使用X509Certificates保护WCF服务

Question

我正在研究的场景涉及到一个ASP.NET web应用程序，它与一个使用netTcpBinding的自托管WCF服务通信。这两个组件托管在不同的机器上。web服务器是DMZ中的独立机器，与应用服务器没有信任关系。

我希望通信在运输层得到保护。正如我所理解的，如果客户端和应用服务器都安装了合适的X509证书，它们可以相互认证，数据交换也可以加密。

我提供了一个带有ClientAuthentication证书的web服务器和一个ServerAuthentication证书的应用服务器。在每种情况下，证书都存储在LocalMachine\My存储中。我已经确保所有证书都可以使用私钥，并且应用池标识和BUILTIN\本地标识(分别在web和app服务器上)可以完全访问私钥。我还将证书的公钥部分(即.cer文件)复制到另一个服务器上的LocalMachine\TrustedPeople存储中。

配置如下所示：

应用服务器

<services>
  <service behaviorConfiguration="DefaultServiceBehavior" name="Evs.Application.Services.XXXXXProvider">
    <endpoint address="net.tcp://localhost:8000/Evs.Application.Services/XXXXXServiceCert"
              binding="netTcpBinding" bindingConfiguration="SecureCertificateNetTcpBinding" contract="Evs.Application.Contracts.IXXXXXProvider"
              behaviorConfiguration="endpointBehavior"/>
  </service>
</services>
<behaviors>
  <serviceBehaviors>
    <behavior name="DefaultServiceBehavior">
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceCredentials>
        <serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" findValue="xxxxxxxxxxxxxx"/>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
<bindings>
    <binding name="SecureNetTcpBinding">
      <security mode="Transport" />
    </binding>
    <binding name="SecureCertificateNetTcpBinding">
      <security mode="Transport">
        <transport clientCredentialType="Certificate" />
      </security>
    </binding>
  </netTcpBinding>
</bindings>

网络服务器

<client>
  <endpoint address="net.tcp://app-ext-01.prod.mydomain.com:8000/Evs.Application.Services/XXXXXServiceCert"
            behaviorConfiguration="secureEndPointBehaviour" binding="netTcpBinding"
            bindingConfiguration="SecureCertificateNetTcpBinding" contract="Evs.Application.Contracts.IXXXXXProvider"
            name="XXXXXProvider"/>
<client>
<behaviors>
  <endpointBehaviors>
    <behavior name="secureEndPointBehaviour">
      <clientCredentials>
        <clientCertificate findValue= "xxxxxxxxxxxxxxxxxxx"
         storeLocation="LocalMachine" storeName="My"
         x509FindType="FindByThumbprint"/>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
<bindings>
  <netTcpBinding>
    <binding name="SecureCertificateNetTcpBinding">
      <security mode="Transport">
        <transport clientCredentialType="Certificate" />
      </security>
    </binding>
  </netTcpBinding>
</bindings>

在我用来测试这个的暂存环境中，除了下面的例外(从服务器端日志中检索到)之外，对服务的调用都会失败。

System.ServiceModel.CommunicationException: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:00:59.9840000'. ---> System.IO.IOException: The read operation failed, see inner exception. ---> 
System.ServiceModel.CommunicationException: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:00:59.9840000'. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
   at System.ServiceModel.Channels.SocketConnection.ReadCore(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout, Boolean closing)
   --- End of inner exception stack trace ---
   at System.ServiceModel.Channels.SocketConnection.ReadCore(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout, Boolean closing)
   at System.ServiceModel.Channels.SocketConnection.Read(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout)
   at System.ServiceModel.Channels.ConnectionStream.Read(Byte[] buffer, Int32 offset, Int32 count)
   at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
   at System.Net.Security._SslStream.StartFrameHeader(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security._SslStream.StartReading(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security._SslStream.ProcessRead(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
   --- End of inner exception stack trace ---
   at System.Net.Security._SslStream.ProcessRead(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.Read(Byte[] buffer, Int32 offset, Int32 count)
   at System.ServiceModel.Channels.StreamConnection.Read(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout)
   --- End of inner exception stack trace ---

有人能建议我需要对这个配置做些什么才能让它正常工作吗？

Answer 1

我相信你失踪了：

服务器端

<serviceCredentials>
  <clientCertificate>
    <authentication certificateValidationMode="PeerTrust" />
  </clientCertificate>
</serviceCredentials>

客户端

<clientCredentials>
  <serviceCertificate>
    <authentication certificateValidationMode="PeerTrust" />
  </serviceCertificate>
</clientCredentials>