Securing WCF (Windows Communication Foundation) transport with SSL

Damir Dobric Posts

Securing WCF (Windows Communication Foundation) transport

 

WCF provides a mechanism for securing communication between a client and a WCF service by using message mode and/or transport mode.

 

However, when transport mode (basic transport security) is used, an X509 certificate is required.

 

Before SSL can be used at all, an X509 certificate is required for the web server that hosts your service. Additionally, you need to install the web server's certificate on the machine that hosts the client. Depending on the issuer of the certificate, it may be necessary to install the whole certificate chain on that machine too.

 

Unfortunately, the test environment sometimes does not satisfy the strict security policy around SSL. In general, the underlying infrastructure mostly fails because of the following problems:

 

  1. The certificate cannot be found for any reason.
  2. One of the issuers in the chain cannot be validated successfully.
  3. The name of the certificate is invalid or does not match the name of the site.

All three errors are defined in the following enumeration:

 

 

namespace System.Net.Security
{
    [Flags]
    public enum SslPolicyErrors
    {
        None = 0,
        RemoteCertificateNotAvailable = 1,
        RemoteCertificateNameMismatch = 2,
        RemoteCertificateChainErrors = 4,
    }
}

 

If any of the listed policies is not satisfied, the call to any remote operation fails with the following error:

 

System.ServiceModel.Security.SecurityNegotiationException

 

“Could not establish trust relationship for the SSL/TLS secure channel with authority ‘your machine name’”

or

 

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

 

In a production environment you simply have to solve the problem. During development, however, you will probably not have the time to take care of infrastructure problems. In that case the ServicePointManager.ServerCertificateValidationCallback delegate can help you.

 

During the handshake at the transport layer, this callback is invoked to give you a chance to implement a custom certificate validation mechanism.

 

The following code shows how to do that:

 

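using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

private static void Net30BasicAuthentication()
{
    HelloWorldServiceSoapProxy proxy = new HelloWorldServiceSoapProxy("HelloWorldServiceSoap");
    proxy.ClientCredentials.UserName.UserName = "username";
    proxy.ClientCredentials.UserName.Password = "pwd";

    // Register the custom validation before the first call opens the SSL channel.
    ServicePointManager.ServerCertificateValidationCallback += new RemoteCertificateValidationCallback(CustomCertificateValidation);

    proxy.HelloWorld();
}

// Accepts the certificate only if its subject is the expected development
// certificate; the reported SslPolicyErrors value is ignored.
private static bool CustomCertificateValidation(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors error)
{
    // cert is null when no remote certificate was presented.
    if (cert != null && cert.Subject == "CN=dado-nb1, OU=Development, O=DAENET, L=Frankfurt")
    {
        return true;
    }
    return false;
}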

Each time the certificate has to be validated against the SSL policy, the callback is invoked. If the callback returns true, the certificate is treated as successfully validated.
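A narrower variant of the validation callback, as an added example that is not from the original post: it lets certificates that pass normal validation through, and tolerates name-mismatch and chain errors only for one certificate pinned by its hash rather than by its subject string, which any self-signed certificate can carry. The class name and the PinTo and SelfSigned helpers are hypothetical, the sample certificates are constructed at run time, and CertificateRequest is assumed to be available (.NET Framework 4.7.2 or later).

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class DevCertificatePinning
{
    // Errors a self-signed development certificate is expected to raise.
    const SslPolicyErrors Tolerated = SslPolicyErrors.RemoteCertificateNameMismatch
                                    | SslPolicyErrors.RemoteCertificateChainErrors;

    // Hypothetical helper: builds a callback that pins one certificate by its hash.
    public static RemoteCertificateValidationCallback PinTo(string pinnedHash)
    {
        return (sender, cert, chain, errors) =>
        {
            if (errors == SslPolicyErrors.None) return true;   // normal validation passed
            if (cert == null || (errors & ~Tolerated) != 0) return false;
            // Policy errors are accepted only for the exact pinned certificate.
            return string.Equals(cert.GetCertHashString(), pinnedHash,
                                 StringComparison.OrdinalIgnoreCase);
        };
    }

    // Constructed sample input: a throwaway self-signed certificate.
    static X509Certificate2 SelfSigned(string subject)
    {
        using (RSA key = RSA.Create(2048))
        {
            var request = new CertificateRequest(subject, key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return request.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5),
                                            DateTimeOffset.UtcNow.AddDays(1));
        }
    }

    static void Main()
    {
        X509Certificate2 dev = SelfSigned("CN=dado-nb1");
        X509Certificate2 other = SelfSigned("CN=dado-nb1");   // same subject, different key
        RemoteCertificateValidationCallback check = PinTo(dev.GetCertHashString());
#if DEBUG
        ServicePointManager.ServerCertificateValidationCallback = check;   // development builds only
#endif
        Console.WriteLine(check(null, dev, null, SslPolicyErrors.RemoteCertificateChainErrors));
        Console.WriteLine(check(null, other, null, SslPolicyErrors.RemoteCertificateChainErrors));
        Console.WriteLine(check(null, null, null, SslPolicyErrors.RemoteCertificateNotAvailable));
    }
}
```

Because ServicePointManager is static, the registered callback applies to every HTTPS connection the process makes, which is why this variant returns true for SslPolicyErrors.None instead of rejecting every certificate other than the pinned one.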

For more information about validation callbacks take a look here.

 

 


Posted Jun 29 2006, 03:58 PM by Damir Dobric

Comments

Damir Dobric wrote re: Securing WCF (Windows Communication Foundation) transport wit SSL
on 07-15-2006 0:15
I have posted the full example here:
http://developers.de/files/9/damir_dobric/entry739.aspx

Kumar wrote re: Securing WCF (Windows Communication Foundation) transport wit SSL
on 03-23-2008 23:49

Thanks a lot, this saved lot of time today

Dejan wrote re: Securing WCF (Windows Communication Foundation) transport wit SSL
on 07-25-2008 15:28

Thanks a lot, you saved me a lot of time too

honza wrote re: Securing WCF (Windows Communication Foundation) transport wit SSL
on 01-23-2009 20:25

thanks a lot!

Englishbob wrote re: Securing WCF (Windows Communication Foundation) transport wit SSL
on 01-29-2009 19:02

Yup, saved me time too. Thanks.


.net Wand wrote Webclient downloading content/files from an Https (SSL)
on 10-05-2009 11:13

i was using the webclient object to download files from a website and my application worked fine. my

LiS wrote re: Securing WCF (Windows Communication Foundation) transport wit SSL
on 10-13-2009 7:50

Thanks! Have been trying to fix this trouble for so long...

traslochi internazionali milano wrote re: Securing WCF (Windows Communication Foundation) transport wit SSL
on 12-08-2009 10:57

I was just thinking about Securing WCF (Windows Communication Foundation) transport wit SSL and you have really helped out. Thanks!

Kautuk wrote re: Securing WCF (Windows Communication Foundation) transport wit SSL
on 01-28-2010 11:59

Thank you! Now I can move on to the 404 error :(

gromas wrote re: Securing WCF (Windows Communication Foundation) transport wit SSL
on 05-26-2011 17:47

Nice article! Thanks.

Steve Ruiz wrote re: Securing WCF (Windows Communication Foundation) transport wit SSL
on 06-01-2011 21:37

Thank you very much for this post!

Tim wrote re: Securing WCF (Windows Communication Foundation) transport wit SSL
on 09-06-2011 19:55

Thank you, this worked and saved me a ton of time!

Omar S wrote re: Securing WCF (Windows Communication Foundation) transport wit SSL
on 09-21-2011 14:02

Wow, super tips. Thanks, Damir.

Nazri wrote re: Securing WCF (Windows Communication Foundation) transport wit SSL
on 02-18-2012 8:29

You need to escape all instances of * here, since they're all being used in shell commands.  Great otherwise, this will be my new reference for the next time I need to generate SSL certificates :)


developers.de is a .Net Community Blog powered by daenet GmbH.