I want to write a WCF service (self-hosted) that should use https.
By searching the web I found a blog article from msdn that tells me
to use the "netsh.exe" command to bind the certificate to the endpoint
by commandline:
http://blogs.msdn.com/b/james_osbornes_blog/archive/2010/12/10/selfhosting-a-wcf-service-over-https.aspx
However, is this still state of the art?
Why not use this:
http://msdn.microsoft.com/de-de/library/system.servicemodel.description.servicecredentials.servicecertificate(v=vs.100).aspx
Or do I miss something?
Thanks for any help.
So I finally found out why I need to use the netsh command:
Check this article:
https://msdn.microsoft.com/en-us/library/ms789011%28v=vs.110%29.aspx
From this article:
If the transport is HTTP (using the WSHttpBinding), SSL over HTTP provides the transport-level security. In that case, you must
configure the computer hosting the service with an SSL certificate
bound to a port, as shown later in this topic. If the transport is
TCP (using the NetTcpBinding), by default the transport-level security
provided is Windows security, or SSL over TCP. When using SSL over
TCP, you must specify the certificate using the SetCertificate method,
as shown later in this topic.
So you can only use the Property for tcp binding.
If you use ssl over http, you need to bind a certificate to a port by netsh command
Related
I've a WCF project and just started to integrate endpoints listening to https.
For testing I've created a self-signed certificate using this
article.
The certificate is valid:
Now I'm trying to consume the services that are listening to https, but the connection via OpenSSL command line tools fails:
CONNECTED(00000003)
write:errno=54
Also the -debug switch does not give any information.
Furthermore I've configured wcf tracing in order to resolve the error.
This gives me only information about the endpoint is listening to https but not anything about the connection error.
Can you please help me?
There was an issue with the certificate.
I've now created a CA certificate, intermediate (in order to support 2-step-validation) and the service certificate.
Furthermore it was necessary to link the certificate with the port of the service using netsh (netsh http add sslcert ipport=0.0.0.0:[your_port] certhash=[hash_of_cert] appid=[uuid]
here i am asking few basic question about wcf ssl & certificate
i am new in wcf and also to be very honest that i have basic problem to understand the SSL & certificate.
1) i like to know that when we enable SSL then every time we need to use certificate or the same way when we attach certificate with wcf then SSL will be used implicitly.
2) SSL & Certificate both are same or different in concept ?
3) when we self host wcf service then can we enable SSL or certificate...which one will be applicable ?
4) tcp binding for certificate is not related with http. so when we work with tcp binding then can we enable SSL for tcp binding.
5) what is difference between SSL & Certificate ?
6) when we use certificate at service end then client end which consume & call the service they always need to install certificate. if not then when client need to install certificate & when not required. one guy told me that client need to install certificate only when mutual authentication is required but i do not know about what mutual authentication ?
i know i asked very basic question. if possible please explain all my points in details to clear my doubts. thanks
UPDATE
1) i like to know that when we enable SSL then every time we need to use certificate or
the same way when we attach certificate with wcf then SSL will be used implicitly.
you said as follows :-
When enabling Transport security the endpoint address must include the HTTPS protocol,
otherwise an exception will be thrown when you go to start the service. For HTTPS to work on that endpoint,
then you need an X.509 Certificate bound to the specified port as well.
why you said this :- When enabling Transport security the endpoint address must include the HTTPS protocol
https come to play when we host our wcf service in IIS. suppose when we host wcf service in self host
and tcp used as binding then why we need to include https in endpoint because you said enabling Transport
security and endpoint address must include the HTTPS protocol....is it correct ? may be i could not understand
what you are trying to say. can you please explain in detail what you are trying to say for the point 1
6) when we use certificate at service end then client end which consume & call the service they always
need to install certificate. if not then when client need to install certificate & when not required.
one guy told me that client need to install certificate only when mutual authentication is required
but i do not know about what mutual authentication ?
here i just trying to know that when wcf service will hosted and attached with certificate then is it mandatory
that client who consume the service he/she need to use certificate at client end ?
i guess it is not mandatory. only two end use certificate when mutual authentication would be consider.
am i right ?
in case of mutual authentication server & client end need to install or use same certificate or client can use different certificate purchase from abc.com and server end purchase certificate from xyz.com.
please clearly discuss my above two points in details. thanks for your time & answer.
Okay here we go:
1) i like to know that when we enable SSL then every time we need to
use certificate or the same way when we attach certificate with wcf
then SSL will be used implicitly.
