以下是简要摘要:我有一个WCF客户端(.NET 4.0),它在Windows7(64位)上运行良好,但在XP(32位)上失败。由于我有很多XP客户,这是一个巨大的问题。
- 客户端是根据服务提供商提供的wsdl文件生成的
- 服务是基于SSL的SOAP 1.2,带有MTOM
- 客户端证书在智能卡上(ActivIdentity)
这是代码:
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
//System.Net.ServicePointManager.SecurityProtocol =System.Net.SecurityProtocolType.Tls;//.Ssl3;
EndpointAddress addr = new EndpointAddress(g2bservice);
B2GServiceClient client = new B2GServiceClient(NCTSBinding.Create(), addr);
client.ClientCredentials.ClientCertificate.Certificate = ccer; // one that is on SmartCard
client.Endpoint.Behaviors.Add(new MyCustomBehavior());
echo e = new echo();
e.Msg = "Hello, World!";
echoResponse r = client.echo(e);
这个绑定是这样创建的:
BindingElement[] be = new BindingElement[2];
be[0] = new NCTSMessageEncodingBindingElement();
HttpsTransportBindingElement hbe = new HttpsTransportBindingElement();
hbe.RequireClientCertificate = true;
be[1] = hbe;
CustomBinding _b = new CustomBinding(be);
return _b;
其中NCTSMessageEncodingBinding与具有overridenIsContentTypeSupported(...)的MtomMessageEncoding Binding大致相同。
所以,这个代码在Win7上有效,对话框要求输入PIN以从智能卡中获取"私人部件"。在XP上,输入PIN的对话框从未发出,而是出现错误消息:
"An error occurred while making the HTTP request to https://cistest.apis-it.hr:8446/g2bservis. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server."
有线索吗?XP和Win7在支持基础设施方面有什么不同?
小更新:请注意工作和非工作跟踪日志中不同的粗体行。出于某种原因,在Windows7机器上,初始消息中包含服务名称(cistest.apis-it.hr),而在XP上,此信息丢失。此消息之后,XP上的套接字关闭
Windows 7,工作示例(相同代码):System.Net信息:0:[3748]SecureChannel#23960260-证书类型为X509Certificate2,包含私钥。System.Net信息:0:[3748]AcquireCredentialsHandle(package=Microsoft统一安全协议提供程序,intent=Outbound,scc=System.Net.SecureCredential)System.Net信息:0:[3748]InitializeSecurityContext(凭据=System.Net.SafeFreeCredential_SECURITY,上下文=(null),targetName=cistest.apis-it.hr,inFlags=ReplayDetect,SequenceDetect,机密性,AllocateMemory,InitManualCredValidation)System.Net信息:0:[3748]InitializeSecurityContext(缓冲区内长度=0,缓冲区外长度=122,返回代码=ContinueNeeded)。System.Net.Sockets详细:0:[3748]套接字#46340781::Send()System.Net.Sockets详细:0:[3748]来自套接字#46340781::发送的数据System.Net.Sockets详细信息:0:[3748]00000000:16 03 01 00 75 01 00 00-71 03 01 4E 67 4E 6A 26:。。。。u…q.NgNj&System.Net.Sockets详细:0:[3748]00000010:C6 C9 65 17 D7 EC C1 A1-15 72 E1 56 80 F4 5A BB:。。e……r.V.Z。System.Net.Sockets详细:0:[3748]00000020:A8 4C 50 54 84 D4 3E 86-29 68 CA 00 18 00 2F:.LPT..>.)h/System.Net.Sockets详细:0:[3748]00000030:00 35 00 05 00 0A C0 13-C0 14 C0 09 C0 00 32:.5…………..2System.Net.Sockets详细:0:[3748]00000040:00 38 00 13 00 04 01 00-00 30 FF 01 00 01 00 00:.8……..0。。。。。。