To test whether the client performs one-way or two-way authentication, I removed the server certificate from Trusted People and communication still worked without any problem, so only one-way authentication is taking place. I checked the client with Fiddler, and the server is presenting its certificate.
On the server side the certificate is bound to the address and port in IIS, so it is not specified explicitly.
The client runs in a virtual machine on my local machine and on the server.
I made the certificates with KeyStore Explorer, and the CA is placed in Trusted Root on both machines. The server certificate (.pfx file) is placed in Personal on the server and the client certificate (.cer file) in Trusted People on the server, and vice versa for these two on the client.
Server:
using System;
using System.ServiceModel;
using System.ServiceModel.Security;

string address = "https://192.168.0.30:8003/Service/";
Uri uri = new Uri(address);
// Passing an instance to ServiceHost requires MessageService to be marked
// [ServiceBehavior(InstanceContextMode = InstanceContextMode.Single)].
IService service = new MessageService();
ServiceHost host = new ServiceHost(service, uri);
// PeerTrust: the client certificate itself must be in the server's Trusted People store.
host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
BasicHttpBinding binding = new BasicHttpBinding();
// HTTPS protects the channel; the client is authenticated by a WS-Security message credential.
binding.Security.Mode = BasicHttpSecurityMode.TransportWithMessageCredential;
binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
// Ignored in TransportWithMessageCredential mode: WCF configures the HTTPS transport for
// protection only, so no client certificate is required during the TLS handshake.
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
host.AddServiceEndpoint(typeof(IService), binding, address);
host.Open();
Client:
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

var address = new EndpointAddress(new Uri("https://192.168.0.30:8003/Service/"));
BasicHttpBinding binding = new BasicHttpBinding();
binding.Security.Mode = BasicHttpSecurityMode.TransportWithMessageCredential;
binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
// Ignored in TransportWithMessageCredential mode (see the server side).
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
var channel = new ChannelFactory<IService>(binding, address);
// Governs the service certificate used at the message layer only; the HTTPS server
// certificate is validated separately (ServiceCertificate.SslCertificateAuthentication in .NET 4.5+).
channel.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
// The certificate that signs outgoing messages, looked up in the current user's Personal store.
channel.Credentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser,
    StoreName.My,
    X509FindType.FindBySubjectName,
    "192.168.0.39");
var proxy = channel.CreateChannel();
I found many different and contradictory answers about what it means for a service to be two-way or one-way. In theory it is completely clear, but programmatically not so much. From this official source I concluded that message security mode is two-way and transport is a one-way authentication mode, and later I found that others use transport security mode for two-way authentication.
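For comparison, the transport-mode variant that the last paragraph refers to, where both sides are authenticated by the TLS handshake itself, as an added example that is not code from the original post. It assumes a minimal `IEchoService`/`EchoService` contract standing in for the poster's `IService`/`MessageService`, the same addresses and stores as above, and .NET Framework 4.5 or later for `ServiceCertificate.SslCertificateAuthentication`.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract standing in for the poster's IService/MessageService.
[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    string Echo(string text);
}

// Single instance so it can be handed to ServiceHost(object, Uri) as below.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.Single)]
public class EchoService : IEchoService
{
    public string Echo(string text) => text;
}

public static class TransportMutualAuth
{
    // Transport mode: HTTPS authenticates the server, and the client must present a
    // certificate during the TLS handshake. No WS-Security message credential is used.
    public static BasicHttpBinding CreateBinding()
    {
        var binding = new BasicHttpBinding();
        binding.Security.Mode = BasicHttpSecurityMode.Transport;
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        return binding;
    }

    public static ServiceHost OpenServer(string address)
    {
        var host = new ServiceHost(new EchoService(), new Uri(address));
        // PeerTrust: the presented client certificate must itself be in the server's
        // Trusted People store; chaining to a trusted CA alone is not enough.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;
        host.AddServiceEndpoint(typeof(IEchoService), CreateBinding(), address);
        host.Open();
        return host;
    }

    public static IEchoService CreateClient(string address, string clientCertSubject)
    {
        var factory = new ChannelFactory<IEchoService>(CreateBinding(), new EndpointAddress(address));
        // SslCertificateAuthentication validates the server's HTTPS certificate; with PeerTrust
        // the server certificate must be in the client's Trusted People store, so removing it
        // there makes the call fail instead of succeeding silently.
        factory.Credentials.ServiceCertificate.SslCertificateAuthentication =
            new X509ServiceCertificateAuthentication
            {
                CertificateValidationMode = X509CertificateValidationMode.PeerTrust,
            };
        // Client certificate (with private key) sent during the TLS handshake.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, clientCertSubject);
        return factory.CreateChannel();
    }

    public static void Main()
    {
        const string address = "https://192.168.0.30:8003/Service/";
        using (var host = OpenServer(address))
        {
            IEchoService proxy = CreateClient(address, "192.168.0.39");
            Console.WriteLine(proxy.Echo("ping"));
        }
    }
}
```

For a self-hosted `ServiceHost` (rather than IIS) the HTTP.sys SSL binding must also be told to request a client certificate, e.g. `netsh http add sslcert ipport=0.0.0.0:8003 certhash=<thumbprint> appid={<guid>} clientcertnegotiation=enable`; without that flag the server never asks for the client certificate and the handshake completes one-way regardless of the binding settings.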