
SSL Cert for WCF auth

I've developed an application which starts several WCF Services that use SecurityMode.Message to encrypt the communication.

It's working, but it's very complicated, because we have to generate an SSL cert and put it in a specific store on both the server and the client.

The problem is that the customer who will use the program:

  • Is not in a domain (in fact, the server will certainly be in a domain, but not the client)
  • Doesn't want to buy a cert

So what is my best shot? I only need to encrypt data, I don't need to ensure that I'm connecting to the right host.

I know I'm not in the best case, but the application will be used by some specific users.

Here is a part of my code which makes the connection:

Server side:

ServiceHost host = new ServiceHost(typeof(MyServiceType));
// lift the default reader quotas so large XML payloads are not rejected
WSHttpBinding binding = new WSHttpBinding
{
    ReaderQuotas = { MaxStringContentLength = int.MaxValue, MaxArrayLength = int.MaxValue, MaxDepth = int.MaxValue, MaxBytesPerRead = int.MaxValue, MaxNameTableCharCount = int.MaxValue },
    MaxReceivedMessageSize = int.MaxValue
};
TimeSpan timeoutSpan = TimeSpan.FromMilliseconds(timeout);
binding.CloseTimeout = timeoutSpan;
binding.OpenTimeout = timeoutSpan;
binding.ReceiveTimeout = timeoutSpan;
binding.SendTimeout = timeoutSpan;
binding.ReliableSession.InactivityTimeout = timeoutSpan;

binding.MaxBufferPoolSize = int.MaxValue;
// message-level security: the service certificate encrypts/signs the SOAP body, clients send a user name/password
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
// service certificate is looked up in LocalMachine\My by the subject name configured in app.config (System.Configuration)
host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, ConfigurationManager.AppSettings["Hostname"]);
// only applies to client certificates; with MessageCredentialType.UserName this setting has no effect
host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
host.AddServiceEndpoint(services[port], binding, String.Format("http://localhost:{0}", port));

Client side:

string remoteAddress = String.Format("{0}://{1}:{2}", Tools.GetDescription(accessInfo.ServiceHost.Protocol), accessInfo.ServiceHost.HostName, accessInfo.PortNumber);

// avoid serialization/deserialization problems with large XMLs
WSHttpBinding binding = new WSHttpBinding();
binding.ReaderQuotas.MaxStringContentLength = int.MaxValue;
binding.ReaderQuotas.MaxArrayLength = int.MaxValue;
binding.ReaderQuotas.MaxDepth = int.MaxValue;
binding.ReaderQuotas.MaxBytesPerRead = int.MaxValue;
binding.ReaderQuotas.MaxNameTableCharCount = int.MaxValue;
binding.MaxReceivedMessageSize = int.MaxValue;
TimeSpan timeoutSpan = TimeSpan.FromMinutes(30);
binding.CloseTimeout = timeoutSpan;
binding.OpenTimeout = timeoutSpan;
binding.ReceiveTimeout = timeoutSpan;
binding.SendTimeout = timeoutSpan;
binding.ReliableSession.InactivityTimeout = timeoutSpan;
binding.MaxBufferPoolSize = int.MaxValue;

// we set the security type: must match the server binding exactly
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;

ChannelFactory<TService> channelFactory = new ChannelFactory<TService>(binding, remoteAddress);

_service = channelFactory.CreateChannel();

Please note that I removed the part concerning my custom auth to have cleaner code.

Your customer wants security outside of a Windows domain = your customer wants a certificate. No certificate = no security. That is what you must explain to your customer.

You just need to have a certificate with a private key on the server, and the client must trust that certificate (it doesn't have to install it if it trusts the publisher). What does that mean? You have three options:

  • Your customer must buy a certificate from a trusted publisher and your clients will simply work.
  • Your customer must have its own certificate authority installed which will generate the certificate, and clients must have the certificate of that authority in their trusted root authorities store (every bigger company has its own certificate authority).
  • You will use a self-signed certificate in production. This is "less secure" and not recommended. "Less secure" means that your client must trust the self-signed certificate and it cannot validate the certificate chain = it cannot validate that the certificate was issued by a trusted authority, and it cannot validate that the certificate authority revoked a compromised certificate. In this scenario you must install the service certificate on each client - it is the only way to trust a self-signed certificate (installing it is actually the act of trusting it).

That is how security works. You can build your own - you will put a big effort into that, but at the end you will still need PKI (private key infrastructure) with asymmetric encryption to make it really secure. Certificates are mostly about wrapping, storing and transferring public and private keys.
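Added example (not code from the question or the answer): a client that keeps SecurityMode.Message with UserName credentials but pins the server's self-signed certificate by thumbprint, so the traffic stays encrypted and any other certificate presented in its place is rejected, without buying a cert or turning validation off. IMyService, PinnedClient, ThumbprintValidator and the pinned thumbprint are assumptions; the thumbprint has to be copied from the server's certificate out of band.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
[ServiceContract] // hypothetical contract, assumed for this example
public interface IMyService
{
    [OperationContract]
    string Ping(string text);
}
// Accepts exactly one service certificate, identified by its thumbprint, instead of
// requiring a CA chain (which a self-signed cert lacks) or turning validation off.
public sealed class ThumbprintValidator : X509CertificateValidator
{
    private readonly string _expected;
    public ThumbprintValidator(string expectedThumbprint)
    {
        _expected = expectedThumbprint.Replace(" ", string.Empty);
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null || !string.Equals(certificate.Thumbprint, _expected,
                                                  StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException(
                "Service certificate does not match the pinned thumbprint; refusing to connect.");
    }
}

public static class PinnedClient
{
    public static IMyService Connect(string remoteAddress, string pinnedThumbprint,
                                     string user, string password)
    {
        WSHttpBinding binding = new WSHttpBinding();
        binding.Security.Mode = SecurityMode.Message;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        ChannelFactory<IMyService> factory = new ChannelFactory<IMyService>(binding, remoteAddress);
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        // Default is ChainTrust, which rejects a self-signed service certificate.
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.Custom;
        factory.Credentials.ServiceCertificate.Authentication.CustomCertificateValidator =
            new ThumbprintValidator(pinnedThumbprint);
        return factory.CreateChannel();
    }
}
```

This is the answer's third option in code form: each client is given the thumbprint rather than a certificate install, and the pinned value must be updated whenever the server certificate is renewed.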
