I have a WCF ServiceHost secured with an X509Certificate
Credentials.ServiceCertificate.Certificate = certificate;
and a custom client certificate validator:
Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.Custom;
Credentials.ClientCertificate.Authentication.CustomCertificateValidator = new CustomX509CertificateValidator();
The InstanceContextMode and ConcurrencyMode are their default values, PerSession and Single.
My endpoint uses Transport security and requires a client certificate:
BasicHttpBinding binding = new BasicHttpBinding();
binding.Security.Mode = BasicHttpSecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
AddServiceEndpoint(typeof(...), binding, endpoint);
I want (and expect) the custom client certificate validator to be called once, during the SSL handshake upon a new connection, but it's being called on every message received.
The client-side WCF trace log shows significant traffic, including a 4-second delay when the very first message is sent; I assume that's the SSL handshake, cipher negotiation and key exchange, but I cannot see the bytes.
There is no corresponding delay when the second message is sent, a few seconds later, so I assume I have a secured session and the client's certificate is not being sent.
But the custom client certificate validator is still being called!
What the heck am I doing wrong?!


Now that we understand service instance behavior better, we decided to live with the behavior of the BasicHttpBinding binding.
We were hoping to log certificate expiration information for the certificates presented by our remote SSL clients, but we can't do that easily when the validator is called on every message. A shame really.
We see no easy way to change the binding at the service without changing the bindings at all the clients, as well.
I really like WCF but the way service instance behavior is affected by the choice of binding and security is not very well documented.
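For the setup in the question (Transport security, `HttpClientCredentialType.Certificate`, `X509CertificateValidationMode.Custom`) and the logging goal in the answer, here is an added example of what `CustomX509CertificateValidator` could look like. It is not code from the question or answer: it performs the checks that must run on every call (validity window and chain build) and logs expiration information only once per certificate thumbprint, so being invoked on every message does not flood the log. The `ExpiryWarning` threshold, the `_logged` cache and the `Console.WriteLine` sink are assumptions of this example; substitute the project's own logging.

```csharp
using System;
using System.Collections.Concurrent;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Assigned once on ServiceHost.Credentials.ClientCertificate.Authentication,
// as in the question, so a single instance serves every validation call.
public class CustomX509CertificateValidator : X509CertificateValidator
{
    // Thumbprints whose expiration has already been logged in this process
    // (assumption: one log line per certificate is what we want, not one per message).
    private readonly ConcurrentDictionary<string, DateTime> _logged =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Warn when a client certificate is this close to expiring (assumed threshold).
    private static readonly TimeSpan ExpiryWarning = TimeSpan.FromDays(30);

    // Cap the cache so a client presenting many distinct certificates cannot grow it unbounded.
    private const int MaxCachedThumbprints = 10000;

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        // These checks run on every call: WCF with this binding calls Validate()
        // per message, and a certificate can expire between two messages.
        DateTime now = DateTime.UtcNow;
        DateTime notBefore = certificate.NotBefore.ToUniversalTime();
        DateTime notAfter = certificate.NotAfter.ToUniversalTime();
        if (now < notBefore || now > notAfter)
            throw new SecurityTokenValidationException(
                "Client certificate " + certificate.Thumbprint + " is outside its validity period.");

        // Build the chain to a trusted root with online revocation checking.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        if (!chain.Build(certificate))
        {
            string reasons = string.Join("; ",
                chain.ChainStatus.Select(s => s.Status + ": " + s.StatusInformation.Trim()));
            throw new SecurityTokenValidationException(
                "Client certificate chain validation failed for " + certificate.Thumbprint + ": " + reasons);
        }

        LogExpirationOnce(certificate, now, notAfter);
    }

    // Logs subject, thumbprint and remaining lifetime the first time a thumbprint is seen.
    private void LogExpirationOnce(X509Certificate2 certificate, DateTime now, DateTime notAfter)
    {
        if (_logged.Count >= MaxCachedThumbprints)
            _logged.Clear();

        if (!_logged.TryAdd(certificate.Thumbprint, now))
            return; // already logged for this certificate

        TimeSpan remaining = notAfter - now;
        string level = remaining <= ExpiryWarning ? "WARN" : "INFO";
        Console.WriteLine("{0} client certificate subject='{1}' thumbprint={2} expires={3:u} remaining={4:%d} days",
            level, certificate.Subject, certificate.Thumbprint, notAfter, remaining);
    }
}
```

Because the validator instance is shared across sessions, the thumbprint cache is process-wide, so the expiration line appears once per distinct client certificate rather than per message or per session; the cache is cleared when it reaches `MaxCachedThumbprints` so it cannot be grown without limit by clients rotating certificates.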