c# - WCF TLS 向后兼容性

问题描述

我有一个 WCF 服务，它当前接受具有 MD5 加密（与 TLS 1.1 兼容）的证书，以及一个能够使用上述证书使用该服务的客户端。

但是，我们希望使用新证书 (SHA-1 encrpytion) 升级到 TLS1.2，并且能够接受这两个证书以实现向后兼容性。

有什么办法可以做到这一点？

WCF 服务在配置文件中配置如下：

<system.serviceModel>
<services>
  <service name="MyService" behaviorConfiguration="ServiceBehavior">
    <host>
      <baseAddresses>
        <add baseAddress="net.Tcp://localhost:8004" />
        <add baseAddress="http://localhost:8006" />
      </baseAddresses>
    </host>
    <!-- Service Endpoints -->
    <endpoint address="SomeService" binding="netTcpBinding" bindingConfiguration="netTcpBindingConf" contract="IService">
      <identity>
        <dns value="ServerCertificate" />
      </identity>
    </endpoint>
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
  </service>
</services>
<client>
  <endpoint address="net.Tcp://localhost:8001/AnotherService" behaviorConfiguration="ClientBehavior" binding="netTcpBinding" bindingConfiguration="netTcpBindingConf" contract="IService" name="IRACService">
    <identity>
      <dns value="ServerCertificate" />
    </identity>
  </endpoint>
</client>
<behaviors>
  <serviceBehaviors>
    <behavior name="ServiceBehavior">
      <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
      <serviceMetadata httpGetEnabled="false" />
      <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceCredentials>
        <serviceCertificate findValue="ServerCertificate" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
        <clientCertificate>
          <certificate findValue="ClientCertificate" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
          <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />
        </clientCertificate>
      </serviceCredentials>
      <serviceThrottling maxConcurrentCalls="1000" maxConcurrentInstances="1000" maxConcurrentSessions="1000" />
      <dataContractSerializer maxItemsInObjectGraph="2147483647" />
    </behavior>
  </serviceBehaviors>
  <endpointBehaviors>
    <behavior name="ClientBehavior">
      <clientCredentials>
        <clientCertificate findValue="ClientCertificate" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
        <serviceCertificate>
          <defaultCertificate findValue="ServerCertificate" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
          <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
<bindings>
  <netTcpBinding>
    <binding name="netTcpBindingConf" closeTimeout="00:11:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxReceivedMessageSize="2147483647" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxConnections="1000" openTimeout="00:20:00">
      <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
      <reliableSession ordered="true" inactivityTimeout="00:15:00" />
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="Certificate" algorithmSuite="Default" />
        <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
      </security>
    </binding>
  </netTcpBinding>
</bindings>

客户端在配置文件中配置如下：

  <system.serviceModel>
<bindings>
  <netTcpBinding>
    <binding name="bindingConfigName" closeTimeout="00:10:00" openTimeout="00:40:00" receiveTimeout="00:32:00" sendTimeout="00:10:00" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="2147483647">
      <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
      <reliableSession ordered="true" inactivityTimeout="00:10:00" />
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="Certificate" algorithmSuite="Default" />
        <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
      </security>
    </binding>
  </netTcpBinding>
</bindings>
<client>
  <endpoint address="net.Tcp://localhost:8004/SomeService" behaviorConfiguration="ClientBehavior" binding="netTcpBinding" bindingConfiguration="bindingConfigName" contract="IService" name="ISomeService">
    <identity>
      <dns value="ServerCertificate" />
    </identity>
  </endpoint>
  <endpoint address="net.Tcp://localhost:8004/SomeService" behaviorConfiguration="ClientBehavior" binding="netTcpBinding" bindingConfiguration="bindingConfigName" contract="IService" name="ISomeService2">
    <identity>
      <dns value="ServerCertificate" />
    </identity>
  </endpoint>
</client>
<behaviors>
  <endpointBehaviors>
    <behavior name="ClientBehavior">
      <clientCredentials>
        <clientCertificate findValue="ClientCertificate" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
        <serviceCertificate>
          <defaultCertificate findValue="ServerCertificate" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
          <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />
        </serviceCertificate>
      </clientCredentials>
      <dataContractSerializer maxItemsInObjectGraph="2147483647" />
    </behavior>
  </endpointBehaviors>
</behaviors>

标签： c#wcf