SSL 上的 WCF 服务无法为具有权限 'test-service.hostname.com' 的 SSL/TLS 建立安全通道
WCF Service over SSL Could not establish secure channel for SSL/TLS with authority 'test-service.hostname.com'
我有问题。我们正在尝试通过所需的 SSL 将客户端证书附加到 WCF 服务。当我尝试通过浏览器导航到该服务时,它会显示 'You have created a service page' 但前提是我附加了证书,所以我认为这不是 IIS 问题。
我遇到过很多堆栈溢出问题,我想每次我都会取得一点进步。但是对于我的一生,我无法摆脱这个问题。我添加了日志记录,这是我看到的错误:
System.Net Information: 0 : [12444] SecureChannel#15775260 - Certificate
is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [12444] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Error: 0 : [12444] AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net Information: 0 : [12444] AcquireCredentialsHandle(package =
Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Error: 0 : [12444] AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net.Sockets Verbose: 0 : [8000] Socket#13431269::Dispose()
System.Net Error: 0 : [8000] Exception in HttpWebRequest#55386345:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [8000] Exception in HttpWebRequest#55386345::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..
System.ServiceModel Error: 131075 : <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Error"><TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Diagnostics.ThrowingException.aspx</TraceIdentifier><Description>Throwing an exception.</Description><AppDomain>/LM/W3SVC/1/ROOT/Application.TestHarness.Blah-1-130676061695261461</AppDomain><Exception><ExceptionType>System.ServiceModel.Security.SecurityNegotiationException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>Could not establish secure channel for SSL/TLS with authority 'test-bolt.homesite.com'.</Message><StackTrace> at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp; msgData, Int32 type)
at Application.TestHarness.IntegrationService.QuickQuote()
服务配置:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="WebBehavior">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="Service.Namwe" behaviorConfiguration="WebBehavior">
<endpoint address=""
binding="wsHttpBinding"
bindingConfiguration="transportSecurity"
contract="Service.IContract"/>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="transportSecurity">
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
客户端配置:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="transportSecurity">
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name ="defaultClientCertificate">
<clientCredentials>
<clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="hostname.com"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<endpoint name="boltService" behaviorConfiguration="defaultClientCertificate"
address="https://hostname.com/Service/Integration.svc"
binding="wsHttpBinding"
bindingConfiguration="transportSecurity"
contract="ServiceRef.IServiceContract" />
</client>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
如有任何建议,我们将不胜感激。
我明白我的问题是什么了。 运行 服务的应用程序池无权访问证书。我假设因为我将它固定在 IIS 中所有应用程序池都可以访问(不是这种情况)。万一有人发现这个并且有类似的问题,这里是我最终发现的问题以及修复它的方法。
https://msdn.microsoft.com/en-us/library/aa702621.aspx 如果您更喜欢 GUI 而不是 cmd 行工具,您也可以在 MMC 中执行此操作。
我遇到了同样的问题并用这段代码解决了问题;
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
或者试试这个代码
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
运行 visual studio 在管理员模式下为我解决了这个问题。
我有问题。我们正在尝试通过所需的 SSL 将客户端证书附加到 WCF 服务。当我尝试通过浏览器导航到该服务时,它会显示 'You have created a service page' 但前提是我附加了证书,所以我认为这不是 IIS 问题。
我遇到过很多堆栈溢出问题,我想每次我都会取得一点进步。但是对于我的一生,我无法摆脱这个问题。我添加了日志记录,这是我看到的错误:
System.Net Information: 0 : [12444] SecureChannel#15775260 - Certificate
is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [12444] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Error: 0 : [12444] AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net Information: 0 : [12444] AcquireCredentialsHandle(package =
Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Error: 0 : [12444] AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net.Sockets Verbose: 0 : [8000] Socket#13431269::Dispose()
System.Net Error: 0 : [8000] Exception in HttpWebRequest#55386345:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [8000] Exception in HttpWebRequest#55386345::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..
System.ServiceModel Error: 131075 : <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Error"><TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Diagnostics.ThrowingException.aspx</TraceIdentifier><Description>Throwing an exception.</Description><AppDomain>/LM/W3SVC/1/ROOT/Application.TestHarness.Blah-1-130676061695261461</AppDomain><Exception><ExceptionType>System.ServiceModel.Security.SecurityNegotiationException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>Could not establish secure channel for SSL/TLS with authority 'test-bolt.homesite.com'.</Message><StackTrace> at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp; msgData, Int32 type)
at Application.TestHarness.IntegrationService.QuickQuote()
服务配置:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="WebBehavior">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="Service.Namwe" behaviorConfiguration="WebBehavior">
<endpoint address=""
binding="wsHttpBinding"
bindingConfiguration="transportSecurity"
contract="Service.IContract"/>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="transportSecurity">
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
客户端配置:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="transportSecurity">
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name ="defaultClientCertificate">
<clientCredentials>
<clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="hostname.com"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<endpoint name="boltService" behaviorConfiguration="defaultClientCertificate"
address="https://hostname.com/Service/Integration.svc"
binding="wsHttpBinding"
bindingConfiguration="transportSecurity"
contract="ServiceRef.IServiceContract" />
</client>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
如有任何建议,我们将不胜感激。
我明白我的问题是什么了。 运行 服务的应用程序池无权访问证书。我假设因为我将它固定在 IIS 中所有应用程序池都可以访问(不是这种情况)。万一有人发现这个并且有类似的问题,这里是我最终发现的问题以及修复它的方法。 https://msdn.microsoft.com/en-us/library/aa702621.aspx 如果您更喜欢 GUI 而不是 cmd 行工具,您也可以在 MMC 中执行此操作。
我遇到了同样的问题并用这段代码解决了问题;
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
或者试试这个代码
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
运行 visual studio 在管理员模式下为我解决了这个问题。