0

我正在寻找关于我正在尝试做的事情是否得到支持的明确答案。

基本上,我使用 WCF 流式传输大型 MTOM 附件(200 Mb),这工作得很好。该服务的安全要求是使用 HTTPS 和基于证书的身份验证。我可以通过 HTTPS 运行服务而没有任何问题,但是一旦我将 IIS 设置为“接受客户端证书”或“需要客户端证书”(代码中没有更改),就会引发以下错误(但只有在附件结束后80 Mb 左右):

The socket connection was aborted. 
This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. 
Local socket timeout was '00:30:00'.

我找到了一些资源,很抱歉现在找不到它们,这表明失败可能与传入消息无法数字签名或由于消息内容的流式传输性质而无法验证有关。我相信该服务必须对整个消息内容进行散列以验证证书,但这无法实现,因为在尝试进行验证时,部分消息正在传输中。

我已经设置了消息契约,以便正文是单个 Stream 元素,而其他元素包含在标头中:

   <MessageContract()>
Public Class StreamAttachmentRequest

    <MessageHeader(MustUnderstand:=True)>
    Public Property AttachmentName As String

    <MessageBodyMember(Order:=1)>
    Public Property Attachment As Stream

End Class

服务配置如下所示:

<system.serviceModel>

<!-- BINDING -->
<bindings>
<basicHttpBinding>
  <binding name="TestCaseBasicBinding"
           messageEncoding="Mtom"
           transferMode="StreamedRequest"
           maxReceivedMessageSize="2147483647"
           closeTimeout="00:30:00"
           openTimeout="00:30:00"
           receiveTimeout="00:30:00"
           sendTimeout="00:30:00">
    <security mode="Transport">
      <transport clientCredentialType="None"></transport>
    </security>
    <readerQuotas maxDepth="32"
                      maxStringContentLength="8192"
                      maxArrayLength="16384"
                      maxBytesPerRead="4096"
                      maxNameTableCharCount="16384" />
  </binding>
</basicHttpBinding>
</bindings>

<!-- BEHAVIORS -->
<behaviors>
  <serviceBehaviors>

    <!-- TEST CASE SECURE BEHAVIOR -->
    <behavior name="TestCaseSecureBehavior">
      <serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
      <serviceDebug includeExceptionDetailInFaults="true"/>
      <serviceCredentials>
        <serviceCertificate
            storeLocation="LocalMachine"
            storeName="My"
            findValue="DistinguishedNameOfCert"
            x509FindType="FindBySubjectDistinguishedName" />
        <clientCertificate>
          <authentication certificateValidationMode="ChainTrust"/>
        </clientCertificate>
      </serviceCredentials>
    </behavior>

  </serviceBehaviors>
</behaviors>

<!-- SERVICES -->
<services>
  <service name="StreamingMutualAuthTestCase.Web.Service.TestCaseServiceImplementation" 
           behaviorConfiguration="TestCaseSecureBehavior">
    <!-- SERVICE -->
    <endpoint address=""
              binding="basicHttpBinding"
              bindingConfiguration="TestCaseBasicBinding"
              contract="StreamingMutualAuthTestCase.Web.Service.ITestCaseService" />

    <endpoint contract="IMetadataExchange" binding="mexHttpsBinding" address="mex" />

  </service>
</services>    

<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />

客户端配置如下所示:

 <system.serviceModel>
    <bindings>
        <basicHttpBinding>
            <binding name="BasicHttpBinding_ITestCaseService" closeTimeout="00:30:00"
                openTimeout="00:30:00" receiveTimeout="00:30:00" sendTimeout="00:30:00"
                maxReceivedMessageSize="2147483647" messageEncoding="Mtom"
                transferMode="Streamed">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                    maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                <security mode="Transport">
                    <transport clientCredentialType="Certificate" realm="" />
                </security>
            </binding>
        </basicHttpBinding>
    </bindings>

  <!-- BEHAVIORS -->
  <behaviors>
    <endpointBehaviors>
      <behavior name="SecureClientBehavior">
        <clientCredentials>
          <clientCertificate
            storeLocation="LocalMachine"
            storeName="My"
            findValue="DistinguishedNameOfCert"
            x509FindType="FindBySubjectDistinguishedName"/>
          <serviceCertificate>
            <authentication certificateValidationMode="ChainTrust"/>
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>

    <client>
        <endpoint address="https://test7/TestCaseService/TestCaseService.svc" 
                  binding="basicHttpBinding" 
                  bindingConfiguration="BasicHttpBinding_ITestCaseService"
                  contract="TestCaseService.ITestCaseService" 
                  name="BasicHttpBinding_ITestCaseService" 
                  behaviorConfiguration="SecureClientBehavior"/>
    </client>
</system.serviceModel>

再一次,在我将 IIS 客户端证书设置为接受或要求之前,这将正常工作。

此外,IIS 日志中有 413 错误...

2011-08-18 15:00:06 W3SVC1 10.39.8.111 POST /TestCaseService/TestCaseService.svc - 443 - 10.75.13.81 - - - test7 413 0 0

我已经在我的文件上传服务之上设计了一个身份验证服务来解决这些问题;但我真的很想知道我正在尝试做的事情是否“可行”。

非常感谢 - 帕特里克

4

1 回答 1

2

如果您想在 IIS 中打开客户端证书,您必须对您的服务(和客户端)执行相同操作:

<security mode="Transport">
  <transport clientCredentialType="Certificate" />
</security>

您的客户端必须向代理提供证书:

yourProxy.ClientCredentials.ClientCertificate.SetCertificate(...);

此外,您的服务器必须信任这些证书,因此客户端证书必须由服务器信任的证书颁发机构颁发,或者必须直接安装到 LocalMachine\Trusted people 存储在服务器上。

WCF 端点不支持“接受客户端证书” - 您必须使用客户端证书或不使用。

于 2011-08-17T14:57:08.480 回答