Thursday, 22 January 2009

WCF Security and Certificates

It turns out, you can't do Message level authentication without a Certificate involved to identify the server as the server..
and then because I don't have a bona-fide bought and paid for Certificate for my server, it still fails with arcane errors until you add a magic line to the config file on the client saying "trust any old certificate -- we're not fussy!"
On the server config, I needed this line :
<serviceCertificate findValue="localhost" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
so I'll need to tweak those values somehow and right now on the client to avoid the "trusted certificate" issue, I needed :
Setting the certificateValidationMode to PeerOrChainTrust means that if the certificate
is in the user's Trusted People store, then it will be trusted without performing a
validation of the certificate's issuer chain. This setting is used here for convenience so that the
sample can be run without having to have certificates issued by a certificate authority (CA).
This setting is less secure than the default, ChainTrust. The security implications of this
setting should be carefully considered before using PeerOrChainTrust in production code.
<authentication certificateValidationMode="PeerOrChainTrust" />
Certificate Validation Differences Between HTTPS, SSL over TCP, and SOAP Security
You can use certificates in Windows Communication Foundation (WCF) with message-layer (SOAP) security in addition to transport-layer security (TLS) over HTTP (HTTPS) or TCP. This topic describes differences in the way such certificates are validated.
When using HTTPS to communicate between a client and a service, the certificate that the server authenticates with must support chain trust by default. That is, it must chain to a trusted root certificate authority. No online check is performed to see whether the certificate has been revoked. You can override this behavior by registering a RemoteCertificateValidationCallback callback, as shown in the following code:
ServicePointManager.ServerCertificateValidationCallback +=
new RemoteCertificateValidationCallback(ValidateServerCertificate);
where the signature for ValidateServerCertificate is as follows:
public static bool ValidateServerCertificate(
object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)

No comments: