WCF net.tcp transport security - how to disable server certificate validation on the client


Question

I'm doing some testing with WCF and we currently have the following Server setup (simplified config):

<netTcpBinding>
  <binding name="netTcp" ... >
     <security mode="Transport">
        <transport clientCredentialType="None"/>
     </security>
  </binding>
</netTcpBinding>

...

<serviceBehaviors>
    <behavior name="defaultServiceBehavior">
        <serviceCredentials>
            <serviceCertificate
                findValue="OurCert"
                storeLocation="LocalMachine"
                storeName="My"
                x509FindType="FindBySubjectName"/>
        </serviceCredentials>
    </behavior>
</serviceBehaviors>

and the following client config:

<endpointBehaviors>
    <behavior name="NoRevNoValid">
        <clientCredentials>
            <serviceCertificate>
                <authentication certificateValidationMode="None"
                                revocationMode="NoCheck"/>
            </serviceCertificate>
        </clientCredentials>
    </behavior>
</endpointBehaviors>

So, the idea is that the server certificate is used to encrypt the data, but that the Client does not bother to validate the certificate (the client won't have the CA for the certificate anyway).

However, this configuration does not stop the client from validating the certificate. It still tries to walk the chain of trust and look for revocation lists.

I found this link stating that the certificateValidationMode attribute does not apply to the net.tcp binding.

I have looked at handling the ServicePointManager.ServerCertificateValidationCallback event, but again it appears that this only applies to Http-based bindings.

Presumably these are both because when using the net.tcp binding, the transport security is handled out of scope of the application?

Is there any other option?

Answer

After much testing, it appears that the link stating that the certificateValidationMode attribute does NOT apply to net.tcp bindings is WRONG!

This option still applies to net.tcp bindings.

However, the certificate used for the net.tcp transport security is still loaded and its CAs and CRLs are still attempted to be resolved. The certificate I was using contained URLs for both CRL and CAs so the cert store was going off to resolve these each time (the URLs were unavailable) even though the WCF config was then saying to ignore whether the certificate was invalid.

So the answer is that the WCF config certificateValidationMode does still apply, it's just that the certificate will still be "resolved" by the cert store. This should not be a huge issue for most people, but I am going to do some further tests regarding the URLs that the certificate has because these are causing us major latency issues during connection.
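As an added example that is not part of the question or the answer above: the same client scenario (no CA installed on the client) can be covered with certificateValidationMode="Custom" and a validator that pins the thumbprint of "OurCert", so the client accepts that one server certificate rather than any certificate. The ClientApp namespace, the IMyService contract and the thumbprint passed in are placeholders.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

namespace ClientApp // hypothetical namespace
{
    [ServiceContract]
    public interface IMyService // placeholder contract, not from the question
    {
        [OperationContract]
        string Ping(string message);
    }
    // Accepts exactly one expected server certificate instead of any certificate (mode "None").
    public sealed class PinnedThumbprintValidator : X509CertificateValidator
    {
        private readonly string expectedThumbprint;
        public PinnedThumbprintValidator(string expectedThumbprint)
        {
            // Normalise to the form X509Certificate2.Thumbprint uses: upper-case hex, no separators.
            this.expectedThumbprint = expectedThumbprint.Replace(" ", "").Replace(":", "").ToUpperInvariant();
        }
        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");
            if (!string.Equals(certificate.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase))
                throw new SecurityTokenValidationException(
                    "Server certificate " + certificate.Thumbprint + " does not match the pinned thumbprint.");
        }
    }
    public static class ChannelSetup
    {
        // pinnedThumbprint is the SHA-1 thumbprint of "OurCert", copied from the server's certificate store.
        public static IMyService CreateChannel(string address, string pinnedThumbprint)
        {
            var binding = new NetTcpBinding(SecurityMode.Transport);
            binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;
            var factory = new ChannelFactory<IMyService>(binding, new EndpointAddress(address));
            var auth = factory.Credentials.ServiceCertificate.Authentication;
            // Same as <authentication certificateValidationMode="Custom" customCertificateValidatorType="..."/> in config.
            auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
            auth.CustomCertificateValidator = new PinnedThumbprintValidator(pinnedThumbprint);
            auth.RevocationMode = X509RevocationMode.NoCheck;
            return factory.CreateChannel();
        }
    }
}
```

The pinned thumbprint has to be updated whenever the server certificate is renewed, which is the trade-off for not depending on the CA chain.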
