I'm developing a client/server Winforms application. Clients connect to server using internet and use WCF's netTCPBinding to talk to server.
Communicating in a secure channel is very important for me and since NetTCP binding is secured by default with TLS, it seems like I don't have to do anything. Do I?
How can I monitor the encrypted data sent/received between my client/server in localhost? I used RawCap to capture data and opened the dump file in Wireshark. But I don't know how I should check for TLS security in packets. dump file is full of unkown TCP packets (not from my software) with vcom=tunnel info for most of them.
TCP binding security element is set to Transport by default. This indicates requirement that transport session must be encypted. If you cannot establish TLS session service will reject the call.
You can use something like TCPMon which will show TLS traffic albeit encrypted. Also there is SSLDump
Related
I am developping a FTPS client in a Embedded system with LWIP and mbedTLS stacks.
For now, what I do is :
Get an IP adress with DHCP
Get IP address of the server with DNS
Start a TCP connection to the server ( the control connection)
Telling the FTP server that I want to work with the TLS protocol with the command AUTH TLS
Handshake of the TLS protocol with the server
Validate the x509 certificate that the server sends
Telling the client that I want to work in passive mode and that i want to read a file with the command RETR.
Now, I need to open a data connection to read my file. So what I wanted to know is does the data connection is secured in the same way the control connection is ? That means do I have a certificate to validate ? Is the handshake the same ?
If this isn't clear let me know i'm not an expert at all in this area.
Thank you for your future responses
In explicit FTPS connection after you send AUTH command, the data connection is secured all the way. Depending on Active/Passive connection the data connection is opened through port 20(Active) or some random port negotiated(Passive).
You don't need any extra handshakes as far as I know.
You might or might not be able to configure if you want to reuse the same session ID created in opening the control channel. This is related for server to know that data connection has been established by the same client which opened the control channel. Some server require this, some servers allow this, some servers does not support this.
I have two processes communicating with each other using IIOP over SSL (with JacORB). How do I verify that the message packets are actually encrypted?
You can use wireshark to record and view all traffic and inspect the packets on the network.
I have some small questions of which I think they're quite easy to answer for a WCF expert, but which I don't exactly know. I'm hoping they're not to obvious:
Does transport security (http with
ssl) work in conjunction with
streaming? If no, how can I transfer
large data in a secure way to the
client?
If I am not completely off the track
an IDuplexSessionChannel requires
the client to open a port too, so
that the service can contact the
client via a callback. Does this
also affect an IDuplexSessionChannel
which comunicates via http? Port 80
should be open by default, shouldn't
it?
Yes streaming works with HTTPS (basicHttpBinding).
Yes duplex session channel requires port opened on the client because duplex communication over HTTP really means one connection from the client to the server and one reverse connection from the server to the client. Port 80 doesn't have to be opened by default on the client - if it is, it is most probably already associated with some web server so it cannot be used for the communication. Duplex communication is also WCF specific (it is not interoperable) and it leads to other consequences. For example in Windows Vista \ Windows 7 \ Windows 2008 Server with UAC you must run the client with elevated privileges or allow listening on the port by using netsh command line utility.
I'm not sure how these two questions are related but wsDualHttpBinding (implementation of IDuplexSessionChannel) doesn't support streaming or transport security.
All,
It is possible to use IIS (or similar) to handle the ssl side of https communications. Is there something similar that can handle the ssl side of a TCP/IP message?
Basically I have a client device sending a non-http message over a TCP connection and want a server that can handle the crypto and certificate side of SSL for me and forward the plain text on to another server.
The openSSL s_server command seems correct but the documentation states "It's intended for testing purposes only" while I need something robust. Is the documentation out of date?
Thanks,
Patrick
You are after the stunnel program:
Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon's code.
I don't think the documentation is out of date. "For testing purposes only" is their release from liability.
It sounds like you want an SSL tunnel. You could setup a tunnel to the SSL server, send the packets through the tunnel, and then have that server forward the result on. There are lots of tutorials on using SSH to setup tunnels over SSL.
I need to create a self-hosted WCF service.
I need secure duplex connection between client and server through Internet.
I read some documents of WCF and found that the netTcpBinding is suitable for intranet application, because the SSL is only point 2 point. If it is an internet application, the connection must not be point 2 point, am I correct? so SSL in transport security with netTcpBinding is not suitable?
so what combination should I use to create a secure duplex internet application?
thank you very much.
I have tried http://www.codeproject.com/KB/WCF/WCFWPFChat.aspx
this tutorial use netTcpBinding and endpoint localhost
I change the endpoint localhost to a name based url, forward a port in my router to my development PC, open the same port at Windows firewall.
The client program can chat with each cients program in different machines, BUT the callback connection will lost after one minute.
I also tried changing the binding to wsDualHttpBinding, the clients program can chat with each clients in the same machine and kept the callback connection in the reliableSession inactivityTimeout setting. However another client program in another machine cannot join the server, if I turn off Windows firewall on that machine, the client program can connect.
It seems that tcp binding can let the client program connecting to the server with Windows firewall turn on. but callback connection lost.
and the wsDualHttpBinding can keep the callback connections. but cannot connect to server if Windows firewall on.
Is there a way to kept the netTcpBinding callback connection as in the wsDualHttpBinding?
It sounds like you have two issues- duplex connection and security.
If you truly need a duplex connection (eg, server-initiated callbacks), neither of these will work very well over the internet unless you have very fine control over the firewalls on both ends (the client still has to expose a publicly accessible HTTP endpoint for the server to call back). The best way would be to use the new relay services with .NET 4.0- this allows for a mimic'd server-initiated connection through firewalls.
EDIT: this is now called AppFabric, and is part of the Windows Azure infrastructure
On the security front, you can always use message security over the service bus, but I don't see a reason why transport security would be a problem either.
To answer user248724,
The client program can chat with each
cients program in different machines,
BUT the callback connection will lost
after one minute.after one minute.
You need either have the client or the server to ping each other at least every minute to keep the connection socket alive.