SSL客戶端/服務器相互認證

Question

你好我正在嘗試在C＃中使用服務器和客戶端證書進行雙向認證的SSL客戶端/服務器通信。受管辦SSL通信僅使用服務器證書，在客戶端上我以某事物那樣：

TcpClient client = new TcpClient(machineName, port); 
//Create an SSL stream that will close the client's stream. 
    SslStream sslStream = new SslStream(
    client.GetStream(), 
    false, 
    new RemoteCertificateValidationCallback(ValidateServerCertificate), 
    null 
    ); 
try 
{ 
    // The server name must match the name on the server certificate. 
    sslStream.AuthenticateAsClient(serverName); 
} 
catch (AuthenticationException e) 
{ 
    Console.WriteLine("Exception: {0}", e.Message); 
    if (e.InnerException != null) 
    { 
     Console.WriteLine("Inner exception: {0}", e.InnerException.Message); 
    } 
    Console.WriteLine("Authentication failed - closing the connection."); 
    client.Close(); 
    return; 
} 

我想我需要使用

AuthenticateAsClient(string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation) 

方法，我是corrent？任何人都可以告訴我如何使用它，甚至在服務器端，或者指向一個基本的例子？

非常感謝。

Answer 1

1. 你需要一個X509自證書，創造簡單，下載pluralsight self cert
2. 生成證書，如image
3. 創建新的網站，有選擇WCF服務。
4. 添加解決方案的新控制檯應用程序，以測試我們的服務。

5. 在服務web.config中把配置：

   <?xml version="1.0"?> 
   <configuration> 
   <system.serviceModel> 
   <behaviors> 
       <serviceBehaviors> 
        <behavior name="ServiceCredentialsBehavior"> 
         <serviceCredentials> 
          <serviceCertificate findValue="cn=cool" storeName="TrustedPeople" storeLocation="CurrentUser" /> 
         </serviceCredentials> 
         <serviceMetadata httpGetEnabled="true" /> 
        </behavior> 
       </serviceBehaviors> 
   </behaviors> 
   <services> 
       <service behaviorConfiguration="ServiceCredentialsBehavior" name="Service"> 
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="MessageAndUserName" name="SecuredByTransportEndpoint" contract="IService"/> 
       </service> 
   </services> 
   <bindings> 
       <wsHttpBinding> 
        <binding name="MessageAndUserName"> 
         <security mode="Message"> 
          <message clientCredentialType="UserName"/> 
         </security> 
        </binding> 
       </wsHttpBinding> 
   </bindings> 
   <client/> 
   

6. 在服務類中，刪除現有的方法和添加：

   公共字符串TestAccess（）{ 返回OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.Name; }

7. 在IService刪除數據合同，刪除操作合同，並添加新的經營合同：

   [OperationContract的]
   公共字符串TestAccess（）;

8. 運行服務和客戶端應用程序中添加服務引用到我們的服務

9. 客戶端配置：

   <?xml version="1.0" encoding="utf-8"?> 
   <configuration> 
       <system.serviceModel> 
       <behaviors> 
       <endpointBehaviors> 
        <behavior name="LocalCertValidation"> 
         <clientCredentials> 
          <serviceCertificate> 
           <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="CurrentUser" /> 
          </serviceCertificate> 
         </clientCredentials> 
        </behavior> 
       </endpointBehaviors> 
   </behaviors> 
   <bindings> 
       <wsHttpBinding> 
        <binding name="WSHttpBinding_IService" > 
         <security mode="Message"> 
          <message clientCredentialType="UserName" /> 
         </security> 
        </binding> 
       </wsHttpBinding> 
   </bindings> 
   <client> 
       <endpoint address="your service addresss" 
          binding="wsHttpBinding" 
          bindingConfiguration="WSHttpBinding_IService" 
          contract="ServiceReference1.IService" 
          name="WSHttpBinding_IService" behaviorConfiguration="LocalCertValidation"> 
        <identity> 
         <dns value ="cool" /> 
        </identity> 
       </endpoint> 
   </client> 
   

10. 客戶端代碼：

    ServiceClient客戶端=新ServiceClient（）;
    client.ClientCredentials.UserName.UserName =「Your windows user」;
    client.ClientCredentials.UserName.Password =「您的windows用戶密碼」;
    Console.WriteLine（client.TestAccess（））;
    控制檯。的ReadLine（）;
    

11. ，如果你不想使用Windows登錄/密碼，您必須創建一個自定義用戶/ passwd文件驗證->msdn：
    問候，
    
    的Sergiu。

Answer 2

static void HTTPSClient() 
{ 
    try 
    { 
     string message = "GET/HTTP/1.0\r\nHost: host.com\r\n\r\n"; 

     byte[] data = System.Text.Encoding.ASCII.GetBytes(message); 

     string server = "host.com"; 
     int nPort = 443; 
     TcpClient client = new TcpClient(server, nPort); 

     X509Certificate2Collection cCollection = new X509Certificate2Collection(); 
     cCollection.Add(new X509Certificate2("cert.pfx", "password")); 


     using (SslStream sslStream = new SslStream(client.GetStream(), false, new RemoteCertificateValidationCallback(ValidateServerCertificate), null)) 
     { 
      // Add a client certificate to the ssl connection 
      sslStream.AuthenticateAsClient(server, cCollection, System.Security.Authentication.SslProtocols.Default, true); 

      sslStream.Write(data, 0, data.Length); 

      data = new Byte[8192]; 
      int bytes = 0; 
      string responseData = ""; 

      do 
      { 
       bytes = sslStream.Read(data, 0, data.Length); 
       if (bytes > 0) 
       { 
        responseData += System.Text.Encoding.ASCII.GetString(data, 0, bytes); 
       } 
      } 
      while (bytes > 0); 

      Console.WriteLine("Response: " + responseData); 
     } 

     // Disconnect and close the client 
     client.Close(); 
    } 
    catch (Exception ex) 
    { 
     Console.WriteLine("Error: " + ex.ToString()); 
    } 
} 

public static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) 
{ 
    if (sslPolicyErrors == SslPolicyErrors.None) 
     return true; 

    Console.WriteLine("Certificate error: {0}", sslPolicyErrors); 

    // Do not allow this client to communicate with unauthenticated servers. 
    return false; 
}