This section uses the Transport security mode for certificate authentication, because the TransportCredentialOnly mode does not support certificates.
Certificate authentication requires the client or server to present a certificate that proves its identity. First, create two certificates, one for the server and one for the client, at the VS2010 command prompt using the commands shown in Figure 11-42.
Figure 11-42 Creating a certificate
After the certificates are created, add the Certificates snap-in in the MMC console and move the two certificates into the trusted store (Trusted People), as shown in Figure 11-43.
Figure 11-43 Moving a certificate into the trusted store
Note:
As shown in Figure 11-43, the certificate can also be generated directly into the target store from the command line; moving it by hand here is mainly to show how certificates are managed in one place through the MMC.
Because Transport security mode runs over SSL, we need to configure an HTTPS binding for the site in IIS.
We create another certificate whose name matches the site, wcfservicewebsite.com, and export it to a local file. Open IIS Manager, switch to the IIS 7.5 server node, and use Server Certificates to add the certificate to the server. Return to the service site, edit the site bindings, and select the certificate just added. Back in the site view, click "SSL Settings" and tick "Require SSL", as shown in Figure 11-44.
Figure 11-44 Requiring SSL for the website
At this point the browser reports that the certificate is invalid, because the locally generated certificate is not issued by a trusted certification authority, as shown in Figure 11-45.
Figure 11-45 Certificate error on the HTTPS link
In this case, click the red certificate error indicator in IE and follow the prompts to install the certificate into the Trusted Root Certification Authorities store, as shown in Figures 11-46 and 11-47.
Figure 11-46 Choosing to install the certificate
Figure 11-47 Installing the certificate into the Trusted Root Certification Authorities store
Refresh the site; the padlock now shows the certificate as verified, as in Figure 11-48.
Figure 11-48 Certificate verified
First, let's look at communication in Transport mode without any client credential, using the configuration in Code Listing 11-100.
Code Listing 11-100 No client credential configured
<bindings>
  <basicHttpBinding>
    <binding name="BasicBindingConf">
      <security mode="Transport">
        <transport clientCredentialType="None" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
......
The client is adjusted to match the server, and the service behavior is set so that metadata can be retrieved over HTTPS, as in Code Listing 11-101:
<behavior name="WcfHelloService.ServiceBehavior">
  <serviceMetadata httpsGetEnabled="true" />
</behavior>
The client changes its endpoint address:
<endpoint address="https://wcfservicewebsite.com/HelloService.svc" ... />
Run the test site; the result is shown in Figure 11-49.
Figure 11-49 Test result in Transport mode
Figure 11-49, together with the server code, shows that the call is currently anonymous. Does the transport layer actually protect the data in transit? Code Listing 11-102 shows what Fiddler captured.
Code Listing 11-102 Data captured in Transport mode
CONNECT wcfservicewebsite.com:443 HTTP/1.1
Host: wcfservicewebsite.com
Proxy-Connection: keep-alive
The data sent represents an SSLv3-compatible ClientHello handshake. For your
convenience, the data is extracted below.
Major Version: 3
Minor Version: 1
Random: 4E 07 11 12 D7 AE D1 35 94 52 CF CE B9 EA BF 8C 5B 4E B2 D4 86 0A BC E6 D2 61 C4 97 BC 1C 11 DA
SessionID: empty
Ciphers:
[002F] TLS_RSA_AES_128_SHA
[0035] TLS_RSA_AES_256_SHA
[0005] SSL_RSA_WITH_RC4_128_SHA
[000A] SSL_RSA_WITH_3DES_EDE_SHA
[C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
[C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
[C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
[0032] TLS_DHE_DSS_WITH_AES_128_SHA
[0038] TLS_DHE_DSS_WITH_AES_256_SHA
[0013] SSL_DHE_DSS_WITH_3DES_EDE_SHA
[0004] SSL_RSA_WITH_RC4_128_MD5
Code Listing 11-102 is the request sent by the client. Fiddler does not show the raw bytes, but the capture is enough to show that the data is protected and encrypted at the transport level. If you configure Fiddler to decrypt SSL, the decrypted request looks like Code Listing 11-103.
Code Listing 11-103 The actual request
POST https://wcfservicewebsite.com/HelloService.svc HTTP/1.1
Content-Type: text/xml; charset=utf-8
VsDebuggerCausalityData: uidpo9b4edyyow5clt+7ozgctooaaaaaqjlegwjqxkcz0d14i8iazdw+0ozgjs5bgmw5e+f6yikacqaa
SOAPAction: "http://tempuri.org/IHelloService/GetHello"
Host: wcfservicewebsite.com
Content-Length: 133
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: keep-alive

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetHello xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
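What Fiddler summarised in Code Listing 11-102 is the first TLS record the client sends, and a defender reviewing such a capture usually wants two things from it: the parsed fields and a list of which offered cipher suites are no longer acceptable. The following Python script, added here and not part of the original article or of Fiddler, builds a ClientHello record with the same fields the capture shows (constructed from the listing: TLS 1.0, the same random bytes, an empty session id, the same twelve suites in the same order) and parses it back. The IANA suite names differ slightly from Fiddler's labels; RC4, 3DES and MD5 are flagged as legacy, and suites beginning TLS_RSA_ are listed separately because static RSA key exchange offers no forward secrecy.

```python
"""Parse a TLS ClientHello record and flag legacy cipher suites.

Added example, not code from the original article. The sample record is
constructed here to mirror what Fiddler reported for the capture in
Code Listing 11-102: version 3.1 (TLS 1.0), the same 32 random bytes, an
empty session id and the same twelve cipher suites in the same order.
"""
import struct

# IANA names for the suite identifiers seen in the capture, in capture order.
CIPHER_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}

# Substrings marking a suite a defender should no longer accept:
# RC4 (prohibited by RFC 7465), 3DES (64-bit block, Sweet32) and MD5.
LEGACY_MARKERS = ("RC4", "3DES", "MD5")

# The 32 random bytes Fiddler printed for the captured ClientHello.
SAMPLE_RANDOM = bytes.fromhex(
    "4E 07 11 12 D7 AE D1 35 94 52 CF CE B9 EA BF 8C 5B 4E B2 D4 86 0A BC "
    "E6 D2 61 C4 97 BC 1C 11 DA"
)


def build_sample_client_hello() -> bytes:
    """Build a TLS 1.0 record carrying a ClientHello with the captured fields."""
    suites = b"".join(struct.pack("!H", suite) for suite in CIPHER_NAMES)
    body = (
        bytes([3, 1])                      # client_version: major 3, minor 1
        + SAMPLE_RANDOM                    # random (32 bytes)
        + b"\x00"                          # session_id length 0 ("empty")
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                      # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + bytes([3, 1]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Decode the record and handshake headers plus the ClientHello body; raise on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a complete ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or len(body) < 35:
        raise ValueError("truncated ClientHello body")
    major, minor = body[0], body[1]
    random = body[2:34]
    pos = 34
    sid_len = body[pos]
    pos += 1
    session_id = body[pos:pos + sid_len]
    pos += sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1
    compression = list(body[pos:pos + comp_len])
    pos += comp_len
    names = [CIPHER_NAMES.get(s, f"UNKNOWN_0x{s:04X}") for s in suites]
    return {
        "version": (major, minor),
        "random": random.hex(),
        "session_id": session_id.hex(),
        "cipher_suites": names,
        "compression": compression,
        "has_extensions": pos < len(body),
        # Defender view of the offer: deprecated algorithms and suites without forward secrecy.
        "legacy": [n for n in names if any(m in n for m in LEGACY_MARKERS)],
        "no_forward_secrecy": [n for n in names if n.startswith("TLS_RSA_")],
    }


def is_client_hello(record: bytes) -> bool:
    """True when the bytes parse as a well-formed ClientHello record."""
    try:
        parse_client_hello(record)
        return True
    except (ValueError, IndexError, struct.error):
        return False


def analyze_sample() -> dict:
    """Parse the constructed record that mirrors the capture."""
    return parse_client_hello(build_sample_client_hello())


if __name__ == "__main__":
    info = analyze_sample()
    print(f"TLS {info['version']}  session_id={info['session_id'] or 'empty'}")
    for name in info["cipher_suites"]:
        print(f"  {name:40s} {'LEGACY' if name in info['legacy'] else ''}")
```

Run it directly to print the parsed offer. In a real capture the record is the first bytes the client sends after the CONNECT tunnel is established; parse_client_hello only needs that raw record, and is_client_hello works as a cheap filter before deeper inspection.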
Now let's configure the server and client certificates, using the two certificates generated above. The server certificate comes first, as in Code Listing 11-104.
Code Listing 11-104 Server certificate configuration
<serviceBehaviors>
  <behavior name="WcfHelloService.ServiceBehavior">
    <serviceMetadata httpGetEnabled="true" />
    <serviceDebug includeExceptionDetailInFaults="false" />
    <serviceCredentials>
      <clientCertificate>
        <authentication certificateValidationMode="PeerTrust" />
        <certificate findValue="XClient"
                     storeLocation="CurrentUser"
                     storeName="TrustedPeople"
                     x509FindType="FindBySubjectName" />
      </clientCertificate>
      <serviceCertificate findValue="XServer"
                          storeLocation="CurrentUser"
                          storeName="TrustedPeople"
                          x509FindType="FindBySubjectName" />
    </serviceCredentials>
  </behavior>
</serviceBehaviors>
The certificate configuration is the same as for netTcpBinding, so I will not repeat it here; refer to the previous article if anything is unclear. After the server is configured, visiting https://wcfservicewebsite.com/helloservice.svc gives the error in Figure 11-50.
Figure 11-50 Certificate not found error
Occasionally this error occurs when I test on Windows 7. It may be caused by the caching mechanism of the certificate store. However, if I store the certificate under LocalMachine, it is found quickly. This may be related to IIS hosting; I have not studied it in depth. If you run into the same problem, try putting the certificate in the LocalMachine store.
Update the test site's configuration. After the change, the client configuration is shown in Code Listing 11-105.
Code Listing 11-105 Client certificate configuration
<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior name="ClientBehavior">
        <clientCredentials>
          <clientCertificate findValue="XuanhunClient"
                             storeLocation="CurrentUser"
                             storeName="TrustedPeople"
                             x509FindType="FindBySubjectName" />
          <serviceCertificate>
            <authentication certificateValidationMode="None" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <bindings>
    <basicHttpBinding>
      ......
        <security mode="Transport">
          <transport clientCredentialType="Certificate" proxyCredentialType="None" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <client>
    <endpoint address="https://wcfservicewebsite.com/HelloService.svc"
              binding="basicHttpBinding"
              bindingConfiguration="BasicHttpBinding_IHelloService"
              contract="HelloServiceReferenceForBasic.IHelloService"
              name="BasicHttpBinding_IHelloService"
              behaviorConfiguration="ClientBehavior" />
  </client>
</system.serviceModel>
In the configuration in Code Listing 11-105, we change the endpoint's address attribute to the HTTPS URL https://wcfservicewebsite.com/HelloService.svc and configure <authentication certificateValidationMode="None" /> so that the client does not verify the server certificate.
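The two listings turn on three settings worth keeping apart: findValue with x509FindType="FindBySubjectName" picks a certificate out of a store, certificateValidationMode decides whether a certificate presented by the other side is trusted, and "None" on the client means the server certificate is accepted without any check, which is acceptable only in a test setup like this one. The following Python model, added here and not code from the article or from WCF, reproduces those semantics over constructed certificate records so the outcome of each mode can be compared side by side. The subject names follow the article's XServer and XClient, the thumbprints are made up, and the substring matching in find_by_subject_name is my reading of .NET's FindBySubjectName behaviour rather than something the article states.

```python
"""Model of WCF's certificateValidationMode and FindBySubjectName semantics.

Added example, not code from the article or from WCF. Over constructed
certificate records it reproduces what the settings in Code Listings
11-104 and 11-105 mean: None performs no check, PeerTrust requires the very
certificate to be in the TrustedPeople store, ChainTrust requires a chain to
a trusted root, PeerOrChainTrust accepts either. Thumbprints and subjects
are made up; the lookup models FindBySubjectName as a case-insensitive
substring match (my reading of the .NET behaviour, treat it as an assumption).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str      # e.g. "CN=XClient"
    issuer: str       # equals subject for a self-signed certificate
    thumbprint: str   # stands in for the SHA-1 thumbprint (constructed values)


# Constructed certificates named after the ones the article creates with makecert.
XSERVER = Cert("CN=XServer", "CN=XServer", "a1a1")
XCLIENT = Cert("CN=XClient", "CN=XClient", "b2b2")
CORP_ROOT = Cert("CN=Corp Root CA", "CN=Corp Root CA", "c3c3")
ISSUED_CLIENT = Cert("CN=Alice", "CN=Corp Root CA", "d4d4")
LOOKALIKE = Cert("CN=XClient", "CN=XClient", "e5e5")   # same subject name, different key

# Constructed stores, named the way the config refers to them.
TRUSTED_PEOPLE = [XSERVER, XCLIENT]        # storeName="TrustedPeople"
TRUSTED_ROOTS = [CORP_ROOT]                # Trusted Root Certification Authorities
KNOWN_ISSUERS = {c.subject: c for c in (CORP_ROOT,)}


def find_by_subject_name(store, find_value):
    """Model x509FindType="FindBySubjectName": case-insensitive substring match.

    WCF needs exactly one match, so an ambiguous findValue is an error here too.
    """
    hits = [c for c in store if find_value.lower() in c.subject.lower()]
    if not hits:
        raise LookupError(f"no certificate matching {find_value!r}")
    if len(hits) > 1:
        raise LookupError(f"findValue {find_value!r} matches {len(hits)} certificates")
    return hits[0]


def chain_trusted(cert, roots, issuers):
    """Walk issuer links until a trusted root is reached (ChainTrust)."""
    root_prints = {r.thumbprint for r in roots}
    seen = set()
    current = cert
    while current.thumbprint not in seen:
        seen.add(current.thumbprint)
        if current.thumbprint in root_prints:
            return True
        if current.issuer == current.subject:    # self-signed, but not a trusted root
            return False
        current = issuers.get(current.issuer)
        if current is None:                      # unknown issuer: no chain can be built
            return False
    return False


def validate(cert, mode, trusted_people=TRUSTED_PEOPLE, roots=TRUSTED_ROOTS, issuers=KNOWN_ISSUERS):
    """Apply a certificateValidationMode value to a presented certificate."""
    mode = mode.lower()
    if mode == "none":
        return True                              # accepts anything: test setups only
    peer = any(c.thumbprint == cert.thumbprint for c in trusted_people)
    chain = chain_trusted(cert, roots, issuers)
    if mode == "peertrust":
        return peer
    if mode == "chaintrust":
        return chain
    if mode == "peerorchaintrust":
        return peer or chain
    raise ValueError(f"unsupported certificateValidationMode {mode!r}")


if __name__ == "__main__":
    print("server finds client cert by subject:", find_by_subject_name(TRUSTED_PEOPLE, "XClient"))
    for mode in ("None", "PeerTrust", "ChainTrust", "PeerOrChainTrust"):
        results = [validate(c, mode) for c in (XCLIENT, ISSUED_CLIENT, LOOKALIKE)]
        print(f"{mode:17s} XClient={results[0]} Alice={results[1]} lookalike={results[2]}")
```

The lookalike certificate carries the same subject name as XClient but a different key: FindBySubjectName alone would not tell them apart, and only PeerTrust (the mode the server uses in Code Listing 11-104) rejects it by comparing the actual certificate against the TrustedPeople store. The client's "None" accepts every certificate, which is why it belongs only in a test configuration.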
Start the test site; it fails with the error in Figure 11-51.
Figure 11-51 Inconsistent SSL configuration
The error in Figure 11-51 arises because the service requires the client to present a certificate, while the SSL settings in IIS do not mark client certificates as required. Change the setting as shown in Figure 11-52.
Figure 11-52 Setting the IIS SSL options
Now run the test site again; the result is shown in Figure 11-53.
Figure 11-53 Certificate verification successful
The returned certificate identity and the authentication type X509 in Figure 11-53 show that the server has successfully verified the client certificate.