在我的WCF自托管WebService使用相互证书验证客户端,我设置CertificateValidationMode = PeerTrust但它似乎被忽略,因为我仍然可以执行某些客户端的方法,我删除了TrustedPeople服务器存储的相应证书.

继承人主持人的例子：

  static void Main()
    {
        var httpsUri = new Uri("https://192.168.0.57:xxx/HelloServer");
        var binding = new WSHttpBinding
        {
            Security =
            {
                Mode = SecurityMode.Transport,
                Transport = {ClientCredentialType = HttpClientCredentialType.Certificate}
        };         

        var host = new ServiceHost(typeof(HelloWorld), httpsUri);

        //This line is not working
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =X509CertificateValidationMode.PeerTrust;

        host.AddServiceEndpoint(typeof(IHelloWorld), binding, string.Empty, httpsUri);

        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine,
            StoreName.My,
            X509FindType.FindBySubjectName,
            "server.com");

        // Open the service.
        host.Open();
        Console.WriteLine("Listening on {0}...", httpsUri);
        Console.ReadLine();

        // Close the service.
        host.Close();
    }

客户端应用：

 static void Main(string[] args)
    {
        try
        {
            var c = new HelloWorld.HelloWorldClient();
            ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, error) => true;
            c.ClientCredentials.ClientCertificate.SetCertificate(
              StoreLocation.LocalMachine,
              StoreName.My,
              X509FindType.FindBySubjectName,
              "client.com");

            Console.WriteLine(c.GetIp());
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }
        Console.ReadKey();           
    }

我使用RootCA证书生成server.com和client.com.此RootCA证书在客户端和服务器的受信任根存储上进行.
问题是,如果我的client.com证书不在服务器的TrustedPeople存储中,我不应该执行GetIp()方法,对吧？但我执行它没有任何问题.

问题是,在这种情况下,如何验证客户端证书将其公钥置于服务器的TrustedPeople上？

ps：在带有客户端证书的this MSDN运输安全性文章中,有一句话说客户端必须信任服务器的证书,服务器必须信任客户端的证书.但即使客户端证书不在服务器TrustedPeople存储中,我也可以从客户端执行web方法.

最佳答案 我的建议是使用
custom validation.这样您就可以设置一些断点并观察验证,并根据整个验证过程中可用的数据查看您可以提出的其他验证选项.

首先确保您的绑定需要Message Client Credentials证书.如果您仅使用证书进行传输,则我的测试中的客户端不会进行验证.仅这一点可能会解决您的问题.

binding.Security.Mode = SecurityMode.TransportWithMessageCredential;
binding.Security.Message.ClientCredentialType =
        MessageCredentialType.Certificate;

要设置自定义验证器,请遵循其余部分.

更换：

host.Credentials.ClientCertificate.Authentication.CertificateValidationMode 
        =X509CertificateValidationMode.PeerTrust;

附：

host.Credentials.ClientCertificate.Authentication.CertificateValidationMode 
        =X509CertificateValidationMode.Custom;

host.Credentials.ClientCertificate.Authentication.CustomCertificateValidator =
        new IssuerNameCertValidator("CN=client.com");

然后添加此项以创建自定义验证器并根据需要进行调整(此验证基于Issuer验证)：

public class IssuerNameCertValidator : X509CertificateValidator
{
    string allowedIssuerName;

    public IssuerNameCertValidator(string allowedIssuerName)
    {
        if (allowedIssuerName == null)
        {
            throw new ArgumentNullException("allowedIssuerName");
        }

        this.allowedIssuerName = allowedIssuerName;
    }

    public override void Validate(X509Certificate2 certificate)
    {
        // Check that there is a certificate.
        if (certificate == null)
        {
            throw new ArgumentNullException("certificate");
        }

        // Check that the certificate issuer matches the configured issuer.
        if (allowedIssuerName != certificate.IssuerName.Name)
        {
            throw new SecurityTokenValidationException
              ("Certificate was not issued by a trusted issuer");
        }
    }
}