.net 如何在 C# 中通过 HTTPS 使用 SOAP 服务?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4810070/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to consume a SOAP service over HTTPS in C#?
提问by Tommaso
Webservice administrator gave me WSDL, two certificates and a private key:
Webservice 管理员给了我 WSDL、两个证书和一个私钥:
service.wsdl
ssl.cer
auth_cert.pem
auth_private_key.pem
In Visual Studio 2010I added a Web Reference (Service Reference didn't work) from the WSDL. Then I tried to use it as it was an http soap client:
在Visual Studio 2010 中,我从 WSDL 添加了一个 Web 引用(服务引用不起作用)。然后我尝试使用它,因为它是一个 http soap 客户端:
MySoapClient client = new MySoapClient();
client.Operation();
and I obtain this stack trace:
我获得了这个堆栈跟踪:
Unhandled Exception: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
What I have to do with certificates and private key?
I can't find any tutorial online nor books that covers this matter. Any hint?
我与证书和私钥有什么关系?
我在网上找不到任何教程,也找不到涵盖此问题的书籍。任何提示?
Update
更新
Accessing the endpoint with Firefox:
使用Firefox访问端点:
SSL peer cannot verify your certificate. (Error code: ssl_error_bad_cert_alert)
SSL 对等方无法验证您的证书。(错误代码:ssl_error_bad_cert_alert)
回答by UserControl
Webservice administrator gave me WSDL, two certificates and a private key
Webservice 管理员给了我 WSDL、两个证书和一个私钥
If you only consume the service the private key is not required. I can guess you want 2-way authentication with https. If this is the case here is how it works:
如果您只使用该服务,则不需要私钥。我可以猜到您想要使用 https 进行 2 向身份验证。如果是这种情况,它是如何工作的:
On the server the admin should install the cert with a private key to enable SSL (the key is used during SSL handshake). Its public key is used by your client to check if the cert is valid and to authenticate the service, so on the client side you somehow need to check it. If both machines are in Windows domain this is easy (it can be configured to use domain Certification Authority). If not, you need all the certs that were used to sign the original server cert to be installed on the client machine (in Trusted Root CA storage).
在服务器上,管理员应该使用私钥安装证书以启用 SSL(密钥在 SSL 握手期间使用)。您的客户端使用它的公钥来检查证书是否有效并验证服务,因此在客户端您需要以某种方式检查它。如果两台机器都在 Windows 域中,这很容易(可以将其配置为使用域证书颁发机构)。如果没有,您需要将用于签署原始服务器证书的所有证书安装在客户端计算机上(在受信任的根 CA 存储中)。
The second part is client authentication to the server. You install the client cert (it contains public key) to Personal storage and configure WCF proxy to use it:
第二部分是客户端对服务器的身份验证。您将客户端证书(它包含公钥)安装到个人存储并配置 WCF 代理以使用它:
<behaviors>
<endpointBehaviors>
<behavior name="certSecureBehavior">
<clientCredentials>
<clientCertificate findValue="client-CN" storeLocation="LocalMachine" x509FindType="FindBySubjectName" storeName="My"/>
<serviceCertificate>
<defaultCertificate findValue="server-CN" storeLocation="LocalMachine" x509FindType="FindBySubjectName" storeName="TrustedPeople"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
Configure you endpoint to use this behavior. A few notes:
配置您的端点以使用此行为。一些注意事项:
- client-CN is a name the client cert is generated for (not so important)
- server-CN is a name the server cert is generated for (usually the server DNS name)
- client-CN 是生成客户端证书的名称(不那么重要)
- server-CN 是为其生成服务器证书的名称(通常是服务器 DNS 名称)
This is very complex topic and always require lot of time to research. Check this article http://blogs.msdn.com/b/imayak/archive/2008/09/12/wcf-2-way-ssl-security-using-certificates.aspxHope this help.
这是一个非常复杂的话题,总是需要大量时间来研究。检查这篇文章http://blogs.msdn.com/b/imayak/archive/2008/09/12/wcf-2-way-ssl-security-using-certificates.aspx希望这有帮助。
回答by Brian Lyttle
The admin seems to have given you the files used to setup SSL on the server. You should be be able to run service.wsdl through WSDL.exe to generate a C# proxy, which is what VS does when you add a Web Reference. I don't think this is your problem though. You are seeing a network level issue since the exception is a System.Net.WebException.
管理员似乎给了您用于在服务器上设置 SSL 的文件。您应该可以通过 WSDL.exe 运行 service.wsdl 来生成 C# 代理,这就是 VS 添加 Web 引用时所做的。我不认为这是你的问题。由于异常是 System.Net.WebException,因此您看到了网络级别的问题。
The other files look like they are what the admin was using to add SSL to the server. By sharing the private key he may have compromised the security if any SSL-enabled services using this key. You should look for any service end points in the WSDL and try to access those in your browser over SSL (https://). If you cannot then there is a server configuration issue. Correct the SSL configuration on the server and your WSDL should work, or at least you''ll have a new issue.
其他文件看起来像是管理员用来向服务器添加 SSL 的文件。如果任何启用 SSL 的服务使用此密钥,则通过共享私钥,他可能会损害安全性。您应该在 WSDL 中查找任何服务端点,并尝试通过 SSL (https://) 在浏览器中访问这些端点。如果不能,则是服务器配置问题。更正服务器上的 SSL 配置,您的 WSDL 应该可以工作,或者至少您会遇到新问题。
