All -
I'm using C#'s WebClient class to gain access to a resource on a remote server via https. The resource I am interested in is a file on the remote server. I'm using the following call to gain access to the file:
WebClient client = new WebClient();
client.DownloadData("https://someuri/file.txt");
When calling the above code I get the an System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
I have manually visted the site via IE and added the cert. as a trusted issuer and can browse to the resource without an issue in IE. Does C# not use the standard windows certificate store ? or do I have to write my own CertificatePolicy?. I'd really like to use the built in authentication algorithms.
Thanks in advance.
In order to get this working properly you one can't just accept the the end certificate in the browser. You must use the cmd: mmc console to load certificates into the Machines trust store rather then just the users trust store.
Are you running this code through ASP.Net? If so, you may have to install the cert for the Local Computer, as the cert you installed for your login cant be used by ASP.net
Related
I have an application that can be downloaded from my website and run on user PC. This application doesn't do anything special and just allows the web page to access the scanner. It uses SignalR for communication.
Basically, I run SignalR server under WinForms application and have javascript client that tries to access it through http://localhost:8084/signalR.
Everything works fine when I use HTTP version of the web application, but fails, when I use HTTPS for my web application: Most of the browsers don't allow unsecured connections from a secure page.
So, I've created a self-signed certificate that is installed on user system during installation and it works fine for Chrome, IE and Opera, but fails for Firefox and Edge.
So I was thinking, is there a better way to access SignalR applications that are running on localhost from webpage under https?
There isn't a better way. You are correct in your understanding that "[m]ost of the browsers don't allow unsecured connections from a secure page". I believe there isn't a browser that will allow this. Therefore if you want to call out from a secured website, you must use a secured connection as well.
I don't know the issue you're experiencing with Edge, as I can confirm that it does work. Firefox will NOT trust a certificate in the cert store, even if it is a trusted root or has a trusted root certificate. You have to manually add an exception for this certificate. Details, or at least information that will let you find the correct method to do this, can be found here.
There are some things you have to do in order to make sure your certificate and configuration is correct. First, you have to have a well formed certificate with a public and private key and a well formed certificate authority cert with only its public key. By "well formed" I mean it must contain all information required by browsers for full trust, such as a Subject Alternative Name entry.
You can use OpenSSL to generate the CA, then use that to sign a certificate you will use for the SSL port. Export the CA's public key and the SSL certificate's public and private keys. Exporting the CA's private key is a MAJOR no no. That would allow third parties to create new certs from it and install them on your client's machine. The CA gets installed in the machine's Trusted Root Certification Authorities store. The SSL cert can go into the Personal/Certificates store.
Once you have these, you have to configure the URL/Port you will use for access and SSL using the netsh command line tool. Add a URLACL to allow the application to access the url and port (netsh.exe http add urlacl), and then assign the certificate to the port (netsh.exe http add sslcert ).
Having done all this, you should be good to go. The only real problems you should have are Chrome being very demanding about the configuration of your certificates and Firefox refusing to trust your CA certificate even though it is in your trusted certificate store. Bastard.
And for Edge, I can definitely guarantee if you do all the above it will work. If it doesn't, you need to consult the js console to see what errors it is throwing.
We have developed a .NET 4.5 application that runs an embedded (OWIN) webserver on localhost.
Some of its functionality requires us to make AJAX requests to that webserver from a public website on the Internet.
The problem is that that site uses HTTPS. Chrome now complains that there is unsafe content being loaded (which is correct).
To solve this, we would need to have our embedded webserver use SSL, so that there is no HTTPS-HTTP traffic. There are plenty of examples online of creating a self-signed certificate and binding that to a port, but our application needs to be distributed as well.
Is it possible (and how) to create a self-signed certificate for localhost (OWIN) that is actually redistributable?
I understand that this means that the connection is not trusted, because it's not verified by an SSL Authority, but we're only trying to use it so that there is no cross-protocol communication between the localhost and the public website.
We solved this in the end;
We are using SignalR and we distribute/install a certificate on the clients that is bought specifically for this purpose.
So our setup installs both the application and the certificate and binds it to the OWIN server. We got most of the information on how to do this via this blog:
https://weblog.west-wind.com/posts/2013/Sep/23/Hosting-SignalR-under-SSLhttps
It contains a detailed step-by-step description on how to get this to work.
EDIT:
Binding the certificate to the port is done by using the netsh command. We use InnoSetup to execute this for us. Info on how to do this is here.
Please note that we use a single certificate, and the command needs the certificate key in order to bind it.
This might be an issue using multiple (different) certificates, I'm not sure if it's possible to extract the key from the certificate to dynamically issue the command for different certificates. For a single certificate we had only a single key, and that was hardcoded.
