SSL Programming (3): .NET implementation of the SSL server side

Source: Internet
Author: User
Tags: ssl connection

Prepare a digital certificate for development

In learning, development and debugging situations, one generally does not casually use the private key of a formal (production) SSL server certificate. Because SSL requires server authentication, the SSL server must have a server certificate and must be able to access that certificate's private key. For SSL deployments that also require client authentication, the client has the same requirement: it needs a digital certificate corresponding to the identity it claims.

The Windows SDK includes a command-line tool, Makecert.exe, that creates temporary digital certificates for testing and development. The tool also ships with Visual Studio. Open the SDK or Visual Studio command prompt window and enter the following command:

    makecert -ss MY

This creates a new digital certificate in the current user's personal certificate store. The certificate's intended purposes are set to "All", so it can be used for both server authentication and client authentication. The certificate created by this MakeCert command is named Joe's-Software-Emporium (the tool's default subject name); we will use it for server-side authentication. Next we create a certificate named Test2, which will be used later for client authentication. The command to generate the certificate named Test2 is:

    makecert -n "CN=Test2" -ss MY

At this point both the SSL server-side and client-side certificates are ready. Note that neither certificate is currently trusted by the system; we will deal with certificate trust during the programming and debugging steps that follow.

SSL service-side implementation

SSL Server Example 1 waits for a client's SSL handshake request on port 443; after the SSL handshake succeeds, it receives the client's data and then sends reply data back to the client.

The first step is to implement the TCP server: use a TcpListener object to start listening, wait for a connection, and accept it to obtain a TcpClient object representing the peer connection to the client. This is slightly more involved than the TCP client and is not covered in detail here; readers who are unfamiliar with it can consult reference material on TCP server-side programming. The code snippet is as follows:

    TcpListener listener = new TcpListener(IPAddress.Any, 443);
    listener.Start();
    while (true)
    {
        Console.WriteLine("Waiting for a client to connect...");
        // The application blocks here until a client initiates the connection.
        TcpClient client = listener.AcceptTcpClient();
        ProcessClient(client);
    }

When execution reaches ProcessClient, the server already holds a TCP connection represented by a TcpClient object. From here on, at the level of network communication, the server and the client are equivalent. We use the I/O stream of the server-side TcpClient object to construct an SslStream object, which handles the SSL protocol. The difference from the client is that the server calls the AuthenticateAsServer method, which puts the SslStream into SSL server mode and waits for the client to initiate the SSL handshake. AuthenticateAsServer requires a server certificate as input; the code snippet that loads the server certificate named Joe's-Software-Emporium is as follows:

    X509Store store = new X509Store("MY", StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);
    // Look the certificate up by subject name; validOnly = false, because the test certificate is not trusted by the system.
    X509Certificate2Collection storeCollection = store.Certificates.Find(
        X509FindType.FindBySubjectName, "Joe's-Software-Emporium", false);
    X509Certificate2 serverCertificate = storeCollection[0];

Pass the serverCertificate object obtained above as the server certificate and start the SSL server side:

    SslStream sslStream = new SslStream(
        client.GetStream(), false,
        new RemoteCertificateValidationCallback(ValidateClientCertificate));
    // Authenticate the server but don't require the client to authenticate.
    try
    {
        sslStream.AuthenticateAsServer(serverCertificate,
            false, // This parameter determines whether the client must present a digital certificate so that the server can authenticate the client.
            SslProtocols.Tls, false);
        // Display the properties and settings for the authenticated stream.
    }
    catch (AuthenticationException e)
    {
        Console.WriteLine("Exception: {0}", e.Message);
        sslStream.Close();
        client.Close();
    }

After the connection is established, the server calls SslStream's Read and Write methods for secure data exchange.
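The following is an added example, not the article's own code: a complete ProcessClient method that ties the snippets above together (certificate lookup, the server-side validation callback, the handshake, and one Read/Write round trip). It assumes the article's test certificate subject Joe's-Software-Emporium, a reply text of our choosing, and selects SslProtocols.Tls12 instead of the article's SslProtocols.Tls (TLS 1.0).

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class SslServerExample
{
    const bool ClientCertificateRequired = false; // true only when clients must authenticate (the Test2 case)

    // Loads the makecert test certificate from the personal ("MY") store; the private key must be there.
    static X509Certificate2 LoadServerCertificate()
    {
        X509Store store = new X509Store("MY", StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection found = store.Certificates.Find(
            X509FindType.FindBySubjectName, "Joe's-Software-Emporium", false);
        store.Close();
        if (found.Count == 0 || !found[0].HasPrivateKey) throw new InvalidOperationException("No usable server certificate in the MY store.");
        return found[0];
    }

    // Server-side callback: decides whether the client's certificate (if any) is acceptable.
    static bool ValidateClientCertificate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        // Client authentication is switched off, so "no certificate presented" is not an error.
        if (!ClientCertificateRequired && errors == SslPolicyErrors.RemoteCertificateNotAvailable) return true;
        Console.WriteLine("Client certificate rejected: {0}", errors);
        return false;
    }

    static void ProcessClient(TcpClient client)
    {
        SslStream sslStream = new SslStream(client.GetStream(), false, ValidateClientCertificate);
        try
        {
            sslStream.AuthenticateAsServer(LoadServerCertificate(), ClientCertificateRequired, SslProtocols.Tls12, false);
            byte[] buffer = new byte[4096];
            int read = sslStream.Read(buffer, 0, buffer.Length);   // plaintext after decryption
            Console.WriteLine("Received: {0}", Encoding.UTF8.GetString(buffer, 0, read));
            byte[] reply = Encoding.UTF8.GetBytes("Hello from the SSL server.");
            sslStream.Write(reply, 0, reply.Length);               // encrypted on the wire
        }
        catch (AuthenticationException e)
        {
            // Typical cause in this article's setup: the client refused the untrusted test certificate.
            Console.WriteLine("Handshake failed: {0}", e.Message);
        }
        finally { sslStream.Close(); } // also closes the TCP connection (leaveInnerStreamOpen = false)
    }
}
```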

SSL connection Test

We still use the previous simple SSL client Example 1, modifying its destination address and port so that it connects to SSL server Example 1. The client immediately reports that the certificate presented by the server is invalid and aborts the SSL handshake.

(The execution trace and the program output referred to here are not available in this copy of the article.)

If we force the client's certificate verification function, ValidateServerCertificate, to return true, the SSL handshake completes and encrypted data can then be sent and received. However, doing so means the client will accept any server certificate, leaving the SSL client program unprotected against SSL man-in-the-middle attacks. We will not give such a bad example here; an impatient reader can make the change alone by editing the callback to return true directly. Remember that such ValidateServerCertificate code may only be used for playing with SSL programming while learning, and must never be used in any formal product! Alternatively, the developer can force the computer to trust the CA that issued the test certificate, after which client Example 1 completes the SSL handshake; but this means the system trusts a test CA, which compromises the public key trust of the entire computer, and we do not do that here.

Although the simplest SSL client, Example 1, cannot connect to this server, the server-side code is complete for an SSL service that does not require client authentication. If the server loads a valid server certificate issued by a publicly trusted CA such as VeriSign, client Example 1 will connect normally and complete the encrypted sending and receiving of data.

Because most readers will not have such a server certificate, client Example 1, a secure SSL client that trusts only system-trusted certificates, refuses to establish an SSL connection with an SSL server that uses the test certificate. We will give a more thorough discussion of the appropriate handling of this problem later.
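As an added example that is not part of the article, one way to let the test client accept this specific test certificate without returning true for everything or installing a test CA is to pin the server certificate's thumbprint in the client's ValidateServerCertificate callback. The thumbprint constant below is a placeholder to be replaced with the value shown for the Joe's-Software-Emporium certificate in the certificate store; the class and constant names are our own.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class PinnedServerValidation
{
    // Placeholder: replace with the thumbprint shown for the test certificate in the MY store.
    const string ExpectedThumbprint = "0000000000000000000000000000000000000000";

    // Errors a self-signed test certificate is expected to produce; any other error stays fatal.
    const SslPolicyErrors TolerableForPinnedCert =
        SslPolicyErrors.RemoteCertificateChainErrors | SslPolicyErrors.RemoteCertificateNameMismatch;

    public static bool ValidateServerCertificate(object sender, X509Certificate certificate,
                                                 X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Normal case: the certificate chains to a CA the system already trusts.
        if (sslPolicyErrors == SslPolicyErrors.None) return true;
        if (certificate == null) return false;
        // Pinned case: accept only the exact test certificate, identified by thumbprint rather than by name.
        bool onlyTolerableErrors = (sslPolicyErrors & ~TolerableForPinnedCert) == 0;
        string thumbprint = new X509Certificate2(certificate).Thumbprint;
        bool isPinned = string.Equals(thumbprint, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase);
        if (onlyTolerableErrors && isPinned) return true;
        Console.WriteLine("Server certificate rejected ({0}): {1}", sslPolicyErrors, certificate.Subject);
        return false;
    }
}
```

Pass this method to the client's SslStream constructor in place of the callback that would otherwise return true; a certificate from any other issuer, including a man-in-the-middle's, is still rejected.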
