user152151

Implementing secure webservice calls in C# (Windows)

I have a client application that needs to talk to a remote webservice secured by TLS 1.1. I am wondering how I am supposed to configure my server and client certificates to make it work. We got the following sample from the webservice vendor:

ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;

and then

WebServiceProxy.AddClientCertificate(cert, password);

As far as I understand, this is a terrible idea that disables certificates for the whole application. As far as I understand, there should be no TLS/SSL configuration in the application; I should just install my certificates in the correct stores, and then http.sys should negotiate them during the handshake. Am I correct?

AFAIK the remote webservice certificate should be in Third-Party Root Certification Authorities and my client certificate should be in the Client Authentication store. Am I correct?

Upvotes: 0

Views: 119

Answers (1)

pepo

Reputation: 8877

You are correct.

In an ideal world you would install the client certificate into your CurrentUser\My or LocalMachine\My store. Intermediate CA certificates would be fetched using AIA from the client certificate, and the Root CA certificate would already be in the Trusted Root store. The same would apply to the server certificate, so everyone would be working and happy.

The code that you got from the webservice vendor

ServicePointManager
    .ServerCertificateValidationCallback += 
    (sender, cert, chain, sslPolicyErrors) => true;

disables validation of certificates. You are vulnerable to MitM attacks, but the communication is still encrypted :)

I don't know why anyone would have this code applied. Maybe the webservice vendor is using some custom CA that is not public, the CRL endpoints are not public, or something similar.

You can set TLS 1.1 in your client using this code:

// The cast lets code compiled against a SecurityProtocolType that has no Tls11/Tls12
// members (pre-4.5 frameworks) pass the numeric value; the installed runtime and
// Schannel still have to support the protocol for the handshake to succeed.
ServicePointManager.SecurityProtocol = (SecurityProtocolType)LocalSecurityProtocolType.Tls11;

/// <summary>
/// Imported from .NET 4.6.1 : Specifies the security protocols that are supported by the Schannel security package.
/// </summary>
[Flags]
public enum LocalSecurityProtocolType
{
    /// <summary>
    /// Specifies the Secure Socket Layer (SSL) 3.0 security protocol.
    /// </summary>
    Ssl3 = 48,

    /// <summary>
    /// Specifies the Transport Layer Security (TLS) 1.0 security protocol.
    /// </summary>
    Tls = 192,

    /// <summary>
    /// Specifies the Transport Layer Security (TLS) 1.1 security protocol.
    /// </summary>
    Tls11 = 768,

    /// <summary>
    /// Specifies the Transport Layer Security (TLS) 1.2 security protocol.
    /// </summary>
    Tls12 = 3072
}

Upvotes: 1
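As an added example (not code from the question, the answer, or the webservice vendor), the client below does what the question asks about and the answer describes: the client certificate is read from the CurrentUser\My store rather than from a password-protected file, the protocol is chosen explicitly, and the vendor's `=> true` callback is replaced by one that keeps the default validation result and, only for the "private CA" case the answer speculates about, re-validates the chain against a vendor root that the application ships itself and pins by thumbprint. The class name `SecureServiceClient`, the constants `ServiceUrl`, `ClientCertThumbprint` and `VendorRootCaPath`, and the use of a per-request callback (which assumes .NET Framework 4.5 or later) are all assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example for this Q&A page; not the vendor's code and not from the answer.
// Assumes .NET Framework 4.5+ (per-request ServerCertificateValidationCallback,
// SecurityProtocolType.Tls11/Tls12 members).
public static class SecureServiceClient
{
    // Hypothetical values; replace with the real service URL, the thumbprint of the
    // installed client certificate, and the path of the vendor's root CA certificate.
    const string ServiceUrl = "https://webservice.example.invalid/api/";
    const string ClientCertThumbprint = "0000000000000000000000000000000000000000";
    const string VendorRootCaPath = @"C:\certs\vendor-root.cer";

    public static string Call()
    {
        // Choose the protocol explicitly. TLS 1.2 is offered as well so it is used
        // whenever the server supports it; TLS 1.1 stays available for this vendor.
        ServicePointManager.SecurityProtocol =
            SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11;

        var request = (HttpWebRequest)WebRequest.Create(ServiceUrl);
        request.ClientCertificates.Add(LoadClientCertificate(ClientCertThumbprint));

        // Per-request callback instead of the process-wide ServicePointManager one,
        // so nothing else in the application inherits a relaxed policy.
        request.ServerCertificateValidationCallback = ValidateServerCertificate;

        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
        {
            return reader.ReadToEnd();
        }
    }

    // The client certificate (with its private key) lives in CurrentUser\My, as the
    // answer recommends; no password or PFX handling in application code.
    static X509Certificate2 LoadClientCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: true);
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    "Client certificate not found or not valid: " + thumbprint);
            return matches[0];
        }
    }

    // Replacement for the vendor's "=> true" callback.
    static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Normal case: the server chain validates against the Windows trust store.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // A name mismatch or a missing certificate is never acceptable; only a
        // chain error (e.g. untrusted root) is considered further.
        if ((sslPolicyErrors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0)
            return false;

        // Private-CA case: build the chain up to the vendor root we ship ourselves.
        // AllowUnknownCertificateAuthority only tolerates the root not being in the
        // Windows store; expired or otherwise invalid certificates still fail Build.
        // Revocation stays at the default (online): if the vendor's CRL endpoint is
        // unreachable this fails closed. Relax to X509RevocationMode.NoCheck only as
        // a deliberate decision.
        var vendorRoot = new X509Certificate2(VendorRootCaPath);
        var privateChain = new X509Chain();
        privateChain.ChainPolicy.ExtraStore.Add(vendorRoot);
        privateChain.ChainPolicy.VerificationFlags =
            X509VerificationFlags.AllowUnknownCertificateAuthority;

        if (!privateChain.Build(new X509Certificate2(certificate)))
            return false;

        // Pin the root: the last element of the built chain must be exactly the
        // vendor root, not just any self-signed certificate the server presents.
        var root = privateChain.ChainElements[privateChain.ChainElements.Count - 1].Certificate;
        return root.Thumbprint != null &&
               root.Thumbprint.Equals(vendorRoot.Thumbprint, StringComparison.OrdinalIgnoreCase);
    }
}
```

If the vendor's server certificate chains to a public CA, `ValidateServerCertificate` never gets past the first check and behaves exactly like the framework default; the private-root branch is the only deviation, and it is limited to one pinned root rather than accepting everything. The `validOnly: true` argument in `LoadClientCertificate` means the store lookup itself fails when the client certificate has expired or its chain cannot be built, which surfaces a misconfigured store before any request is sent.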
