问题
I've got a problem consuming a Soap Web Service(w/att.) and MTOM that requires client certificate authentication (mutual?).
Before writing what i've already tried i show you what i did in order to receive a client certificate:
- I've generated a RSA key with
openssl command openssl genrssa -out mykey.key 2048 - With this key i've generated a CSR:
openssl req -new -key mykey.key -out mycsr.csr - I've sent this CSR to the web service owner in order to receive a client certificate, and they gave me a signed certificate: certificate.cer
Now that i've got my client certificate i've added it in my certificate store under Trusted Root Certification Authority.
Now the code:
First of all i created a Test Project in Visual Studio and i added a Service Reference using the WSDL of the service.
Then i wrote few lines of code:
' Setting TLS 1.2 protocol '
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
ServicePointManager.ServerCertificateValidationCallback = Function(sender1, certificate, chain, sslPolicyErrors)
Return True
End Function
'Creating endpoint and binding'
Dim endpoint As EndpointAddress = New EndpointAddress("https://myWebService.it/service-page")
Dim sslBinding As BasicHttpBinding = New BasicHttpBinding(BasicHttpSecurityMode.Transport)
'Setting CredentialType = Certificate'
sslBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate
'Getting the client certificate from the store'
Dim coll = New X509Store(StoreName.My, StoreLocation.CurrentUser)
coll.Open(OpenFlags.ReadOnly)
Dim cert = coll.Certificates.Find(X509FindType.FindByThumbprint, "76DB1454D4B25ACEAF2BAE465C310E3119278792", True)
'Creating the service'
Dim svc As SdITrasmissioneFileClient = New SdITrasmissioneFileClient(sslBinding, endpoint)
'Setting the certificate inside client credentials'
svc.ClientCredentials.ClientCertificate.Certificate = cert(0)
svc.Open()
'Calling the service'
Dim resp As RispostaEsito_Type = svc.Esito(New Esito_Type() With {.IDFile = "4454555"})
svc.Close()
It looks very simple to me, but when i execute my code i get a
System.ServiceModel.Security.MessageSecurityException: 'The HTTP request was forbidden with client authentication scheme 'Anonymous'.'
Internal Exception: WebException: Remote Server Error: (403) Forbidden
Next i analyzed traffic using Fiddler and Wireshark and i discovered that, during TLS handshake between client and server, the client doesn't send the certificate to the server.
Now i don't understand the reason why, even if i added the certificate to client credentials, it is not sent to the destination.
回答1:
After a lot of readings, i discovered what i was missing:
- The Client Certificate .cer doesn't contain the private key!
What i did:
I converted .cer file in PEM format with the following command:
openssl x509 -inform der -in ClientCert.cer -out ClientCert.pem
I created a .pfx certificate with my private key:
openssl pkcs12 -export -in ClientCert.pem -inkey mykey.key -out ClientCert.pfx
Then installing .pfx certificate everything works like a charm.
I hope somebody find it usefull.
来源:https://stackoverflow.com/questions/46559467/503-error-consuming-thirdy-part-soap-webservice-using-tls-1-2-and-client-certifi