daohualiuxiang
/
dotnet
mirror of https://github.com/microsoft/dotnet.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Alicial/net472 wcfcompatdoc (#658) 

* Add WCF compat doc for bug#516393

* Minor updates to address review feedbacks

* Minor update to address review feedback

* updates to address Ron's review feedbacks

* Minor updates per Ron's review feedbacks
pull/676/head
Alicia Li 2018-03-14 12:48:09 -07:00 committed by Ron Petrusha
parent 5ea44eae98
commit 39028184d5
1 changed files with 33 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
Documentation/compatibility/WCF-Improved-WCF-chain-trust-certificate-validation-for-Net.Tcp-certificate-authentication.md 100644
View File

@ -0,0 +1,33 @@
## Improved WCF chain trust certificate validation for Net.Tcp certificate authentication
### Scope
Minor
### Version Introduced
4.7.2
### Source Analyzer Status
NotPlanned
### Change Description
.NET Framework 4.7.2 improves chain trust certificate validation when using certificate authentication with transport security with WCF. With this improvement, client certificates that are used to authenticate to a server must be configured for client authentication. Similarly server certificates that are for the authenticating a server must be configured for server authentication. With this change, if the root certificate is disabled, the certificate chain validation fails. The same change was also made to .NET Framework 3.5 and later versions via Windows security roll-up. You can find more information [here](https://support.microsoft.com/en-us/help/4055269/security-only-update-for-net-framework-3-5-1-4-5-2-4-6-4-6-1-4-6-2-4-7).
This change is on by default and can be turned off by a configuration setting.
### Recommended Action
- Validate if your server and client certification has the required EKU OID. If not, update your certification.
- Validate if your root certificate is invalid. If so, update the root certificate.
- How to opt out of the change:
If you can't update the certificate, you can work around the breaking change temporarily with the following configration setting, However, opting out of the change will leave your system vulnerable to the security issue.
```xml
<appSettings>
<add key="wcf:useLegacyCertificateUsagePolicy" value="true" />
</appSettings>
```
### Affected APIs
* Not detectable via API analysis
### Category
Runtime