In my self-hosted WCF web service, which uses mutual certificate authentication to verify the client, I set CertificateValidationMode = PeerTrust, but it seems to be ignored, since I can still execute methods with a client whose certificate I deleted from the server's TrustedPeople store.
Here is an example host:
    using System;
    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel;
    using System.ServiceModel.Security;

    static void Main()
    {
        var httpsUri = new Uri("https://192.168.0.57:xxx/HelloServer");
        // Transport (HTTPS) security; the client must present a certificate.
        var binding = new WSHttpBinding
        {
            Security =
            {
                Mode = SecurityMode.Transport,
                Transport = { ClientCredentialType = HttpClientCredentialType.Certificate }
            }
        };
        var host = new ServiceHost(typeof(HelloWorld), httpsUri);
        // PeerTrust: the client certificate itself must be in the TrustedPeople store.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
        host.AddServiceEndpoint(typeof(IHelloWorld), binding, string.Empty, httpsUri);
        // Server certificate, looked up by subject name in LocalMachine\My.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine,
            StoreName.My,
            X509FindType.FindBySubjectName,
            "server.com");
        host.Open();
        Console.WriteLine("Listening on {0}...", httpsUri);
        Console.ReadLine();
        host.Close();
    }
Client application:
    using System;
    using System.Net;
    using System.Security.Cryptography.X509Certificates;

    static void Main(string[] args)
    {
        try
        {
            var c = new HelloWorld.HelloWorldClient();
            // Accepts any server certificate, i.e. server certificate validation is disabled on the client.
            ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, error) => true;
            // Client certificate, looked up by subject name in LocalMachine\My.
            c.ClientCredentials.ClientCertificate.SetCertificate(
                StoreLocation.LocalMachine,
                StoreName.My,
                X509FindType.FindBySubjectName,
                "client.com");
            Console.WriteLine(c.GetIp());
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }
        Console.ReadKey();
    }
I created server.com and client.com from a RootCA certificate. This RootCA certificate is installed in the trusted root store of both the client and the server. My question is: I should not be able to execute the GetIp() method if my client.com certificate is not in the server's TrustedPeople store, right? But it runs without problems.
PS: MSDN says: "The server's certificate must be trusted by the client and the client's certificate must be trusted by the server."
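An added diagnostic, not part of the question above, for checking on the server which trust condition the client certificate actually satisfies: PeerTrust requires the exact certificate to be present in the TrustedPeople store, while ChainTrust only requires a chain to a trusted root such as the RootCA described in the question. It assumes a C# console program run on the server machine with the certificate in LocalMachine\My; the subject name "client.com" is taken from the question.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class CertTrustCheck
{
    // Prints whether the certificate would pass PeerTrust and/or ChainTrust on this machine.
    static void Main(string[] args)
    {
        string subjectName = args.Length > 0 ? args[0] : "client.com"; // subject from the question
        X509Certificate2 cert = FindInStore(StoreName.My, StoreLocation.LocalMachine, subjectName);
        if (cert == null) { Console.WriteLine("Certificate not found in LocalMachine\\My"); return; }

        // PeerTrust: the exact certificate (by thumbprint) must be in TrustedPeople.
        bool peerTrusted = IsInStore(StoreName.TrustedPeople, StoreLocation.LocalMachine, cert)
                        || IsInStore(StoreName.TrustedPeople, StoreLocation.CurrentUser, cert);

        // ChainTrust: the certificate must chain to a trusted root. Revocation checking is
        // skipped so the result does not depend on network access to the CA.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool chainTrusted = chain.Build(cert);

        Console.WriteLine("Thumbprint: {0}", cert.Thumbprint);
        Console.WriteLine("PeerTrust:  {0}", peerTrusted);
        Console.WriteLine("ChainTrust: {0}", chainTrusted);
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine("  chain status: {0} ({1})", s.Status, s.StatusInformation.Trim());
    }

    // Returns the first certificate in the given store whose subject matches, or null.
    static X509Certificate2 FindInStore(StoreName name, StoreLocation location, string subjectName)
    {
        var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var matches = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, false);
            return matches.Count > 0 ? matches[0] : null;
        }
        finally { store.Close(); }
    }

    // True if a certificate with the same thumbprint exists in the given store.
    static bool IsInStore(StoreName name, StoreLocation location, X509Certificate2 cert)
    {
        var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly);
        try { return store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false).Count > 0; }
        finally { store.Close(); }
    }
}
```

If the output shows PeerTrust false but ChainTrust true after removing client.com from TrustedPeople, the server is accepting the client on the strength of the shared RootCA rather than on the PeerTrust setting.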