I hava a self-hosted wcf service which is configured for ssl.
The certifiacate is bound to the port of the service by commandline,
using the 'netsh' command, e.g.:
netsh http add sslcert ipport=0.0.0.0:8000 certhash=XYZ appid={"ABC"}
This is described here:
http://msdn.microsoft.com/de-de/library/ms733791(v=vs.110).aspx.
It works as expeced.
Now I just discovered that there is a SetCertificate-Method:
http://msdn.microsoft.com/de-de/library/system.servicemodel.description.servicecredentials.servicecertificate(v=vs.110).aspx
So, I thought I can make use of this method, and do not need the netsh comamnd
for binding the certifiacte anymore.
But it does not work? SetCertificate seems to have no effect?
So what else is it used for?
Am I missing something?
I think I can answer my own question. Found the answer here:
http://msdn.microsoft.com/de-de/library/ms789011(v=vs.110).aspx
If the transport is HTTP (using the WSHttpBinding), SSL over HTTP provides the transport-level security. In that case, you must configure the computer hosting the service with an SSL certificate bound to a port, as shown later in this topic.
If the transport is TCP (using the NetTcpBinding), by default the transport-level security provided is Windows security, or SSL over TCP. When using SSL over TCP, you must specify the certificate using the SetCertificate method, as shown later in this topic.
So the SetCertificate method is only used when Transport is TCP. In my case it is Http, so I have to bind the Certificate to the port manually as I did.
Related
I have to build a client-server application that uses websocket secure for communication between the parties. In order to build it, I used this repo as a skeleton:
https://github.com/radu-matei/websocket-manager
This also comes to the following blog post:
https://radu-matei.com/blog/aspnet-core-websockets-middleware/
I managed to create the ws communication. However, I have to create a wss communication and I can't seem to figure out how to do this. After changing ws:// to wss:// and http to https, if I access localhost the connection will be secure. But if I try to access 127.0.0.1, the communication won't be secure.
I understand that I should use self-signed certificates, but I don't know how to integrate them in the code present in the first link. Can you help?
I have a standard n-tier application (.Net 4.7.2) with a console server and a WinForms application both running on the same machine. The client and server communicate via WCF.
I get a CommunicationException on the client when I attempt to communicate with the server if I use any port other than 443 in my address binding. not specifying a port or explicitly specifying 443 works without an issue.
The error message is;
An error occurred while making the HTTP request to
https://localhost:44333/SecurityTokenService/issue/wstrust/mixed/anonymous.
This could be due to the fact that the server certificate is not
configured properly with HTTP.SYS in the HTTPS case. This could also
be caused by a mismatch of the security binding between the client and
the server.
here is my client binding for reference
<endpoint
address="https://localhost:44333/SecurityTokenService/issue/wstrust/mixed/anonymous"
binding="customBinding"
bindingConfiguration="MySecurityTokenEndpointBinding"
contract="System.ServiceModel.Security.IWSTrustChannelContract"
name="SecretTokenAuthenticationEndPoint" />
UPDATE: I have continued to investigate the issue myself and enabled WCF tracing. I can see from the trace logs the warning 'The Security Protocol cannot secure the outgoing message'
Make sure to use the correct way to call the wcf service, such as adding service reference, channel factory, etc. After reading your question, I think it is very likely as the error message says: 'This could also be caused by a mismatch of the security binding between the client and the server.'
You can use the following code to specify the TLS version:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls13;
TLS1.3 is the latest TLS standard protocol, which is faster and has higher security.
Here is the reference: Transport Layer Security (TLS) best practices with the .NET Framework
The solution for me was to bind the SSL certificate to the IP Address and Port that my service was being exposed on. I used the following command from a command prompt;
netsh http add sslcert ipport={ipAddress}:{port} certhash={CertificateThumbprint} appid={appId}
Some points to note
If the above command fails; ensure you have the private key imported and not just the public certificate
I don't know if the appId is an arbitrary Guid; I used the Guid from my application shell project (a console application); It's the Guid that exposes your application to 'com'
Hopefully, this helps somebody in the future
I have an app that consists of a fat client and extensions. The extensions can load html and communicate with the app using http request. Therefor my app listens on localhost to http requests.
To enable the app running on a terminal server environment, it cannot (as far as i see) use a fixed portnumber (because all instances will try to claim the same portnumber). So, on startup, it tries to open a HttpListener on random ports, untill it succeeds.
I now want to enable the pages to be loaded using httpS. Using Netsh/httpcfg to bind a certificate to a fixed port is useless, because of the random port idea. I know it is actually possible with WCF to add a certificate in code. (setting the certificate on the Credentials.ServiceCertificate.Certificate property and setting the binding correct)
Is this possible with a HttpListener?
I have the certificate and all setup - the question is only to dynamicly use that certificate on a non-fixed portnumber.
(And if it is, is it also possible to do the same with Microsoft.Owin.Hosting.WebApp.Start(...))
I have written a winforms client, that connects to a Windows service establishing a connection with XSockets.Net. This is working fine for a direct connection to the internet.
But when there is a proxy server, it will fail.
As I checked the XSockets API I have not found any settings, that allows me to use a proxy server.
Also for the websockets protocol I have not found a sufficient answer.
Any ideas?
Use WSS:// for connection, that is the equivalent to HTTPS in WebSocket.
The WebSocket protocol handshake sends the HTTP headers "Upgrade:websocket" and "Connection:Upgrade", meaning that the proxy will probably remove the "Upgrade" header because is set as a "Connection" header. By using a secure protocol, the proxy won't be able of intercept the request and will just let it pass.
Cheers.
BACKGROUND INFORMATION: PROGRAM WRITTEN IN C#
I'm working on a program right now that connects through a SOCKS5 proxy (coded from scratch. works well enough.), but I'd also like to (through that proxy) communicate to a DESTINATION through SSL.
I've done some research, googled many a time, and have come to the conclusion that SslStream won't be ideal for my situation. I NEED to first authenticate with the SSL through the proxy, and THEN start sending encrypted packets, once I receive the key.
QUESTIONS:
How can I encrypt my packets with TLS in C#? For some reason I can't at all figure it out. I'm stuck! :(
What is the raw syntax required to even REQUEST said SSL certificate?
You might want to have a look at the TLS implementation in the open source Bouncy Castle cryptography library. If it won't work as-is, you can hack it into doing what you need. If you want to deep-dive the specification itself, you'll find it as IETF RFC 5246.
As you've probably discovered, though, doing any portion of the connection setup work yourself leaves you with no way to use the WebRequest family of classes to handle the HTTP portion of the protocol work. That leaves you with two options I can see: do the HTTP yourself as well (I found a trivial example HTTP client floating around the net), or change the current user proxy server settings
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="socks=socks.example.net:1080"
then send the request normally using the WebRequest classes.
I'd like to offer you SSLBlackbox package of our SecureBlackbox product. Among numerous other components it has a simple SSL client component that is socket-based, can connect via different proxies (SOCKS, HTTPS CONNECT) and supports all features of SSL/TLS up to TLS 1.2. If you need more control, you can use any custom socket, and not just built-in socket support. This lets you use the components for securing traffic that goes not via sockets at all (pigeon mail can be secured this way as well).
An HTTPS client is available and included into SSLBlackbox as well.