>如本问题 使用客户端证书身份验证连接到 Web 服务 我正在尝试使用服务器管理员提供的客户端证书从 c# 调用 SOAP Web 服务。就像在那个问题中一样,我可以使用浏览器中提供的证书访问 Web 服务(他使用 CURL,我可以使用 IE但不能使用 FF)。我已经确定在浏览器和下面的代码中使用相同的证书,并且服务器支持 TLS 1.2 与链接问题不同 - 这是使我的问题与众不同的唯一原因。
证书已导入到My和Root存储中,我可以确定在进行 WS 方法调用之前,它正在被找到并分配给 WS 对象实例。
但是在跟踪中,我可以看到它被忽略了:
System.Net 信息: 0 : [5928] TlsStream#11958757::.ctor(host=wsuat.domain.com, #certs=0)
我使用的代码非常简单,我从以前的开发人员那里继承了它,并被告知它在大约 1 年前"曾经工作过"。注释掉证书分配行后,它在本地工作正常,但是一旦我尝试在打开双向SSL的服务器上访问WS,它就会失败:
using (ASoapClient client = new ASoapClient())
{
try
{
//ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
client.ClientCredentials.ClientCertificate.SetCertificate(
StoreLocation.LocalMachine
,StoreName.Root // also can load from .My
,X509FindType.FindBySerialNumber // also can find by SubjectName
,"FA33.........................634"
);
SubmitResult rr = client.Submit(req);
}
catch(Exception ex)
{
MessageBox.Show(ex.Message, "Error submitting");
}
}
当我将Expect100Continue设置为true时,出现以下异常:
System.ServiceModel.CommunicationException: An error occurred while making the HTTP request to https://wsuat.domain.com/wsuat/ws.asmx.
This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.
---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send.
---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
当我注释掉它时,我得到以下内容:
System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority 'wsuat.domain.com'.
---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
正如经常发生的那样,当我完全绝望地问这个问题时,答案就找到了。在MSDN中查找basicHttpBinding安全模式,发现提到了传输clientCredentialType属性。
添加transport元素并将其设置为Certificate后,如下所示,一切正常:
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>