基于 SSL 的 WCF 服务无法为具有权限“test-service.hostname.com”的 SSL/TLS 建立安全通道

Posted 2023-05-07

【中文标题】基于 SSL 的 WCF 服务无法为具有权限“test-service.hostname.com”的 SSL/TLS 建立安全通道

【英文标题】：WCF Service over SSL Could not establish secure channel for SSL/TLS with authority 'test-service.hostname.com'

【发布时间】：2015-04-05 05:31:53

【问题描述】：

我遇到了问题。我们正在尝试通过所需的 SSL 将客户端证书附加到 WCF 服务。当我尝试通过浏览器导航到该服务时，它会显示“您已创建服务页面”，但前提是我附上了证书，所以我不认为这是 IIS 问题。

我经历了很多堆栈溢出问题，我认为每次我都会取得一点进步。但是对于我的生活，我无法摆脱这个问题。我添加了日志记录，这是我看到的错误：

System.Net Information: 0 : [12444] SecureChannel#15775260 - Certificate 

is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [12444] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Error: 0 : [12444] AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net Information: 0 : [12444] AcquireCredentialsHandle(package =



Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Error: 0 : [12444] AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net.Sockets Verbose: 0 : [8000] Socket#13431269::Dispose()
System.Net Error: 0 : [8000] Exception in HttpWebRequest#55386345:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [8000] Exception in HttpWebRequest#55386345::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..
System.ServiceModel Error: 131075 : <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Error"><TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Diagnostics.ThrowingException.aspx</TraceIdentifier><Description>Throwing an exception.</Description><AppDomain>/LM/W3SVC/1/ROOT/Application.TestHarness.Blah-1-130676061695261461</AppDomain><Exception><ExceptionType>System.ServiceModel.Security.SecurityNegotiationException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>Could not establish secure channel for SSL/TLS with authority 'test-bolt.homesite.com'.</Message><StackTrace>   at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp;amp; msgData, Int32 type)
   at Application.TestHarness.IntegrationService.QuickQuote()

服务配置：

<system.serviceModel>
<behaviors>
  <serviceBehaviors>
    <behavior name="WebBehavior">
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="false" />
    </behavior>
  </serviceBehaviors>
</behaviors>

<services>
  <service name="Service.Namwe" behaviorConfiguration="WebBehavior">
    <endpoint address=""
              binding="wsHttpBinding"
              bindingConfiguration="transportSecurity"
              contract="Service.IContract"/>
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
  </service>
</services>
<bindings>
  <wsHttpBinding>
    <binding name="transportSecurity">
      <security mode="Transport">
        <transport clientCredentialType="Certificate"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />

客户端配置：

<system.serviceModel>
<bindings>
  <wsHttpBinding>
    <binding name="transportSecurity">
      <security mode="Transport">
        <transport clientCredentialType="Certificate"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<behaviors>
  <endpointBehaviors>
    <behavior name ="defaultClientCertificate">
      <clientCredentials>
        <clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="hostname.com"/>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
<client>
  <endpoint name="boltService" behaviorConfiguration="defaultClientCertificate"
            address="https://hostname.com/Service/Integration.svc"
            binding="wsHttpBinding"
            bindingConfiguration="transportSecurity"
            contract="ServiceRef.IServiceContract" />
</client>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />

任何建议将不胜感激。

【问题讨论】：

只是为了验证一下，当您打开证书管理单元时，您会在个人商店中看到本地计算机下的证书，其名称与配置的名称相同？

是的，我确实在 localmachine 上的个人下看到了它，并且在查看证书时它已经过身份验证（购买了真正的证书，所以我没有创建它）

证书增强密钥用法是否设置为客户端身份验证？

既是客户端认证又是服务器认证

您从服务器机器获得的请求状态是什么？是403吗？还有子状态吗？

【参考方案1】：

我弄清楚我的问题是什么。运行服务的应用程序池无权访问证书。我假设因为我将它卡在 IIS 中，所以所有应用程序池都可以访问（不是这种情况）。万一有人发现这个并且有一个类似的问题，我最终发现并解决了它。 https://msdn.microsoft.com/en-us/library/aa702621.aspx 如果您更喜欢 GUI 而不是命令行工具，您也可以在 MMC 中执行此操作。

【讨论】：

FFS。浪费了两天时间试图弄清楚那个被上帝遗忘的信息试图暗示什么。重建、重新发布、需要新证书等，三次。然后，将 AppPool 标识更改为 Network Service 和 poof，完成。

【参考方案2】：

我有同样的问题，并用这段代码解决了问题；

ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;

或者试试这个代码

ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;

【参考方案3】：

在管理员模式下运行 Visual Studio 为我解决了这个问题。