Securing WCF (Windows Communication Foundation) transport
WCF provides a mechanism for securing the communication between a client and a WCF service through message security, transport security, or both.
When transport mode (basic transport security) is used, an X.509 certificate is required.
Before SSL can be used at all, the web server that hosts your service needs an X.509 certificate. Additionally, you need to install the web server's certificate on the machine that hosts the client. Depending on the issuer of the certificate, it may also be necessary to install the whole certificate chain on that machine.
Unfortunately, a test environment sometimes does not satisfy the strict security policy that SSL enforces. In general, the underlying infrastructure fails for one of the following reasons:
- The certificate cannot be found for any reason.
- One of the issuers in the chain cannot be validated successfully.
- The name of the certificate is invalid or does not match the name of the site.
All three errors are defined in the following enumeration:
namespace System.Net.Security
{
    [Flags]
    public enum SslPolicyErrors
    {
        None = 0,
        RemoteCertificateNotAvailable = 1,
        RemoteCertificateNameMismatch = 2,
        RemoteCertificateChainErrors = 4,
    }
}
If any of the listed policies is not satisfied, the call of any remote operation fails with the following exception:
System.ServiceModel.Security.SecurityNegotiationException
“Could not establish trust relationship for the SSL/TLS secure channel with authority ‘your machine name’”
or
“The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.”
In the production environment you simply have to solve the problem in the infrastructure. During development, however, you will probably not have the time to take care of infrastructure problems. In that case the event ServicePointManager.ServerCertificateValidationCallback can help you.
During the handshake at the transport layer, this callback is invoked to give you a chance to implement a custom certificate validation mechanism.
The following code shows how to do that:
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

private static void Net30BasicAuthentication()
{
    HelloWorldServiceSoapProxy proxy = new HelloWorldServiceSoapProxy("HelloWorldServiceSoap");
    proxy.ClientCredentials.UserName.UserName = "username";
    proxy.ClientCredentials.UserName.Password = "pwd";

    // Register the custom validation before the first call opens the channel.
    // The callback is process-wide: every HTTPS request in this process uses it.
    ServicePointManager.ServerCertificateValidationCallback +=
        new RemoteCertificateValidationCallback(customCertificateValidation);

    proxy.HelloWorld();
}

private static bool customCertificateValidation(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors error)
{
    // Accept only the known development server certificate, identified by its subject.
    // Any other certificate is rejected, regardless of the reported policy errors.
    if (cert.Subject == "CN=dado-nb1, OU=Development, O=DAENET, L=Frankfurt")
    {
        return true;
    }
    return false;
}
Each time a certificate has to be validated against the SSL policy, the callback is invoked. If the callback returns true, the certificate is treated as successfully validated; if it returns false, the connection is rejected with the exception shown above.
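The following is an added example, not code from the original post, of a callback that keeps the platform's validation result for the normal case and only tolerates a single known development certificate. It identifies that certificate by thumbprint rather than by subject (the thumbprint value below is a placeholder, not a real one), refuses connections where no certificate was presented at all, and decodes the SslPolicyErrors flags individually, since the enumeration is marked [Flags] and a name mismatch and a chain error can be reported together. The class name DevCertificateValidation and the Register method are assumptions for this example.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: development-only certificate validation that falls back to
// the platform's verdict whenever the certificate is valid.
public static class DevCertificateValidation
{
    // Placeholder value: replace with the thumbprint of your development
    // web server's certificate as shown in the certificate MMC snap-in.
    private const string DevServerThumbprint = "0000000000000000000000000000000000000000";

    // Register exactly once per process. ServicePointManager is global, so every
    // HTTPS request in the process (not only the WCF proxy) goes through this
    // callback. Assigning with '=' avoids stacking a new delegate on each call.
    public static void Register()
    {
#if DEBUG
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
#endif
    }

    public static bool ValidateServerCertificate(
        object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
    {
        // Normal case: the platform validated the certificate and its chain.
        if (errors == SslPolicyErrors.None)
        {
            return true;
        }

        // No certificate at all can never be "the known development certificate".
        if (certificate == null || (errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
        {
            return false;
        }

        // Test each flag bit separately; the enumeration is a [Flags] type.
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
        {
            Console.WriteLine("Certificate subject does not match the requested host name.");
        }
        if ((errors & SslPolicyErrors.RemoteCertificateChainErrors) != 0 && chain != null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                Console.WriteLine("Chain error: {0} ({1})", status.Status, status.StatusInformation);
            }
        }

        // Development exception: tolerate name/chain problems only for the one
        // certificate we know. Matching the thumbprint (hash of the certificate)
        // means another certificate with the same subject is still rejected.
        X509Certificate2 cert2 = new X509Certificate2(certificate);
        return string.Equals(cert2.Thumbprint, DevServerThumbprint, StringComparison.OrdinalIgnoreCase);
    }
}
```

Call DevCertificateValidation.Register() once at startup, before the first proxy call opens the channel. Because the registration is inside #if DEBUG, a release build keeps the default validation and the infrastructure problems surface as the SecurityNegotiationException described above, which is the behaviour you want outside development.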
For more information about validation callbacks take a look here.
Posted Jun 29 2006, 03:58 PM by Damir Dobric