ASP.NET Core 2.1

时间:2018-04-18 22:12:13

标签: ssl soap asp.net-core

我正在尝试从4.6.1移植到ASP.NET Core 2.1.0-preview1。以下代码抛出异常“无法为具有权限的SSL / TLS安全通道建立信任关系'[service url]:447'

我是否错误地应用了客户端证书?

X509Certificate cert = X509Certificate2.CreateFromCertFile("C:\\mycert.cer");
X509Certificate2 cert2 = new X509Certificate2(cert);


var binding = new BasicHttpsBinding();
binding.Security.Mode = BasicHttpsSecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
var endpoint = new EndpointAddress(new Uri("https://[service url]"));
var channelFactory = new ChannelFactory<APIWebService>(binding, endpoint);
channelFactory.Credentials.ClientCertificate.Certificate = cert2;
var serviceClient = channelFactory.CreateChannel();
var result = serviceClient.getBatchesSinceGUID(new getBatchesSinceGUIDRequest("-1"));
channelFactory.Close();

FACTS

  1. 已知X509Certificate可以使用4.6.1代码;尽管如此,CORE版本使用的是X509Certificate 2
  2. 在4.6.1版本中,APIWebService代理是使用wsdl.exe生成的
  3. 在ASP.NET Core版本中,APIWebService代理是使用svcutil.exe生成的

    4. EXCEPTION STACKTRACE 

    System.ServiceModel.Security.SecurityNegotiationException
  HResult=0x80131500
  Message=Could not establish trust relationship for the SSL/TLS secure channel with authority '[server url]:447'.
  Source=System.Private.ServiceModel
  StackTrace:
   at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(HttpRequestException requestException, HttpRequestMessage request, HttpAbortReason abortReason)
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpClientRequestChannel.HttpClientChannelAsyncRequest.<SendRequestAsync>d__13.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.ServiceModel.Channels.RequestChannel.<RequestAsync>d__33.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.ServiceModel.Channels.RequestChannel.<RequestAsyncInternal>d__32.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.TaskHelpers.WaitForCompletionNoSpin[TResult](Task`1 task)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(MethodCall methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(MethodInfo targetMethod, Object[] args)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Reflection.DispatchProxyGenerator.Invoke(Object[] args)
   at generatedProxy_1.getDispatchBatchesSinceUID(getDispatchBatchesSinceUIDRequest )
   at NCPA.NADS.Test.UnitTest1.AdsDownload_Test() in UnitTest1.cs:line 26

Inner Exception 1:
HttpRequestException: An error occurred while sending the request.

Inner Exception 2:
WinHttpException: A security error occurred

1 个答案:

答案 0 :(得分:1)

看起来可能是因为它没有提供私钥。 在进行共同证书身份验证时,双方都需要使用其公钥/私钥对来建立安全且经过适当身份验证的通道。

通常,.cer文件通常只包含证书本身,即公钥加上一些元数据和CA签名。私钥保存在证书存储区中(如果它是在本地生成/安装的)或.pfx文件(通常受密码保护或权限限制)。

如果使用.pfx文件执行此操作,而不是从本地证书存储区加载,请非常确定您执行以下操作:

  • 将文件的权限限制为只运行应用程序的帐户的权限,并且只允许使用私钥信任的管理员/开发人员进行读/写。
  • 如果是受密码保护的文件,请勿在代码中对密码进行硬编码或将其签入源代码管理。这完全违背了目的,你也可以不做HTTPS。任何可以查看您的代码和密钥文件的人都可以通过该帐户进行身份验证。
  • .pfx文件本身的相同注释 - 不要将其放在源代码管理中。
相关问题
最新问题