
SSL Server Cert Present One name for WCF?

I have a self-hosted WCF service with TCP binding, now trying to layer on SSL.

The cert I got from the CA has two values for "Subject Alternative Name":

www.mysite.com
mysite.com

I only want to present "mysite.com" to WCF clients, somehow this www.mysite.com (which the CA added, I did not ask for www.mysite.com).

I am using the below code server-side. What do I have to tweak to "hide" the www.mysite.com address?

svc.Credentials.ServiceCertificate.SetCertificate(
    StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "mysite.com");

So right now when the client connects, I get

"Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'mysite.com' but the remote endpoint provided DNS claim 'www.mysite.com'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'www.mysite.com' as the Identity property of EndpointAddress when creating channel proxy."

I don't want the client to know anything about www.mysite.com. I only want them to use what the server presents, and I want the server to only present mysite.com.


Why do you want to hide it? A certificate with SAN alternatives means it is valid for all of those FQDNs, so it will work on both www.mysite.com and mysite.com.

Additionally from the looks of your call to SetCertificate the subject name of the certificate is what you want, mysite.com and that's what's checked first.

The full text of the error message comes in the form of

Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'X' but the remote endpoint provided DNS claim 'Y'

Now this has nothing to do with the certificate, but with the host that IIS is configured for, or, in the case of self hosting, the host/machine Windows is configured to be. You can override the host that WCF will use by adding a new configuration setting for the endpoint:

<identity>
    <dns value="mysite.com"/>
</identity>

or setting it in code when you create the endpoint.

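The two knobs discussed above, the server-side certificate selection and the client-side DNS identity, shown together in code. This is an added example, not code from the question or the answer: the contract IEchoService, the host name mysite.com, port 8443 and the thumbprint placeholder are all assumptions to be replaced with your own values.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Added example (not code from the original question or answer). Assumes a
// placeholder contract IEchoService, host name mysite.com, port 8443 and a
// certificate thumbprint; replace all of these with your own values.
[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEchoService
{
    public string Echo(string text) => text;
}

public static class TcpSslExample
{
    // Transport security over net.tcp: the server authenticates with its X.509
    // certificate; anonymous clients are accepted here (adjust to your needs).
    private static NetTcpBinding MakeBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;
        return binding;
    }

    public static ServiceHost StartServer()
    {
        var host = new ServiceHost(typeof(EchoService), new Uri("net.tcp://localhost:8443/"));
        host.AddServiceEndpoint(typeof(IEchoService), MakeBinding(), "Echo");

        // FindBySubjectName is a substring match, so "mysite.com" would also
        // select a certificate whose subject contains "www.mysite.com".
        // Pinning by thumbprint selects exactly one certificate.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindByThumbprint, "<THUMBPRINT-PLACEHOLDER>");

        host.Open();
        return host;
    }

    public static string CallServer()
    {
        // The DNS identity the client expects defaults to the host in the URI.
        // Setting it explicitly is the code equivalent of <identity><dns value="..."/></identity>
        // in the client endpoint config, and it must name a DNS identity that the
        // server's certificate actually presents, or the identity check fails.
        var address = new EndpointAddress(
            new Uri("net.tcp://mysite.com:8443/Echo"),
            EndpointIdentity.CreateDnsIdentity("mysite.com"));

        var factory = new ChannelFactory<IEchoService>(MakeBinding(), address);
        IEchoService proxy = factory.CreateChannel();
        try
        {
            return proxy.Echo("hello");
        }
        finally
        {
            ((ICommunicationObject)proxy).Close();
            factory.Close();
        }
    }
}
```

The identity check is the client refusing to talk to a server whose presented DNS claim differs from the one it expects, so the fix is to make the two agree rather than to suppress the check: either pick the certificate whose presented name is the one clients expect, or set the expected identity on the client to a name the certificate really carries.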