【1】错误信息:
Could not establish trust relationship for the SSL/TLS secure channel with authority 'computer:9001'.
不能和授权计算机为 SSL/TLS 安全通道建立信任关系.
WCF中文论坛问题连接: http://social.microsoft.com/Forums/zh-CN/wcfzhchs/thread/1591a00d-d431-4ad8-bbd5-34950c39d563
错误截图:
【2】配置信息:
2.1服务端配置:
服务端设置证书,不采用客户端安全认证。安全方式是传输安全。服务端配置信息如下:
< service behaviorConfiguration = " WCFService.WCFServiceBehavior " name = " WCFService.WCFService " >
< endpoint
address = " WCFService "
binding = " wsHttpBinding "
bindingConfiguration = " BasicWithTransport "
contract = " WCFService.IWCFService " >
</ endpoint >
< endpoint address = " mex " binding = " mexHttpsBinding " contract = " IMetadataExchange " />
< host >
< baseAddresses >
< add baseAddress = " https://computer:9001/ " />
</ baseAddresses >
</ host >
</ service >
</ services >
< behaviors >
< serviceBehaviors >
< behavior name = " WCFService.WCFServiceBehavior " >
< serviceMetadata httpsGetEnabled = " true " />
< serviceDebug includeExceptionDetailInFaults = " false " />
< serviceCredentials >
< serviceCertificate storeName = " My " x509FindType = " FindBySubjectName " findValue = " WCFHTTPS " storeLocation = " LocalMachine " />
</ serviceCredentials >
</ behavior >
</ serviceBehaviors >
</ behaviors >
< bindings >
< wsHttpBinding >
< binding name = " BasicWithTransport " >
< security mode = " Transport " >
< transport clientCredentialType = " None " />
</ security >
</ binding >
</ wsHttpBinding >
</ bindings >
客户端添加服务引用后,直接实例化类调用WCF服务,结果就出现不能为SSL建立信任关系错误。
WCFClient.ClientProxy.WCFServiceClient wcfServiceProxyHttp = new WCFClient.ClientProxy.WCFServiceClient( " WSHttpBinding_IWCFService " );
// 通过代理调用SayHello服务
string sName = " Frank Xu Lei WSHttpBinding " ;
string sResult = string .Empty;
sResult = wcfServiceProxyHttp.SayHello(sName);
【3】问题分析:
Could not establish trust relationship for the SSL/TLS secure channel with authority 'computer:9001'.
不能和授权计算机为 SSL/TLS 安全通道建立信任关系.
实际原因和证书有很大关系,这里证书是跟证书颁发机构信任的证书,在客户端和服务端建立安全会话的时候,无法信任此证书。
另外一个可能的原因是你其他域里也使用此一个证,这个也有可能导致错误。
【4】解决办法:
3.1:定义一个类,来对远程X.509证书的验证,进行处理,返回为true.我们要自己定义一个类,然后在客户单调用WCF服务之前,执行一次即可。代码如下:
{
/// <summary>
/// Sets the cert policy.
/// </summary>
public static void SetCertificatePolicy()
{
ServicePointManager.ServerCertificateValidationCallback
+= RemoteCertificateValidate;
}
/// <summary>
/// Remotes the certificate validate.
/// </summary>
private static bool RemoteCertificateValidate(
object sender, X509Certificate cert,
X509Chain chain, SslPolicyErrors error)
{
// trust any certificate!!!
System.Console.WriteLine( " Warning, trust any certificate " );
return true ;
}
}
你要在调用操作点先调用这个方法: Util.SetCertificatePolicy();
sResult = wcfServiceProxyHttp.SayHello(sName);
3.2:就是需要你在客户端和服务端各安装一个跟证书授权机构。然后制作一受信任的根证书机构的证书。可以参考这个:
http://www.codeplex.com/WCFSecurity/Wiki/View.aspx?title=How%20To%20-%20Create%20and%20Install%20Temporary%20Certificates%20in%20WCF%20for%20Message%20Security%20During%20Development&referringTitle=How%20Tos
【5】总结:
对Windows Server服务器产品开发部署WCF服务的时候才采用的第二种机制。需要授权的证书机构颁发的证书。对于普通的学习第一种方式就可以了。
WCF安全开发编程实践,是一个比较复杂的过程,除了需要掌握基本的安全知识以外,要需要熟练运用各种证书制作,安装、SSL证书httpcfg.配置等工具。在Windows Server2003,Vitsa系统下差别还很大,普通的XP系统下开发学习更是需要安装一写服务,而且调试过程也比较繁琐,一旦有点配置不对,就会出现异常。需要耐心去学习。
参考资料:
1.http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/bb0fc194-5bf3-4c24-94bb-c86f94c76bc2
2.http://www.codemeit.com/wcf/wcf-could-not-establish-trust-relationship-for-the-ssltls-secure-channel-with-authority.html
【老徐的博客】
【作 者】:Frank Xu Lei
【地 址】:http://www.cnblogs.com/frank_xl/
【中文论坛】:微软WCF中文技术论坛
【英文论坛】:微软WCF英文技术论坛