WCF: Client-side Mutual Certificate Authentication Problem (Could not establish secure channel for SSL/TLS with authority) - wcf

I've done thorough research on my problem and have read many other posts/blogs but their solutions didn't solve mine. I was hoping someone could help.
I have a very simple WCF service that uses WsHttpBinding Transport Security with Mutual Certificate Authentication. The server certificate is self-signed certificate and I have confirmed I have the certificate in the trusted store on the client machine. The server has the client certificate (also self-signed) in the trusted certificate store and I have already verified that I can mutually-authenticate to the service fine using SOAPUI client.
However, I'm not able to do so using the WCF client I created. On the WCF client, I've set the client certificate by calling the channel factory's Credentials.ClientCertificate.SetCertificate(...) method and I've also added
    // accepts every server certificate, whatever sslPolicyErrors reports
    ServicePointManager.ServerCertificateValidationCallback +=
        (sender, certificate, chain, sslPolicyErrors) => true;
to bypass all possible server certificate problems but I always get: Could not establish secure channel for SSL/TLS with authority server.com.
Can someone please suggest to me what might be the problem and/or what I should do to get this working? Any help is appreciated.
Thanks.

Try this to see if this is only a problem with the certificate trust chain:
http://webservices20.blogspot.com/2008/12/wcf-gotcha-disabling-ssl-validation.html
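A mutual-certificate WCF client configured in code, added here as an example (it is not code from the question or the linked post). It does the same two things the question describes, setting the client certificate and deciding how the server certificate is checked, but instead of a validation callback that returns true for everything, which silently turns mutual authentication into a one-way check, it pins the self-signed server certificate by thumbprint through `ClientCredentials.ServiceCertificate.SslCertificateAuthentication` (available from .NET Framework 4.5). The service URL, both thumbprints and the `IService` contract are placeholders you would replace with your own.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Assumed contract; substitute the service's real one.
[ServiceContract]
public interface IService
{
    [OperationContract]
    string Ping();
}

// Accepts exactly one server certificate, the self-signed one you already trust,
// rather than every certificate the way "=> true" in a validation callback does.
sealed class PinnedServerCertificateValidator : X509CertificateValidator
{
    private readonly string _expectedThumbprint;

    public PinnedServerCertificateValidator(string expectedThumbprint)
    {
        _expectedThumbprint = expectedThumbprint;
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (!string.Equals(certificate.Thumbprint, _expectedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException(
                "Server presented " + certificate.Thumbprint + ", not the pinned certificate.");
    }
}

static class MutualTlsClient
{
    // Placeholder values (assumptions, not from the question).
    const string ServiceUrl = "https://server.com/Service.svc";
    const string ClientCertThumbprint = "0000000000000000000000000000000000000000";
    const string ServerCertThumbprint = "1111111111111111111111111111111111111111";

    public static ChannelFactory<IService> CreateFactory()
    {
        // Transport security over HTTPS, client authenticated with a certificate.
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        var factory = new ChannelFactory<IService>(binding, new EndpointAddress(ServiceUrl));

        // Client certificate: looked up in the store of the account running this code,
        // which must also be allowed to use its private key.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, ClientCertThumbprint);

        // Server certificate: pin it instead of disabling validation globally.
        var sslAuth = factory.Credentials.ServiceCertificate.SslCertificateAuthentication;
        sslAuth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        sslAuth.CustomCertificateValidator = new PinnedServerCertificateValidator(ServerCertThumbprint);

        return factory;
    }

    public static string CallPing()
    {
        var factory = CreateFactory();
        IService channel = factory.CreateChannel();
        try
        {
            return channel.Ping();
        }
        finally
        {
            ((IClientChannel)channel).Dispose();
            factory.Close();
        }
    }
}
```

If the channel still fails with "Could not establish secure channel" after this, the server side of the handshake is no longer the suspect: look at whether the account running the client can actually find the certificate under `CurrentUser\My` and open its private key.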

Related

Could not establish secure channel for ssl/tls authority

We have a WCF service installed on two servers and access it through a load balancer. We have a domain-validated certificate installed on the load balancer. The WCF client gives the error "Could not establish secure channel for ssl/tls authority" while adding the service reference, but SOAPUI is able to access the service.
I am not sure what is causing this issue. Any help will be appreciated.
Thanks in advance.
The root cause is the account running the WCF client application failed to access the private key of the client certificate.
The reason we should establish the secure channel for the SSL authority is that the communication between the server side and the client side works over HTTPS; therefore, these two sides should exchange the public key of the certificate. After that, the private key of the client certificate will be used to decrypt the HTTPS message so that the HTTPS traffic works properly. Likewise, the server account should also have access to the private key of the service certificate.
Please refer to the below steps to add the Everyone account to the management group of the private key of the client certificate so that the client account can access the private key properly.
Feel free to let me know if there is anything I can help with.
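A diagnostic that tests exactly the permission the answer above is talking about, added here as an example (it is not the answer's code). It finds the client certificate by thumbprint in the given store and tries to produce a signature with its private key under the account running the code, which is what TLS client authentication does during the handshake. A `CryptographicException` here means the certificate is present but this account cannot use the key. The store location and thumbprint are assumed inputs; it requires .NET Framework 4.6 or later for `GetRSAPrivateKey()`.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class ClientCertificateDiagnostics
{
    // Returns null when the running account can use the certificate's private key,
    // otherwise a short description of why TLS client authentication would fail.
    public static string CheckPrivateKeyAccess(StoreLocation location, string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, location))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);

            if (matches.Count == 0)
                return "certificate " + thumbprint + " not found in " + location + "\\My";

            X509Certificate2 cert = matches[0];
            if (!cert.HasPrivateKey)
                return "certificate has no associated private key (imported from a .cer instead of a .pfx?)";

            try
            {
                using (RSA rsa = cert.GetRSAPrivateKey())
                {
                    if (rsa == null)
                        return "private key is not RSA; check ECDSA key access separately";

                    // Signing is the operation the handshake performs with this key,
                    // so a test signature exercises the same ACL the channel needs.
                    byte[] probe = Encoding.ASCII.GetBytes("wcf-client-auth-probe"); // constructed payload
                    rsa.SignData(probe, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                }
                return null;
            }
            catch (CryptographicException ex)
            {
                return "private key exists but this account cannot use it: " + ex.Message;
            }
        }
    }

    static void Main()
    {
        // Assumed thumbprint; replace with the client certificate's own.
        string result = CheckPrivateKeyAccess(StoreLocation.LocalMachine, "0000000000000000000000000000000000000000");
        Console.WriteLine(result ?? "private key is usable by " + Environment.UserName);
    }
}
```

Run it under the same account the WCF client runs as (the service identity, not your interactive login). When it reports that the key cannot be used, grant Read on the key to that specific account (certlm.msc, All Tasks, Manage Private Keys) rather than to Everyone; a private key readable by every local account is usable by any process on the box.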

WCF svc Hosted IIS7 Selfsigned Certificate usage

I designed a service that will be intermittently consumed by one known customer application across the internet.
I know next to nothing about security, so I started digging.
From what I have found, I figure:
SSL (security at the transport layer) fits.
A self-signed certificate is required, and its public key must be sent to the client.
Am I on the right track, or is there a flaw in my logic?
Thanks
Bob
You are on the right track.
An SSL certificate helps you do two things:
The client knows who the server is.
The communication between the client and the server is encrypted.
With a self-signed certificate you are not sure who signed the certificate, but it works fine for encryption.
The client must trust the certificate, so with a self-signed one, the client must place the certificate in its list of trusted certificates.

Why use a trusted certificate for WCF message security?

What is the advantage of using a trusted certificate instead of a self-signed one for message security in WCF?
As far as I understand, it's only used for encryption, not really for validating the identity.
It depends. If you use an SSL certificate to offer the WCF service over HTTPS, then it's used for encryption, and the client can require it to be trusted (or not).
If the WCF service requires the client to sign the request, it is only used for validation/verification, and then you will certainly need a trusted certificate.
(The client certificate is then configured as an <endpointBehavior>.)
The problem is that you cannot really trust the message unless you trust the issuer. Message security implies encryption and signature. If the certificate is not signed by a trusted issuer, there is a much higher risk that the security infrastructure is not reliable:
Are certificates properly stored?
Who is able to issue certificates?
...
A valid certificate is one of the first steps to secure your infrastructure.
Think of it as if anyone was able to create his own ID card, how would you trust someone then?

WCF Client Certificate Authentication

We have a typical client-server WCF service and I would like the following:
The client passes a certificate to the server through the ClientCredentials property.
The server looks at the certificate and sees that it has been issued by our trusted certificate authority.
The client is rejected if it uses a certificate that is not issued by our CA.
The client has a clientAuthentication certificate installed, along with our trusted CA.
The server has our trusted CA certificate installed. I don't want to install any other certificates.
I am flexible on the binding; however, it does need to work in a web scenario.
I thought about using BasicHttpBinding with TransportCredentialOnly; however, it doesn't support certificates :(.
I've tried using wsHttpBinding in Message mode; however, that requires a ServerCertificate to perform server authentication and message encryption... which I don't want!
Is there any built-in way to achieve this?
All built-in bindings allow client certificates only when a server certificate is used as well (mutual certificate authentication and security). To support your scenario you will have to handle it completely yourself. If you want to inject your own authentication mechanism into WCF, you will have to do a custom token and custom credentials.

WCF client certificate signing : how to?

So I have a WCF service where various parts of the service contract have a ProtectionLevel of Sign. I set the credentials on the client side by choosing a certificate from the certificate store. This is fine.
However ....
Does this client certificate need to be in the Third-Party certificate store on the server for this to work?
If this is the case, how can I configure a service which accepts any client certificate?
And finally, how do I access the signing certificate within the implementation of the operations which require signed messages? Just the signing certificate's subject name would do fine!
Thanks
Ah, the joy of self-answering.
So:
"It depends." If you have ChainOrPeer validation, then either the chain or the presence of the certificate in the Trusted People store results in success. Validating only on Chain obviously checks the chain, setting Peer validation uses the store, and None lets everything through.
Set the validation mode to None.
The SecurityContext for the request contains an X509CertificateClaimSet, which in turn exposes the certificate itself.
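A service-side example, added here and not taken from either answer, that covers the last two questions together: the one above (get at the signing certificate from inside an operation) and the earlier "WCF Client Certificate Authentication" question (reject any client certificate not issued by our own CA). Instead of validation mode None, which accepts any certificate that can sign the message, it uses a custom `X509CertificateValidator` that builds the chain and pins the root to our CA's thumbprint; the operation then reads the caller's subject from the `X509CertificateClaimSet` on `ServiceSecurityContext`. As the earlier answer states, a server certificate is still required for message security, so one is configured. The CA and server thumbprints, base address and the `IEcho` contract are assumptions; it needs .NET Framework 4.6 or later for `X509Chain` to be disposable, and the CA certificate must be in the server's Trusted Root store (as in that question).

```csharp
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Accepts a client certificate only if its chain builds to a trusted root AND that
// root is our CA. A plain ChainTrust check would also accept any certificate from any
// publicly trusted CA installed on the box; None would accept anything at all.
sealed class IssuedByOurCaValidator : X509CertificateValidator
{
    private readonly string _caThumbprint;

    public IssuedByOurCaValidator(string caThumbprint)
    {
        _caThumbprint = caThumbprint;
    }

    public override void Validate(X509Certificate2 certificate)
    {
        using (var chain = new X509Chain())
        {
            // Assumption: a private CA without a reachable CRL; turn revocation on if you publish one.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

            if (!chain.Build(certificate))
                throw new SecurityTokenValidationException(
                    "Client certificate chain did not validate: " + certificate.Subject);

            X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            if (!string.Equals(root.Thumbprint, _caThumbprint, StringComparison.OrdinalIgnoreCase))
                throw new SecurityTokenValidationException(
                    "Client certificate was issued by " + root.Subject + ", not by our CA.");
        }
    }
}

// Assumed contract: the operation requires a signed (not necessarily encrypted) message.
[ServiceContract]
public interface IEcho
{
    [OperationContract(ProtectionLevel = ProtectionLevel.Sign)]
    string WhoAmI();
}

public sealed class EchoService : IEcho
{
    public string WhoAmI()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null)
            throw new FaultException("No security context on this request.");

        // The certificate that signed the message surfaces as an X509CertificateClaimSet.
        foreach (ClaimSet claimSet in ctx.AuthorizationContext.ClaimSets)
        {
            var x509 = claimSet as X509CertificateClaimSet;
            if (x509 != null)
                return x509.X509Certificate.Subject;
        }
        throw new FaultException("Message was not signed with a client certificate.");
    }
}

static class HostSetup
{
    public static ServiceHost Configure(Uri baseAddress, string serverCertThumbprint, string caThumbprint)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

        var host = new ServiceHost(typeof(EchoService), baseAddress);
        host.AddServiceEndpoint(typeof(IEcho), binding, "");

        // Message security still needs a service certificate for the client to encrypt to.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, serverCertThumbprint);

        // Replace None/PeerTrust with our own check.
        X509ClientCertificateAuthentication auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new IssuedByOurCaValidator(caThumbprint);

        return host;
    }
}
```

With this in place the client certificate does not need to be in the server's Trusted People store, only the CA does, and a certificate from any other issuer is rejected before the operation runs.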