As a part of a larger application I need to implement an SSL tunnel in C#. I was wondering if there's a better way of doing that instead of writing each step of SSL negotiation myself which sounds like reinventing the wheel.
Do you know if there are any libraries that I could use to minimize the code I need to write or any tutorials which show how this or similar thing can be implemented most efficiently in .NET?
SSlStream should do most of the work for you.
It's not clear what you mean by SSL tunnel. If I understand it right, you need some client-side software which acts as a local server (to which other applications connect), this software then connects using SSL to your server-side software, which in turn takes the data out of the SSL tunnel, and routes them further. In this case you would need client-side and server-side SSL/TLS components. You can use our SecureBlackbox for this task. SecureBlackbox provides comprehensive support for SSL/TLS protocol with complete control over connection and certificate management.
It can be that you need not plain SSL channel, but some kind of encrypting proxy. In this case you need to decide what exactly kind of proxy you want (will it be SOCKS proxy or HTTP CONNECT proxy) and implement it on the client side. one of the benefits of such proxy is that it can transfer the real connection address (i.e. where the client wants to go to) to the remote server, and that remote server will perform connection. This is more flexible approach, but it would require some (minimal, I should say) coding to implement the stuff, related to SOCKS or HTTP CONNECT request parsing and response generation.
.NET includes SSL support, centred around the System.Net.Security.SslStream class.
Related
I am trying o figure out how CoAP server handles authentication. DTLS seems to be the only option. However I could not find any clear example of it for .NET. I have also seen a mention about cookie on server side but that is all, no more information.
https://github.com/chkr1011/CoAPnet seems to be a good library. They also have a client example but I sould not find server example of it. Projest seems to have CoAP server as well, however I could not find it in source code.
Can any client send requests to the server if url is known? Is DTLS the way to go? Is there any server/client example of DTLS in C#?
If a java server will also help, have a look at eclipse/californium. We run a sondbox at "californium.eclipse.org" and if you want to "connect" a client, you may just use the "openssl" PSK demo credentials "Client_identity" and "secretPSK".
Can any client send requests to the server if url is known?
That depends on the protocol variant. Without encryption (plain coap), yes. Some projects then use a "token" in the request, to authenticate the request (see ThingsBoard). With encryption (DTLS, coaps), you need valid credentials, e.g. PSK (as above), a x.509 certificate or a Raw Public Key certificate. There are also setups, where only the server authenticates itself using x.509, and the client then uses the already encrpyted communication to authenticate with an other mechanism (e.g. username/password, so very similar to the model, mostly used with https).
The most pain is usually to find implementations, which could be used in the intended/wanted way. Maybe some projects helps you, to adapt the implementation.
Is DTLS the way to go?
In my opinion, yes. The alternative with OSCORE (payload encryption) are currently in development, we will see, if that changes the game.
Is there any server/client example of DTLS in C#?
I don't know that. Maybe you ask that the project you already found. Or ask here CoAP-CSharp
I'm new to gRpc and now learning this tech
I'm wondering if gRpc can replace SignalR for updating notification bar on my client-side app (React).
Is that the case? or should I keep using SignalR for this matter?
(I'm asking it just to make sure I understand the purpose of the gRpc tech, by few articles I read it's more a web API replacement and few others compare it to SignalR)
Thanks!
y-me
Assuming you meant browser-based clients, then NO you cannot use gRPC. The gRPC protocol relies on HTTP/2 framing and in particular the ability to send and receive HTTP trailers. While browser themselves can and do use HTTP/2, current browser APIs (XHR/Fetch) don't expose HTTP/2 semantics.
There is however an alternative protocol, gRPC-web, that supports a subset of gRPC functionality you can utilize from a browser-based application. Given that it is a different protocol, your server will need to support it or you will need to employ a proxy like Envoy that can translate gRPC-web calls to gRPC.
I can't answer your question has if it is usable for Server/Client communications, just offer some thoughts. SignalR is made for the purpose of real time communications between Client and Server because of it's adaptability, and gRPC by it's constraints (HTTP/2 and HTTPS) is more reserved for backend micro-services communications.
Want to have a ssl C# server that will only send and receive small JSON strings.
The clients can be anything from mobile devices or computers.
Need some feedback what to chose since some clients maybe have ssl limitations or other limitations.
Should i create an (openssl)ssl ftp socket server?
Should i create an HTTPs server?
should i create something else????
The HTTPS looks like easiest because of it's long history and width usage.
any feedback would be grate
Give a chance to WCF.
It has a very strong customizable stack, with externalizable configuration files, for both server and client side.