When enabling Transport security the endpoint address must include the HTTPS protocol, otherwise an exception will be thrown when you go to start the service. For HTTPS to work on that endpoint, then you need an X.509 Certificate bound to the specified port as well.
2) SSL & Certificate both are same or different in concept ?
SSL certificates are a type of X.509 Certificate*. In TLS (which SSL is a predecessor of), virtually all certificates are X.509 certificates.
3) when we self host wcf service then can we enable SSL or
certificate...which one will be applicable ?
When using Transport level security, the Self-Hosted Service will make use of the X.509 certificate bound to the port of the endpoint that it is listening at. Setting the service certificate will have no impact in this case.
4) tcp binding for certificate is not related with http. so when we
work with tcp binding then can we enable SSL for tcp binding.
Yes, Transport level security provided for TCP is Windows security by default which is SSL over TCP. When using SSL over TCP, you must explicitly specify the certificate by using the SetCertificate method on the Self-Hosted Service.
5) what is difference between SSL & Certificate ?
As stated above, essentially SSL is a subset of X.509 Certificates - technically speaking the relationship isn't as simple as that, but typically you use X.509 Certificates for SSL\TLS.
6) when we use certificate at service end then client end which
consume & call the service they always need to install certificate. if
not then when client need to install certificate & when not required.
one guy told me that client need to install certificate only when
mutual authentication is required but i do not know about what mutual
authentication ?
Mutual SSL authentication is when the client and server each provide a digital certificate so each party can verify the identity of the other. Here's a great article on Mutual SSL Authentication if you're interested.
This isn't necessary though and only one of the many options you have when using Transport security - see more options here: HttpClientCredentialType.
You can also still do security at the Transport level while passing credentials at the Message level by using TransportWithMessageCredential - then you can use set Client Credentials to use a BasicHttpMessageCredentialType and use UserName instead.
*: Other types of certificates can be used for SSL\TLS such as OpenPGP - but it is far from common.
I'm using django-celery do connect to a RabbitMQ broker through SSL (with the BROKER_USE_SSL setting). Is there a way to:
Verify the certificate of the broker when the connection is established.
Configure a client certificate to us to establish the connection.
The RabbitMQ side is working correctly, but I don't know how to configure Celery for this and I haven't found anything in Celery's documentation either. The settings CELERY_SECURITY_KEY, CELERY_SECURITY_CERTIFICATE and CELERY_SECURITY_CERT_STORE look like they could do this, but it seems that they're only used for message signing.
kombu.Connection accepts ssl argument as a dictionary of SSL configuration (ssl=False by default). I suppose it is applicable for BROKER_USE_SSL too.
BROKER_USE_SSL={
'ca_certs': '/etc/pki/tls/certs/something.crt',
'keyfile': '/etc/something/system.key',
'certfile': '/etc/something/system.cert',
'cert_reqs': ssl.CERT_REQUIRED,
}
We have a WCF Self hosted application that uses SSL but we have it on port 15014. I when through and did everything that MSDN lists for attaching the SSL cert to the port and the code. It works when i browse to 'https://secure.mydomain.com:15014'. The issue is when i look at that connection through wireshark i only see tcp as the protocol and not SSLv?. I don't see any client handshake at all. This leads me to believe that it is not really secure. Am i correct on this?
Le'ts say you open a tcp socket on port 80 to handle http request, and a ssl socket on port 443 to deal with https...how can some proxy provide access to both of them on the same port??
I found only this link but it wasn't very useful. Can you provide me an erlang example or suggest me some resources from which i can learn more on the topic?
Thanks in advance
how can some proxy provide access to both of them on the same port??
By implementing the HTTP CONNECT method, the (non-transparent) proxy may switch to providing a TCP tunnel over which a browser may, for example, access an HTTPS resource.
A rather sparse specification:
https://www.rfc-editor.org/rfc/rfc2616#section-9.9
As outlined in the link you provide, you will need to write your own custom server that sniffs the request and then redirects to the correct protocol accordingly.
As http://www.faqs.org/rfcs/rfc2818.html indicates, an HTTP session will start with an Initial Request Line (e.g. GET /), whereas a TLS session will start with a ClientHello (more on the TLS session on wikipedia)
There are lots of resources online about writing servers in Erlang, e.g. How to write a simple webserver in Erlang?
Incidentally your terminology is incorrect: http, https SSL and TLS are protocols, and all operate (over the web) using TCP sockets.