To establish HTTP communication, WCF internally uses HttpTransportBindingElement for HTTP and HttpsTransportBindingElement for HTTPS. Both binding elements are implemented on top of System.Net.HttpListener, which is part of .NET 2.0.
This class utilizes the http.sys driver, which is the HTTP protocol implementation hosted in the Windows kernel. This is the reason why this functionality (HttpListener) is available only on XP SP2 and newer.
Usually, when the WCF service has to support SSL and IIS is used as the host, there is a nice GUI in the internet connection manager which makes it easy to install the certificate for SSL.
Unfortunately, the HttpListener is not a product of its own, and its configuration is a little more involved.
So our goal is to configure HttpListener so that it can host the WCF service over SSL.
Creating and installing of the server certificate for SSL
Before the listener can be configured, the required server certificate has to be created and properly installed.
The following line shows how to create the test X509 certificate that will be used for SSL communication on the machine 192.168.100.186.
makecert.exe -sr LocalMachine -ss My -n CN=192.168.100.186 -sky exchange -sk -pe
Note that this machine (with IP 192.168.100.186) will host the WCF service that should support HTTPS. Please also note that the test certificate created with the makecert tool is signed by the virtual trust center ‘Root Agency’ (self-signed, for testing purposes only).
After this command is executed, a new certificate with its private key is created and stored in the LocalMachine Personal store. To see it, use the MMC certificates snap-in.
After this step the HttpListener could be configured. However, in the test scenario there will be a client which will probably run on the same machine. Because of this, execute the following command to install the newly created server certificate in the user’s “Trusted People” store.
certmgr.exe -add -r LocalMachine -s My -c -n 192.168.100.186 -r CurrentUser -s TrustedPeople
This command reads the server’s certificate (created in the previous step with makecert.exe) with the name CN=192.168.100.186 from the LocalMachine “Personal” store and makes a copy of it in the CurrentUser “Trusted People” store.
This establishes the client’s trust in the certificate.
Configuring HttpListener
The first thing you have to do is download the required tool HttpCfg.exe, which is part of the Windows XP SP2 Support Tools (download here).
Here are some examples:
Configure HttpListener to provide SSL on all IP addresses, on port 999:
Httpcfg.exe set ssl -i 0.0.0.0:999 -h e81bada10ffddf6fce0628ab491eecf8d2a4d070 -Personal
The value specified with the -h argument is the certificate's thumbprint (hash), which can be copied from any certificate viewer. I used the MMC certificates snap-in to browse for the certificate. Under the Details tab, select Thumbprint and copy the binary value. Finally, remove all blanks.
The following command is useful to show which certificates are already configured:
Httpcfg.exe query ssl
After executing it, a result like the following could appear:
IP : 0.0.0.0:999
Hash : 2b7f1ebe2ae632c5d7328a8f849ffde0b4 3c07c
Guid : {00000000-0000-0000-0000-000000000000}
CertStoreName : MY
CertCheckMode : 0
RevocationFreshnessTime : 0
UrlRetrievalTimeout : 0
SslCtlIdentifier : (null)
SslCtlStoreName : (null)
Flags : 0
Sometimes it is useful to delete the previously configured certificate before the new one is installed:
Httpcfg.exe delete ssl -i 0.0.0.0:999
More information about this tool can be found here.
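Copying the thumbprint out of the MMC dialog by hand is where most httpcfg bindings go wrong. The following helper is an added example, not code from the original post: it looks the makecert certificate up in LocalMachine\My by its subject name, checks that the private key is present (httpcfg cannot serve SSL without it), and prints the httpcfg command with a blank-free thumbprint. The class and method names (SslBindingHelper, FindServerCertThumbprint) are my own; the IP and port are the ones used in the post.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added helper (not part of the original post): locates the makecert-created
// server certificate in LocalMachine\My and prints a ready-to-paste httpcfg line.
static class SslBindingHelper
{
    // Returns the thumbprint as httpcfg expects it (hex, no blanks),
    // or null when no usable certificate is found.
    public static string FindServerCertThumbprint(string hostName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly must be false: the test cert is issued by "Root Agency",
            // which is not a trusted root, so a validity-filtered search finds nothing.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, "CN=" + hostName, false);
            foreach (X509Certificate2 cert in found)
            {
                // httpcfg can only bind a certificate whose private key is present;
                // a cert copied without its key fails silently at SSL handshake time.
                if (!cert.HasPrivateKey)
                    continue;
                // .Thumbprint is upper-case hex without separators, unlike the MMC
                // Details view, which shows blanks (and on some Windows versions copies
                // an invisible leading character that makes httpcfg reject the hash).
                return cert.Thumbprint;
            }
            return null;
        }
        finally
        {
            store.Close();
        }
    }

    static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "192.168.100.186"; // host name used in the post
        string thumb = FindServerCertThumbprint(host);
        if (thumb == null)
        {
            Console.Error.WriteLine("No certificate with a private key for CN=" + host);
            return;
        }
        Console.WriteLine("Httpcfg.exe set ssl -i 0.0.0.0:999 -h " + thumb);
    }
}
```

Run it on the server machine as an administrator (the LocalMachine store requires elevated access) and paste the printed line into the console.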
Implementing and configuring service and client
The required configuration is shown below:
<services>
  <service name="Microsoft.ServiceModel.Samples.CalculatorService">
    <endpoint address="https://192.168.100.186:999/wcftest"
              binding="basicHttpBinding"
              bindingConfiguration="Binding2"
              contract="Microsoft.ServiceModel.Samples.ICalculator">
    </endpoint>
  </service>
</services>
<bindings>
  <basicHttpBinding>
    <binding name="Binding2">
      <security mode="Transport">
        <transport clientCredentialType="Basic"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
Note that the endpoint address has to match the address the HttpListener was configured with. In this case the SSL binding was made for 0.0.0.0:999 (all interfaces, port 999), which covers the address used in the endpoint: https://192.168.100.186:999/wcftest.
Remember that the hostname in the address has to be the same as the name given to the certificate (CN=192.168.100.186 in the makecert command above). In this case the IP address has been used as the name. Otherwise the certificate trust check on the client will fail.
If there are any problems (you will have them for sure) during the “preparation” of the infrastructure for this example, it is useful to use the following handler, which catches any trust error:
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
ServicePointManager.ServerCertificateValidationCallback += new RemoteCertificateValidationCallback(customCertificateValidation);
// Diagnostic handler: set a breakpoint here to inspect "error"; returning true accepts every certificate.
private static bool customCertificateValidation(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors error) {
    return true;
}
If the “error” argument is “None”, everything worked fine. Note that returning true means that all errors are simply ignored. Never use this code in a production environment!
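A safer way to get the same diagnostics is to log the SslPolicyErrors and the chain status, and then accept only the one test certificate you bound with httpcfg, identified by its thumbprint. This is an added example, not code from the original post; the class name PinnedTestCertValidation is my own, and the thumbprint is the one from the httpcfg example above (replace it with yours).

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original post): reports why validation failed,
// but only tolerates the single known test certificate instead of returning true.
static class PinnedTestCertValidation
{
    // Thumbprint of the makecert test certificate, as bound with httpcfg
    // (taken from the post's httpcfg example; hypothetical for any other setup).
    private const string ExpectedThumbprint = "e81bada10ffddf6fce0628ab491eecf8d2a4d070";

    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback +=
            new RemoteCertificateValidationCallback(Validate);
    }

    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;                       // normal trust path succeeded

        // Log which checks failed: name mismatch, chain problem, or no certificate at all.
        Console.WriteLine("SSL validation errors: " + errors);
        if (chain != null)
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine("  chain: " + s.Status + " - " + s.StatusInformation.Trim());

        if (cert == null)
            return false;

        // Accept only the exact test certificate (thumbprint pinning), and only when the
        // untrusted "Root Agency" chain is the sole problem; a hostname mismatch still fails.
        bool onlyChainError = (errors & ~SslPolicyErrors.RemoteCertificateChainErrors) == 0;
        bool isPinned = string.Equals(cert.GetCertHashString(), ExpectedThumbprint,
                                      StringComparison.OrdinalIgnoreCase);
        return onlyChainError && isPinned;
    }
}
```

Call PinnedTestCertValidation.Install() once at client start-up, before the first HTTPS request; the console output tells you whether the failure is the expected self-signed chain error or a name mismatch that needs a corrected endpoint address.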
The full very simple example can be found here.
(httpconfig.exe)
Posted Aug 01 2006, 06:58 PM by Damir Dobric