I have several WCF services that each except several parameters. The service uses transport security over https. If fiddler is sniffing on the computer it can see all parameters sent to the service. Is there a way to protect the data?
Yes there is a way: you will not trust Fiddler certificate.
Fiddler works like HTTPS proxy so your client is not connecting with HTTPS to the service but to the Fiddler and Fiddler makes a new HTTPS connection to the service. Because of that Fiddler has all content decrypted.
To allow this scenario your service must trust Fiddler certificate (self-signed) because otherwise your service would refuse the connection to the Fiddler. Once you allowed Fiddler to install its certificate to your certification store it can capture and decrypt messages.
Related
I'm having a .net core API and an EmailService as a connected service (WCF)
The EmailService is hosted on IIS (HTTPS); I'm trying to connect to the emailService with a Client Certificate. Everything is fine but i'm getting the
The HTTP request was forbidden with client authentication scheme 'Anonymous' error;
On the EmailService side:
The SSL Settings are on Require SSL (Require), the IIS Binding is on HTTPS
On the API side:
When i'm trying to access the emailservice by chrome browser, i'm getting a prompt for a client certificate, i'm picking the cert and everything works alright;
Any suggestions?
Thanks
I am not sure if you can call the service properly since WS-security is not supported in DotNet Core. Anyway, this error typically indicates that the client’s certificate cannot be recognized by the server-side when establishing the Https communication. Also, if your client communicates with the server over HTTP and the server requires SSL, this kind of error also occurred.
The Https secure communication between the client-side and the server-side can not be established properly. As you know, the https secure communication requires the procedure of exchanging each other’s public key of the certificate. Therefore, the server-side and the client-side should establish mutual trust. In other words, the server’s certificate must be trusted by the client and the client’s certificate must be trusted by the server. The specific operation is to install the certificate in the local Trusted Root Certification Authorities.
Please refer to the below link.
https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/transport-security-with-certificate-authentication
Besides, the client-side should have access to the private key of the certificate provided by the client so that the https secure communication is valid. The specific operation is to add the current user to the private key management group of the certificate.
Feel free to let me know if there is anything I can help with.
Configuration:
Iis web app with require ssl and accept client certificates.
Web app contains wcf service.
Requesting a page from web app works as wel as requesting the wcf svc
Calling wcf from wcf client give 406.13 with same client certificate send.
Same setup works on development and several other production servers.
Checked cert store trusted root for illegal certificates. ( issued by <> issued to )
Applied reg setting schannel (from MS solutions).
How is this possible that browser requests do not fail but wcf requests do?
Must be something iis or windows related as same code works on other machines.
Any way to get more info why it thinks the client certificate is not trusted.
P.s. the wcf service method is never entered ( as my own tracing shows nothing)
Maybe this SO answer might be of some help. CAPI2 event log is the place where you should find more information why WCF considers the client certificate not trusted. Enable it both on the client side and also on the server side.
What is the difference between Client Cert and Service Cert props in the security tab of WCF-BasicHttp, WCF-WebHttp adatpers based recv and send ports and how they are used by BizTalk for SSL authentication?
The documentations are not that specific.
How to Configure a WCF-WSHttp Send Port
Seems reasonably clear in that article to me
The Client Certificate is the one you hold the private key for and is used for signing your messages so the recipient can verify who you are.
certificate for authenticating this send port to services
The Service Certificate is the public key of the service you are connecting too. This way it can verify that you are connecting to who you think you are connecting too.
certificate for authenticating the service to which this send port sends messages
This is not required "The default is an empty string." however it is a security feature that prevents someone successfully being able to spoof the web service and intercepting your payload if they manage to poison the DNS entry.
I am having an issue where service calls that I am making cannot validate server certificates presented by the TMG as part of connecting to the service. The certificate URLS from the TMG address are not reachable from the target servers. This is causing 30 second timeouts for new connections.
Is there a way to disable certificate revocation checks in Mule to avoid this issue?
If you're talking about Mule HTTP endpoints, then this would vary, if you're using http transport you can create a custom message dispatcher and allow http client to ignore the certificates, otherwise you can manually install the certificates in the keystore so you don't get SSL errors.
I have successfully configured a WCF service that uses mutual certificate authentication with a WCF client over SSL.
For the mutual authentication over HTTPS the client and server both have certificates, and have exchanged their public keys out of band, so WCF is explicitly checking the client or server respectively to make sure the right certificate is used.
Problem:
I now need to expose an HTTP endpoint for a PHP client where the message will be encrypted manually at the client and decrypted manually at the WCF service.
Initially I had the 'Require SSL' setting set to 'Require' in IIS 7, but now I tried to change that to 'Accept' so that IIS would accept the non-https traffic and configured another wsHttpBinding endpoint with no security on the service. Both endpoints have relative addresses.
I am getting the following error:
The SSL settings for the service 'SslRequireCert' does not match those of the IIS 'SslNegotiateCert'.
Is what I am attempting to do possible with WCF and IIS? I thought it would be relatively simple to set up an additional endpoint with a different binding.