I'm currently working on a self-hosted server that will be installed on XP Embedded for our hardware. We have two Ethernet ports: one for a local connection that is always 192.168.150.10 and another that can be used to connect with the end user's network (DHCP).
So far I've been able to get the host working by using 0.0.0.0 and now I'm looking to secure it with SSL. I've tried the few samples here and a bunch from Stack Overflow with no luck. I figured that I should at least be able to connect via a browser to the server. In Chrome I get Error 107 SSL protocol error.
public class MyHttpSelfHostConfiguration : HttpSelfHostConfiguration
{
    public MyHttpSelfHostConfiguration(string baseAddress)
        : base(baseAddress)
    {
    }

    public MyHttpSelfHostConfiguration(Uri baseAddress)
        : base(baseAddress)
    {
    }

    protected override System.ServiceModel.Channels.BindingParameterCollection OnConfigureBinding(System.Web.Http.SelfHost.Channels.HttpBinding httpBinding)
    {
        if (BaseAddress.Scheme == Uri.UriSchemeHttps)
        {
            // we need to use SSL
            httpBinding.Security = new System.Web.Http.SelfHost.Channels.HttpBindingSecurity()
            {
                Mode = System.Web.Http.SelfHost.Channels.HttpBindingSecurityMode.Transport,
            };
        }
        return base.OnConfigureBinding(httpBinding);
    }
}
This is my latest test:
var config = new MyHttpSelfHostConfiguration("https://0.0.0.0:8902/");
config.Routes.MapHttpRoute("DefaultApi", "api/{controller}/{action}/{id}", new
{
    action = "Get",
    id = RouteParameter.Optional
});
try
{
    byte[] c = Certificate.CreateSelfSignCertificatePfx(
        "CN=192.168.150.10:8902",      // host name
        DateTime.Parse("2012-01-01"),  // not valid before
        DateTime.Parse("2050-01-01"),  // not valid after
        "mypassword");                 // password to encrypt key file
    using (BinaryWriter binWriter = new BinaryWriter(File.Open(@"testcert.pfx", FileMode.Create)))
    {
        binWriter.Write(c);
    }
    var cert = new X509Certificate2(@"testcert.pfx", "mypassword");
    config.ServiceCertificate.Certificate = cert;
    //config.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "6e8f902ff79e78ec5fe2e5fd721048d51bfcd490");
}
catch (Exception ex)
{
    container.Resolve<ILog>().Error(ex);
}
Am I on the right track? Is just installing a cert from makecert not enough, or maybe I'm missing a crucial step?
Could we just have the cert file on the filesystem and load it similar to the way I'm doing it above? This would make upgrade/installation much easier.
Because I only know the 192.168.150.10 address I figure I'll need to settle for a self-signed cert. How could I allow the end user to use their own SSL cert if they wanted to instead of using our self-signed one?
We have our own client, so do I need to include the self-signed cert with it to enable correct communications?
knoxcoder
0 Points
3 Posts
Self host SSL
Apr 03, 2012 02:28 PM
It uses this example: http://stackoverflow.com/questions/695802/using-ssl-and-sslstream-for-peer-to-peer-authentication but I've also tried installing the cert with mmc.
Questions:
panesofglass
Member
730 Points
237 Posts
Re: Self host SSL
Apr 03, 2012 05:03 PM
Does this configuration type from WebApiContrib help? https://github.com/WebApiContrib/WebAPIContrib/blob/master/src/WebApiContrib/SelfHost/SslHttpSelfHostConfiguration.cs
knoxcoder
0 Points
3 Posts
Re: Self host SSL
Apr 03, 2012 05:17 PM
No, that's actually the same as what I have in the "MyHttpsSelfHostConfiguration" class.
dbaier
Member
264 Points
66 Posts
MVP
Re: Self host SSL
Apr 04, 2012 10:35 AM
The ServiceCertificate property is misleading - and I think just a bug.
The WCF host relies on the OS port -> SSL certificate mapping.
1) use netsh to register the namespace, so your service doesn't need admin privileges ;)
2) use netsh to map an SSL certificate to the port you want to use
This tool makes the process less painful:
http://www.stevestechspot.com/downloads/httpconfig.zip
dominick
_____________________________
Dominick Baier - http://www.leastprivilege.com
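
The two netsh steps from this reply, as an added PowerShell example (not part of the thread and not dbaier's code): it imports the question's testcert.pfx into the LocalMachine\My store, reserves the URL for a non-admin account, and binds the certificate to port 8902. It assumes an elevated prompt on a Windows version that has `netsh http` (Vista / Server 2008 or later); the `apihost` account and the app ID GUID are placeholders.

```powershell
# Added example. Run once at install time from an elevated prompt.
param(
    [string]$PfxPath = '.\testcert.pfx',                 # PFX file from the question
    [string]$PfxPass = 'mypassword',                     # sample value from the question
    [int]   $Port    = 8902,
    [string]$RunAs   = "$env:COMPUTERNAME\apihost",      # hypothetical non-admin service account
    [string]$AppId   = '{00000000-0000-0000-0000-000000000001}'  # placeholder GUID
)
$ErrorActionPreference = 'Stop'

# .NET resolves relative paths against the process directory, not the
# PowerShell location, so resolve the path first.
$pfx = (Resolve-Path $PfxPath).Path

# HTTP.SYS looks the certificate up in LocalMachine\My and needs its private
# key stored as a persisted machine key, not a per-user or temporary key.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfx, $PfxPass, $flags)
if (-not $cert.HasPrivateKey) { throw "PFX '$pfx' contains no private key" }

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
try     { $store.Add($cert) }
finally { $store.Close() }

# Step 1: reserve the URL namespace so the service account can listen
# without administrator rights.
netsh http add urlacl "url=https://+:$Port/" "user=$RunAs"
if ($LASTEXITCODE -ne 0) { throw "urlacl reservation failed" }

# Step 2: map the certificate to the port. The thumbprint is read from the
# imported certificate instead of being hard-coded.
netsh http add sslcert "ipport=0.0.0.0:$Port" "certhash=$($cert.Thumbprint)" "appid=$AppId"
if ($LASTEXITCODE -ne 0) { throw "sslcert binding failed" }

# Confirm what HTTP.SYS will actually present on that port.
netsh http show sslcert "ipport=0.0.0.0:$Port"
```

With the binding in place the self-host configuration only needs the https base address and Transport security mode; to let an end user substitute their own certificate, rerun the script with their PFX after `netsh http delete sslcert ipport=0.0.0.0:8902`.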