Apache Axis 1.4: Calling a SOAP API on an https server through an http proxy - ssl

The problem is as follows:
We have a SOAP API running behind TLS1.2 and SNI
Our main software is stuck on JDK6 where it is basically impossible to connect to a server using SNI
We need to use Axis 1.4 for SOAP calls
We have set up a simple Apache Proxy rerouting calls to http://proxyIP/foo to https://mainIP/
The proxy works like a charm when tested manually or in a browser.
However, using Axis to do the required SOAP calls fails with an Exception:
Unrecognized SSL message, plaintext connection?
What could cause this and how could we fix this?
Every idea is appreciated.

Related

Convert an existing http relay server currently deployed as a windows service to handle https requests

I have a custom coded relay server application in VB.NET that is currently deployed as a windows service.
It accepts HTTP web requests from a client using a Tcp Listener, parses the requests and forwards it to another remotely hosted service via socket communication. The result from the service is then sent back by my relay server to the original client as a http response.
This functionality works perfectly as of now, but I would now like to upgrade my relay server to accept HTTPS requests instead of http.
I am not sure how to move ahead with this scenario.
I researched and found the following 2 options but I am not sure which is better and feasible?
One, I explicitly upgrade my current code to handle https handshake, certificate validation etc (if so, how?) or second option, can my current application be hosted on IIS to handle this scenario (if so, how)?
Thanks in advance.
A possible solution is to use IIS with Application Request Routing (ARR) as a reverse proxy in front of your service (it's not possible to "host" your service in IIS as such).
You could set up IIS/ARR with a certificate and a suitable HTTPS binding, then configure ARR to proxy the HTTPS requests on to your service listening on HTTP. No changes are required to your service's code.
Take a look at the following example: https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing
In your case, your service listening on port 80 is no different from a website running in IIS. The above example is more complicated than you need (as it's reverse proxying 2 websites based on a prefix of the URL), but it gives you a starting point.
A further possible step to force all traffic to use HTTPS would be to change the port your service uses (e.g. to 8080 instead of 80), then set up IIS to handle port 80 and perform a redirect to 443, and then use 443 and ARR to proxy your traffic to your service on 8080.
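The layout described in the answer above, written out as a web.config for the IIS site (an added example, not taken from the original answer or from the linked Microsoft article). It assumes URL Rewrite and ARR are installed with the proxy enabled, the site is bound to both port 80 and port 443, and the relay service has been moved to 127.0.0.1:8080; the rule names are arbitrary.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: web.config for the IIS site that fronts the relay service.
     Assumptions: URL Rewrite and ARR are installed, "Enable proxy" is checked
     in ARR's Server Proxy Settings, the site has bindings for http:80 and
     https:443 (with the certificate), and the relay listens on 127.0.0.1:8080. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule 1: a request that arrived without TLS is redirected to the
             same host and path over HTTPS and never reaches the relay. -->
        <rule name="RedirectHttpToHttps" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" />
        </rule>
        <!-- Rule 2: only HTTPS requests get this far. ARR forwards them to
             the relay over plain HTTP, so TLS terminates at IIS. -->
        <rule name="ProxyToRelay" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://127.0.0.1:8080/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The hop from IIS to the relay is unencrypted, so the relay should listen only on the loopback address and port 8080 should not be reachable from outside the host.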

How to make Axis 2 Proxy property aware of HTTPS for forward proxy server

We are using the Axis 2 framework to consume an external service, for which we need to route the call through a forward proxy server. I am using the code below to prove it out in the lab, but on the actual proxy server (which is https://.....) I don't seem to have a way to tell Axis 2 (ServiceClient), which internally uses CommonsHttpTransportSender, that the hostname being passed is to be used with the HTTPS scheme.
Is there an easier way to achieve this with CommonsHttpTransportSender?
Options o = s._getServiceClient().getOptions();
HttpTransportProperties.ProxyProperties proxyProperties = new HttpTransportProperties.ProxyProperties();
proxyProperties.setProxyName(config.getForwardProxyServer());
proxyProperties.setProxyPort(config.getForwardProxyPort());
o.setProperty(HTTPConstants.PROXY, proxyProperties);
After reading the RFC for Web proxy tunneling, I realize the requirement in itself is wrong. A forward proxy usually listens on the HTTP protocol and simply facilitates a tunnel between client and server; if the proxy has to listen on HTTPS, then it would be more of a case for a reverse proxy, which wouldn't be applicable for an HTTP proxy as the question above originally stated.
CommonsHttpTransportSender internally uses Commons HTTP Client 3.1 which uses HTTP Proxy as per RFC.

Change binding from http to wsHttp - and now i can't connect to the server

This is my first WCF project.
I defined the endpoint protocol as http, and I just changed it to wshttp.
I am trying to connect to the server from the client (which connected to the same server when it was http) and I get the message
"The service certificate is not provide. Specify a service certificate in ServiceCredintials ... "
I don't know how to solve this problem.
Thanks for any help.
wsHttpBinding is secure by default and uses transport/message security (don't remember exactly which one). Hence you are seeing this error. The server component (assuming IIS) needs to have a certificate installed and SSL enabled. Google around to find how to enable wsHttpBinding on an endpoint.

WCF HTTPS self-hosted service does not work ("connection to the server was reset")

I have a Self-Hosted (Console App) WCF REST service with the following binding:
WebMessageEncodingBindingElement
HttpsTransportBindingElement (ManualAddressing=true, KeepAliveEnabled=true, AllowCookies=false, HostNameComparisonMode=Exact)
This is exposed over an HTTPS URL ("https://mylaptop/myendpoint")
I have a self-signed certificate issued to "mylaptop" that I assign using myServiceHost.Credentials.ServiceCertificate.SetCertificate. The certificate is added successfully, and the ServiceHost opens successfully (no exceptions). If I type "netsh http show servicestate", I can see that there's a successful registration at https://mylaptop/myendpoint with HTTP.SYS.
However, when I issue a GET to the endpoint, it doesn't work. It seems like the socket is dropped even before a valid HTTP response is obtained. (Firefox says "connection to the server was reset", IE says "cannot display the webpage", and if I do the request through Fiddler it says "connection was forcibly closed by the remote host").
Everything works fine when I use HTTP instead of HTTPS.
Any idea what could be going wrong in the HTTPS case?
You probably need to use httpcfg.exe to reserve your endpoint with HTTP.SYS correctly with a configured X.509 certificate for SSL. The steps to get it done are documented here.
Or use HttpCfgGui, a much friendlier interface for setting up the server certs w/ HTTP.SYS. This is a must-install on all my servers that do HTTP w/ WCF.

How to use Forms Auth when SSL is on a proxy in front of the IIS Farm (WCF)?

Here is my scenario:
I have a proxy that actually has the SSL cert installed, and this sits in front of a load-balanced web farm. Each IIS server does not have SSL, so I can't use transport security via wsHttp binding. I have not investigated basicHttp because we want to provide SOAP 1.2 going forward w/ this solution. In addition to this, my network team won't allow any use of certs to encrypt at the message level. (This alone would solve my dilemma, I'm sure.)
My security group has a requirement that we use Forms Authentication (membership provider).
The final solution must allow SSL via the front proxy, yet some type of WCF binding to keep complexity encapsulated in a config file.
I was working with a custom binding that allowed for username/password sent via clear text, but when I try to connect via https I get the usual "http expected" URI error.
How can I use SSL via the proxy to connect securely from client app to web service, but not have SSL installed on IIS and leverage the WCF stack + forms authentication?
I'm not new to WCF, but this very custom setup seems to have me unsure if the requirements allow for any type of "easy" solution.
Thank you in advance!
EDIT: I did finally get this working and decided to write a short blog post with complete source code required to write the custom binding.
I think this is similar to a problem many have had when wanting to provide WCF services over SSL when the actual service in IIS is behind an SSL-offloading device. In which case, the following two pages should help you out:
http://blog.hackedbrain.com/archive/2006/09/26/5281.aspx
http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/87a254c8-e9d1-4d4c-8f62-54eae497423f/
Basically you need to lie to WCF and say that the service is secure, even though the traffic will be conducted over HTTP (between the service and the proxy).