Moreover, it can publish services over multiples wires. This may help you to address a maximum of situations like "simple" https encryption to certificate validation.
You can even define your own channel for ultra specific contexts.
A last word from a developer perspective: the idea of WCF is to decouple the service from its connectivity. In today world, it's a huge advantage.
HTTPS is HTTP over SSL/TLS: you first establish an SSL/TLS connection and then you exchange HTTP requests and responses on top of it (as if it was a plain TCP connection).
Since you want to use SSL/TLS in both cases, what you seem to be asking is whether you should design your own protocol or use an existing one.
Should i create an (openssl)ssl ftp socket server?
There are multiple ways of securing FTP with SSL/TLS. It's certainly not the easiest way to go.
Should i create an HTTPs server? should i create something else????
Designing your own protocol means that you'll have to provide an implementation for each device yourself. HTTPS has the advantage of being widely supported. You shouldn't even have to use much of the underlying SSL/TLS API yourself (no need to learn the OpenSSL API). The only requirements might be to learn about some SSL/TLS configuration, such as setting up certificates.
Even if you're thinking of reducing the overhead due to the HTTP headers, your protocol will still have to perform similar payload management one way or another, at least to know where the requests and responses start and end.
It's unclear what your requirements are, but unless you really notice problems with HTTPS, exchanging JSON strings with HTTPS with an existing library (e.g. WCF) makes more sense than your other suggestions.
I would like to handle HTTP on very low level - at the moment I'm stuck with HTTP CONNECT verb. It looks like HttpListener doesn't have access to these request because they are handled somewhere inside HTTP API or HTTP.SYS. I'm able to handle such requests with native TcpListener but in such case I would lose all HTTP functionality = I would implement HTTP from scratch.
I also checked FiddlerCore but it also handles these requests on some Win API layer. Is there any pure .NET HTTP stack?
Edit: I'm working on HTTP proxy with some additional request analysis and statistics so I don't want to lose HTTP parsing and in the same time I want to know about SSL connections.
Use Tcp* ans Socket*, not Http* related classes to use really low level in .NET.
TCP is at the bottom of HTTP protocol stack.
Use TCP sockets if you want it to, just use "winsock2.dll" interop calls form c#, and all related stuff like structure definitions etc, or use native C++
Well, if you are building your custom HTTP/HTTPS server or proxy and you don't mind third-party components, then our SecureBlackbox includes HTTP/HTTPS server components which let you do almost anything with any verb. Pure .NET, use any socket classes.
Ok. Again the problem is not in API but in developer :)
I have some test suite to test my implementation but the test suite was connecting directly (not as to a proxy) - that was the first problem. The second problem was that this test suite should use TcpClient instead of HttpWebRequest if I want to test Connect verb separately because HttpWebRequest uses it only internally when using proxy for HTTPS.
BACKGROUND INFORMATION: PROGRAM WRITTEN IN C#
I'm working on a program right now that connects through a SOCKS5 proxy (coded from scratch. works well enough.), but I'd also like to (through that proxy) communicate to a DESTINATION through SSL.
I've done some research, googled many a time, and have come to the conclusion that SslStream won't be ideal for my situation. I NEED to first authenticate with the SSL through the proxy, and THEN start sending encrypted packets, once I receive the key.
QUESTIONS:
How can I encrypt my packets with TLS in C#? For some reason I can't at all figure it out. I'm stuck! :(
What is the raw syntax required to even REQUEST said SSL certificate?
You might want to have a look at the TLS implementation in the open source Bouncy Castle cryptography library. If it won't work as-is, you can hack it into doing what you need. If you want to deep-dive the specification itself, you'll find it as IETF RFC 5246.
As you've probably discovered, though, doing any portion of the connection setup work yourself leaves you with no way to use the WebRequest family of classes to handle the HTTP portion of the protocol work. That leaves you with two options I can see: do the HTTP yourself as well (I found a trivial example HTTP client floating around the net), or change the current user proxy server settings
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="socks=socks.example.net:1080"
then send the request normally using the WebRequest classes.
I'd like to offer you SSLBlackbox package of our SecureBlackbox product. Among numerous other components it has a simple SSL client component that is socket-based, can connect via different proxies (SOCKS, HTTPS CONNECT) and supports all features of SSL/TLS up to TLS 1.2. If you need more control, you can use any custom socket, and not just built-in socket support. This lets you use the components for securing traffic that goes not via sockets at all (pigeon mail can be secured this way as well).
An HTTPS client is available and included into SSLBlackbox as well.