System.Net.Sockets详细:0:[3748]00000050:00 00 17 00 15 00 12-63 69 73 74 65 73 74 2E:。。。。。。。。药剂师。System.Net.Sockets详细:0:[3748]00000060:61 70 69 73 2D 69 74 2E-68 72 00 0A 00 06 00 04:api-it.hr……System.Net.Sackets详细:0:[3748]0000070:00 17 00 18 00 0B 00 02-01 00:。。。。。。。。。。System.Net.Sockets详细:0:[3748]正在退出套接字#46340781::Send()->122#122XP,不起作用的示例(相同代码):System.Net信息:0:[2272]SecureChannel#7307181-证书类型为X509Certificate2,包含私钥。System.Net信息:0:[2272]AcquireCredentialsHandle(package=Microsoft统一安全协议提供程序,intent=Outbound,scc=System.Net.SecureCredential)System.Net信息:0:[2272]InitializeSecurityContext(凭据=System.Net.SafeFreeCredential_SECURITY,上下文=(null),targetName=cistest.apis-it.hr,inFlags=ReplayDetect,SequenceDetect,机密性,分配内存,InitManualCredValidation)System.Net信息:0:[2272]InitializeSecurityContext(缓冲区内长度=0,缓冲区外长度=77,返回代码=ContinueNeeded)。System.Net.Sockets详细:0:[2272]套接字#3230890::Send()System.Net.Sockets详细:0:[2272]来自套接字#32308990::发送的数据System.Net.Sockets详细信息:0:[2272]00000000:16 03 01 00 48 01 00 00-44 03 01 4E 67 4E 1E C1:。。。。H.…D.NgN。。System.Net.Sockets详细:0:[2272]00000010:32 BD E0 57 87 A8 68 8B-32 77 00 18 DE 3F 69 3D:2.W.h.2w。。。?我=System.Net.Sockets详细信息:0:[2272]00000020:D7 B1 7B 76 AD 26 A6 63-6B BB 49 00 00 16 00 04:。。我。。。。。System.Net.Sockets详细:0:[2272]00000030:00 05 00 0A 00 09 00 64-00 62 00 03 00 06 00 13:。。。。。。。d.b。。。。。。System.Net.Sockets详细信息:0:[2272]00000040:00 12 00 63 01 00 05-FF 01 00 01 00:。。。cSystem.Net.Sockets详细信息:0:[2272]正在退出套接字#32308990::Send()->77#77System.Net.Sockets详细:0:[2272]套接字#3230890::Receive()System.Net.Sockets详细:0:[2272]来自套接字32308990::接收的数据System.Net.Sockets详细信息:0:[2272]00000000:15 03 01 00 02:。。。。。。。。System.Net.Sockets详细:0:[2272]正在退出套接字#32308990::Receive()->5#5System.Net.Sockets详细:0:[2272]套接字#3230890::Receive()System.Net.Sockets详细:0:[2272]来自套接字32308990::接收的数据System.Net.Sockets详细信息:0:[2272]0000000 5:02 28:。(System.Net.Sockets详细:0:[2272]正在退出套接字#32308990::Receive()->2#2System.Net.Sockets详细:0:[2272]套接字#3230890::Receive()System.Net.Sockets详细:0:[2272]来自套接字32308990::接收的数据System.Net.Sockets详细信息:0:[2272]0000000 7::System.Net.Sockets详细:0:[2272]正在退出套接字#32308990::Receive()->0#0System.Net.Sockets详细:0:[2272]套接字#3230890::Dispose()
经过一个月左右的努力解决这个问题,得出的结论是这个问题无法解决。至少它不能用本机.NET和操作系统支持来解决。对于微软来说,Windows XP显然太旧了,无法支持AES 256位加密、SHA 256位签名和RSA密钥交换。世界上有40%的用户仍在使用XP,所以这个决定真的很奇怪。
这样的支持被添加到Windows server 2003中(我曾尝试将schannel.dll和rsaenh.dll从2003添加到XP,取得了一些进展,但远非理想)。
官方高级技术支持的回答是:"目前情况看起来不太乐观,过去曾有另一位客户请求拥有KB文章948963的XP版本,但我们的产品组拒绝了这一请求。这些安全功能是在Vista中引入的,两个平台之间的6-7年差异使XP很难进行更改。">
因此,对于SOAP和WebServices,我不推荐.NET,至少对于不能同时控制双方的企业服务是不推荐的。
叹气!