如何告诉WCF跳过证书验证？

Question

尝试在Silverlight应用程序中对HTTPS端点进行Web服务调用会导致此错误:"无法找到与绑定WSHttpBinding的端点的方案https匹配的基址.已注册的基址方案为[http]"

与此处发布的问题相同:

http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/4c19271a-f5e6-4659-9e06-b556dbdcaf82/

因此,其中一个建议是:"另一个问题可能是证书名称和机器名称不一致,这导致WCF适合.如果是这种情况,您可以告诉WCF跳过验证证书."

好吧,我确实收到了证书错误,因为这只是一个演示服务器.

以下是我设置客户端的方法:

BasicHttpBinding binding = new BasicHttpBinding();
binding.Security.Mode = BasicHttpSecurityMode.Transport;
_ws = new AnnotationService.AnnotationClient(binding, new EndpointAddress(myAddress));

如何告诉WCF跳过验证？

Answer 1

您可以通过允许 Web服务器,Silverlight应用程序的主机和远程WCF服务之间的跨域通信,在Silverlight中实现此目的.

在这种情况下,您需要将clientaccesspolicy.xml文件放在托管WCF服务的域的根目录下:

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="http://*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>

以下是MSDN对此方法的陈述:

要允许从通过HTTP应用程序托管的任何Silverlight控件访问HTTPS服务,您需要将<domain uri ="http:// "/>*元素放在<allow-from>元素中.

我自己没试过,但它值得一试.另外,请务必查看以下资源以获取更多详细信息:

• 跨域边界提供服务
• 在Silverlight客户端中配置Web服务使用情况

在.NET中禁用X.509证书验证

对于.NET应用程序,此示例WCF配置将禁用证书是否受信任以及它是否仍在客户端上有效:

<system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="DisableServiceCertificateValidation">
            <clientCredentials>
                <serviceCertificate>
                    <authentication certificateValidationMode="None"
                                    revocationMode="NoCheck" />
                </serviceCertificate>
            </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint address="http://localhost/MyService"
        behaviorConfiguration="DisableServiceCertificateValidation"
        binding="wsHttpBinding"
        contract="MyNamespace.IMyService"
        name="MyServiceWsHttp" />
    </client>
</system.serviceModel>

另一种解决方案是提供自定义逻辑来验证服务提供的X.509证书.在这种情况下,您将必须根据以下内容修改配置文件:

<system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="DisableServiceCertificateValidation">
            <clientCredentials>
                <serviceCertificate>
                    <authentication certificateValidationMode="Custom"
                                    customCertificateValidatorType="MyCertificateValidator, Client"
                                    revocationMode="NoCheck" />
                </serviceCertificate>
            </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint address="http://localhost/MyService"
        behaviorConfiguration="DisableServiceCertificateValidation"
        binding="wsHttpBinding"
        contract="MyNamespace.IMyService"
        name="MyServiceWsHttp" />
    </client>
</system.serviceModel>

然后创建一个派生自X509CertificateValidator的类来实现自定义验证逻辑.

public class MyCertificateValidator : X509CertificateValidator
{
    public override void Validate(X509Certificate2 certificate)
    {
        // Add custom validation logic
        // Throw an exception to fail validation
    }
}

与往常一样,您可以在MSDN上找到更详细的示例.