【发布时间】:2014-01-27 23:53:00
【问题描述】:
我正在尝试通过他们的 WSDL 创建到 Web 服务的连接。有人告诉我,该服务的身份验证被描述为通过交换证书进行身份验证的 TLS。我通过 Visual Studio 中的“添加服务引用”生成了客户端。当我发送命令时,我希望在 Wire Shark 中看到“握手”,但我什至看不到正在发送“Client Hello”启动。
这里描述了服务的身份验证: http://en.wikipedia.org/wiki/Transport_Layer_Security#Description
我的客户端是用 c# 编写的
这是我正在运行以测试连接的完整程序(它以 Run() 开头):
public class ClientExample
{
private const string Url =
"https://xxxxxxxxx";
public static void Run()
{
ServicePointManager.ServerCertificateValidationCallback += ValidateCertificate;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
PerformTest("Clear Cache", GetBinding());
}
private static Binding GetBinding()
{
var bec = new BindingElementCollection
{
new TextMessageEncodingBindingElement(MessageVersion.Soap12, Encoding.UTF8),
new HttpsTransportBindingElement{ RequireClientCertificate = true }
};
return new CustomBinding(bec);
}
private static void PerformTest(string test, Binding binding)
{
try
{
Console.ResetColor();
Console.ForegroundColor = ConsoleColor.Green;
Console.WriteLine(test);
Console.ResetColor();
var client = GetClient(binding);
SendMessage(client);
}
catch (Exception e)
{
DisplayError(e);
}
}
private static MyClient GetClient(Binding binding)
{
var endpointAddress = new EndpointAddress(Url);
var client = new MyClient(binding, endpointAddress);
if (client.ClientCredentials != null)
{
client.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My,
X509FindType.FindBySubjectName,
"xxxxxxxxxxxxx");
}
return client;
}
private static void SendMessage(ChargePointServiceClient client)
{
var response = client.clearCache("xxxxxxxxxxxxx", new ClearCacheRequest());
Console.WriteLine(ClearCacheDescription(response));
}
private static string ClearCacheDescription(ClearCacheStatus response)
{
switch (response)
{
case ClearCacheStatus.Accepted:
return "Accepted";
case ClearCacheStatus.Rejected:
return "Rejected";
}
return "Unkown";
}
private static bool ValidateCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslpolicyerrors)
{
switch (sslpolicyerrors)
{
case SslPolicyErrors.None:
return true;
case SslPolicyErrors.RemoteCertificateChainErrors:
DisplayWarningMessage("RemoteCertificateChainErrors");
return false;
case SslPolicyErrors.RemoteCertificateNameMismatch:
DisplayWarningMessage("RemoteCertificateNameMismatch");
return false;
case SslPolicyErrors.RemoteCertificateNotAvailable:
DisplayWarningMessage("RemoteCertificateNotAvailable");
return false;
default:
DisplayWarningMessage("Unkown Certificate Validation Error");
return false;
}
}
private static void DisplayError(Exception exception)
{
if (exception == null)
return;
Console.BackgroundColor = ConsoleColor.DarkRed;
Console.ForegroundColor = ConsoleColor.White;
Console.WriteLine(@"Exception");
Console.ResetColor();
Console.WriteLine(exception.Message);
if (exception.InnerException != null)
Console.WriteLine();
DisplayError(exception.InnerException);
}
private static void DisplayWarningMessage(string message)
{
Console.BackgroundColor = ConsoleColor.DarkYellow;
Console.ForegroundColor = ConsoleColor.White;
Console.WriteLine(message);
Console.ResetColor();
}
}
我在 app.config 中通过 system.diagnostic 记录了所有网络流量:
<system.diagnostics>
<sources>
<source name="System.Net">
<listeners>
<add name="System.Net"/>
</listeners>
</source>
<source name="System.Net.Sockets">
<listeners>
<add name="System.Net"/>
</listeners>
</source>
<source name="System.Net.Cache">
<listeners>
<add name="System.Net"/>
</listeners>
</source>
</sources>
<switches>
<add name="System.Net" value="Verbose"/>
<add name="System.Net.Sockets" value="Verbose"/>
<add name="System.Net.Cache" value="Verbose"/>
</switches>
<sharedListeners>
<add name="System.Net"
type="System.Diagnostics.TextWriterTraceListener"
traceOutputOptions="None"
initializeData="network.log"
/>
</sharedListeners>
<trace autoflush="true"/>
</system.diagnostics>
以下是一些感兴趣的日志行:
这确认创建了一个 tls 流:
System.Net Information: 0 : [9040] TlsStream#50727427::.ctor(host=xxxxx, #certs=1)
创建了一个安全通道:
System.Net Information: 0 : [9040] SecureChannel#11159819::.ctor(hostname=xxxxxxx, #clientCertificates=1, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [9040] Enumerating security packages:
System.Net Information: 0 : [9040] Negotiate
System.Net Information: 0 : [9040] NegoExtender
System.Net Information: 0 : [9040] Kerberos
System.Net Information: 0 : [9040] NTLM
System.Net Information: 0 : [9040] TSSSP
System.Net Information: 0 : [9040] pku2u
System.Net Information: 0 : [9040] Schannel
System.Net Information: 0 : [9040] Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [9040] LiveSSP
System.Net Information: 0 : [9040] WDigest
System.Net Information: 0 : [9040] CREDSSP
System.Net Information: 0 : [9040] SecureChannel#11159819 - Attempting to restart the session using the user-provided certificate: [Version]
不确定为什么要查找私钥:
System.Net Information: 0 : [9040] SecureChannel#11159819 - Left with 1 client certificates to choose from.
System.Net Information: 0 : [9040] SecureChannel#11159819 - Trying to find a matching certificate in the certificate store.
System.Net Information: 0 : [9040] SecureChannel#11159819 - Locating the private key for the certificate: [Version]
在日志中的这一点上,我看到证书已被交换。不幸的是,钢丝鲨没有证实这一点......
现在我的程序验证服务证书并开始处理
System.Net Information: 0 : [9040] SecureChannel#11159819 - Remote certificate was verified as valid by the user.
System.Net Information: 0 : [9040] ProcessAuthentication(Protocol=Ssl3, Cipher=Rc4 128 bit strength, Hash=Sha1 160 bit strength, Key Exchange=RsaKeyX 2048 bit strength).
然后我看到交换了一些加密数据并发送了我的清除缓存命令
我收到来自服务的加密响应,但该消息指示出现故障。我认为这是因为服务不接受身份验证
System.Net Error: 0 : [9040] Exception in HttpWebRequest#46890055::GetResponse - The remote server returned an error: (500) Internal Server Error..
这是我在wireshark中使用的过滤器(两个IP都是不是我的服务)
(ip.src == xxx.xxx.xxx.xx or ip.dst == xxx.xxx.xxx.xx) and ssl.handshake
另外,我使用的证书没有私钥。我认为我不需要 TLS 文档中的任何一个。
所以我的问题是为什么我在运行程序时在wireshark中看不到Client Hello/Server Hello,或者我应该如何配置客户端绑定来启动客户端hello?
(我标记 wcf 是因为我认为 wcf 专业人员可能知道我的问题的答案。我的解决方案将独立于 wcf,因为我无法控制服务绑定)
【问题讨论】: