WCF + Client Certificate Authentication

I am running a WCF service that should only accept clients that can authenticate themselves using an SSL client certificate. As the security mode I use Transport security. The authentication process is required to use PeerTrust. Unfortunately, Transport security is not compatible with PeerTrust, which means ChainTrust is always the mode that gets used. In that case every client is trusted that has a certificate signed by a certification authority stored in my "Trusted CA Store". This is not the behavior I need.

I tried to fix this with a custom certificate validator. It seems to work: I get a callback with the certificate and can check whether I trust it or not.

My problem is that I am not sure of the state the certificate is in when it is passed to the Validate method of the custom validator. Normally SSL checks, when a client certificate is presented, whether the client holds the corresponding private key. In other words, my problem is that I am not sure whether the client I am communicating with is the client I think it is.

<serviceBehaviors>
  <behavior name="sslbehaviour">
    <serviceMetadata httpsGetEnabled="true" />
    <serviceDebug includeExceptionDetailInFaults="true" />
    <serviceThrottling maxConcurrentSessions="2000000000"
                       maxConcurrentCalls="2000000000"
                       maxConcurrentInstances="2000000000" />
    <serviceCredentials>
      <clientCertificate>
        <authentication certificateValidationMode="Custom"
                        customCertificateValidatorType="Package.MyX509CertificateValidator, server" />
      </clientCertificate>
    </serviceCredentials>
  </behavior>
</serviceBehaviors>

Other approaches to get PeerTrust-style client validation are also welcome.

Regards, Michael

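The configuration above names Package.MyX509CertificateValidator in an assembly called "server" but the post does not show the class. The following is an added example, not the poster's code, of what such a validator looks like when it reproduces PeerTrust semantics under Transport security: the client is accepted only if the exact certificate it presented is installed in the LocalMachine TrustedPeople store (the store WCF's built-in PeerTrust mode consults), so a certificate merely signed by a CA in the trusted root store is rejected. Proof that the client holds the matching private key is not the validator's job; in TLS client authentication the handshake's CertificateVerify step performs that check before the certificate ever reaches Validate, which is the part of the question the callback itself cannot answer. The store location and the byte-for-byte comparison are design choices of this example, not requirements of WCF.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

namespace Package
{
    /// <summary>
    /// Custom WCF client-certificate validator (example code) that behaves like PeerTrust:
    /// only certificates installed in the TrustedPeople store are accepted, regardless of
    /// which CA issued them. Any failure throws SecurityTokenValidationException, which WCF
    /// turns into a rejected client.
    /// </summary>
    public class MyX509CertificateValidator : X509CertificateValidator
    {
        private readonly StoreLocation _location;

        // Assumption of this example: peers are registered in LocalMachine\TrustedPeople.
        public MyX509CertificateValidator() : this(StoreLocation.LocalMachine) { }

        public MyX509CertificateValidator(StoreLocation location)
        {
            _location = location;
        }

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            // Pinning alone says nothing about validity; reject expired or not-yet-valid
            // certificates even when they are in the store. NotBefore/NotAfter are local time.
            DateTime now = DateTime.Now;
            if (now < certificate.NotBefore || now > certificate.NotAfter)
                throw new SecurityTokenValidationException(
                    "Client certificate " + certificate.Thumbprint + " is outside its validity period.");

            // Fail closed: anything not explicitly trusted is rejected, whoever signed it.
            if (!IsTrustedPeer(certificate))
                throw new SecurityTokenValidationException(
                    "Client certificate " + certificate.Thumbprint + " is not a trusted peer.");
        }

        private bool IsTrustedPeer(X509Certificate2 presented)
        {
            var store = new X509Store(StoreName.TrustedPeople, _location);
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            try
            {
                // Look up by thumbprint, then compare the full DER encoding so trust is tied
                // to the exact certificate rather than to its hash alone.
                X509Certificate2Collection matches = store.Certificates.Find(
                    X509FindType.FindByThumbprint, presented.Thumbprint, validOnly: false);

                return matches.Cast<X509Certificate2>()
                    .Any(trusted => trusted.RawData.SequenceEqual(presented.RawData));
            }
            finally
            {
                store.Close();
            }
        }
    }
}
```

With this class compiled into the assembly referenced as "server", the existing `<authentication certificateValidationMode="Custom" customCertificateValidatorType="Package.MyX509CertificateValidator, server" />` element wires it in unchanged. The validator only decides whether a certificate is trusted; the private-key check the question worries about has already happened in the TLS layer by the time WCF calls Validate, so the certificate object handed in is the one the connecting client proved it owns.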

Source: https://habr.com/ru/post/1398185/

