c# - WCF net.tcp 与基于证书的消息安全性绑定(bind)但安全模式已关闭

Question

我有一个 WCF 服务和一个桌面客户端。我使用 net.tcp 绑定(bind)。我有自己的身份验证方法，但我希望对消息进行加密。所以我在双方都安装了相同的证书。我的配置如下:

<endpointBehaviors>
   <behavior name="CustomBehavior">
      <clientCredentials>
         <clientCertificate storeLocation="CurrentUser" storeName="Root" findValue="myCertificateIssuer" x509FindType="FindByIssuerName" />
      </clientCredentials>
   </behavior>
</endpointBehaviors>

...

<binding name="simpleTCP" closeTimeout="00:10:00" openTimeout="00:10:00"
  sendTimeout="00:10:00" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" >
  <security mode="None">
    <message clientCredentialType="Certificate"/>
  </security>
</binding>

我在服务器上也有相同的配置。该解决方案有效，但我不知道它是否真的加密了消息。我认为此配置关闭默认身份验证但仍加密 channel 是否正确？

提前致谢

Answer 1

详细说明初始响应

如果您想加密 channel ，请使用类似这样的绑定(bind)进行传输级加密:

<bindings>
  <netTcpBinding>
    <binding name="TestTcp">
      <security mode="Transport"> <!-- Channel -->
        <transport clientCredentialType="Certificate" protectionLevel="EncryptAndSign" />
      </security>
    </binding>
  </netTcpBinding>
</bindings>

要加密消息，使用类似这样的绑定(bind)进行消息级加密:

<bindings>
  <netTcpBinding>
    <binding name="TestTcp">
      <security mode="Message"> <!-- Message -->
        <message clientCredentialType="Certificate" algorithmSuite="Default" />
      </security>
    </binding>
  </netTcpBinding>
</bindings>

您会注意到下面的节点 <security/>可以是<message/>或 <transport/> , 这应该与您选择的 mode 匹配. clientCredentialType设置为 Certificate使用您的服务证书进行加密。

"[To encrypt the channel] with netTcpBinding, when using Windows authentication, the binding uses the service’s Windows token to provide message protection. When using non-Windows authentication such as certificate authentication, you have to configure a service certificate as service credentials. The binding uses the service certificate for message protection."

"[To encrypt the message] when using Windows authentication, message security uses the service’s Windows token to provide message security. When using non-Windows authentication such as username, certificate, or issue token authentication, you have to configure a service certificate as service credentials. Message security uses the service certificate for message protection."

https://msdn.microsoft.com/en-us/library/ff648863.aspxhttps://msdn.microsoft.com/en-us/library/ff648863.aspx

希望这涵盖了所有基础，并让您使用该 x.509 证书加密您的消息或 channel 。