clients with the certificate authority?

I also suspect your certificate may not really be a wildcard certificate, if thats the case you are out of luck with using that cert for client authentication.

这篇关于根据验证过程，远程证书无效的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！