It might be possible to extract the key, this is some info that might help in that regard.
I'm a not good at Web services and C#. I looked at other threads but I can't seem to find a solution. I think because I'm using SSIS I can't use WSE or WCF approaches.
I'm looking for a solution to exchange data between an application server and a secured web service. Overview:
There is a PFX file present which contains the client certificate and the private key.
The PFX is installed on the application server.
I can't approach the service endpoint through a browser e.g. internet explorer. Even with a certificate.
I received a SOAPUI project with already the bindings and methods defined (Can't insert the URL). I just needed to reference the PFX file in the settings. I compile a test for a method in the form of a SOAP message and I succesfully receive a response.
I need to generate the following SOAP header structure:
Picture
Now in C# how can I realize the same effect as in SOAPUI? At first I tried manually composing the soapmessage and posting it to the service, but I think this is not possible, because I can't seem to generate a security binary token. Now I'm thinking about generating proxy classes. Since I don''t have acces to the URL endpoint, I'll have to use offline versions of the WSDL + XSD's. Can the proxy class approach work with the web service security?
Basically you need to write custom script to consume web service in SSIS. First you need to install certificate on local machine. Then you will be able to consume it. SSIS provide support for web service, so you can use it. SOAPUI request is equivalent to web method.
MSDN Documentation: Call a Web service by using a client certificate for authentication.
Frequently, Web services must authenticate applications that call the Web services. The Web services must perform authentications of calling applications before the Web services can perform authorizations. One authentication technique is to require applications that call the Web service to present a client certificate.
When an ASP.NET Web application tries to call a Web service that uses
certificate authentication, you may receive an "access denied" error
message. When a console application or a Microsoft Windows Forms
application calls the same Web service, you do not receive an error
message.
This behavior occurs because the computer maintains two different
certificate stores: The local machine store: An ASP.NET Web
application looks in this store to locate client certificates. The
local user store: An interactive user application looks in this store
to locate client certificates. Typically, when an interactive user
application installs a client certificate, the client certificate is
installed in the local user store. Therefore, the client certificate
works for interactive user applications. However, the client
certificate does not work for ASP.NET Web applications.
To enable an ASP.NET Web application to use a client certificate, you
must install the client certificate in the local machine store. When
you install a client certificate in the local machine store, the
client certificate is only available for user accounts in the
Administrators group and for the user who installed the client
certificate. Therefore, you must grant access to the client
certificate for the user account that is used to run the ASP.NET Web
application.
Note You must have the Microsoft .NET Framework 1.1 Service Pack 1
(SP1) installed to use client certificates in the local machine store.
Additionally, when the ASP.NET Web application calls the Web service,
the application must export the client certificate from the
certificate store and then add the client certificate to the Web
service call.
Below are resources which would provide some starting point.
HOW TO: Write a Simple Web Service by Using Visual C# .NET
How to call a Web service by using a client certificate for authentication
Client certificate authentication with web services in .NET
Using authentication certificates to connect to web service
Accessing a web service and a HTTP interface using certificate authentication
Creating and Using C# Web service over HTTPS – SSL
I created a self hosted HTTPS WCF web service running on my Localhost machine. Now i make a request to this web service from a GWT based application hosted on some domain.
I use self-signed X.509certificate which is not approved yet. Whenever my GWT application make requests, It shows an error because of untrusted Certificate. Can i bypass this error from my GWT client code or suggest me an alternative solutions ?
Is there are any other protocol which supports WCF service that we can use for communication and will not trigger the security alert from browser?
Updated
Whole scenario:
You installed a exe in your system, which take cares of WCF web service and importing certificate to your local machine.
You open a GWT based website from your browser. Let's say some.com
some.com continuously polling a request to his/her local machine. Let's say on https://localhost:8098/{someendpoint}
But because of this HTTPS and untrusted certificate. It is not able to make request.
since you said
Let's start with local testing
How about installing your self signed certificate onto the machine on which you are testing the GWT ?
You should be able to double click the certificate and follow the prompts/wizard to install it.
This applies to development only (for production you'd need a proper certificate)
I have a web service and I want to call it from https. What is the solution?
This work for http.
Since I have a pretty good background in server setup, I will try and tackle this question.
First off, you need to set up SSL on your website. This involves buying a SSL Certificate or self signing one. Once you have a SSL certificate you need to set up your server to use it and serve your website through SSL.
As for you web code, the service you are hosting will work just fine under SSL as without. You will just have to change how you call it to use https:// instead of http://.
If you are trying to secure sensitive data you may want to set up your web server to redirect all non SSL requests to the the same path but under SSL by changing http:// in the path to https://. Any decent server administrator should know how to do this.