[Mono-dev] self hosted WCF service with client certificates?

Darkness peter.speybrouck at gmail.com
Sun Nov 8 13:05:25 UTC 2015


Hi,

I initially asked in the mono-general list, but was suggested to post here.

I currently have the following up and running without issues:
* self hosted WCF service, compiled with .Net/Visual studio 2013, running on
Linux+mono 3.12.0
* WCF service uses basicHttpBinding with transport security (self-signed
certificate with rootCA certificate)
* WCF client running on windows/.Net 4.0 with corresponding basicHttpBinding
configuration


The client can connect and communicate with this service (client currently
ignores the certificate error due to self-signed certificate -
ServicePointManager.ServerCertificateValidationCallback)

However, I would like to add client certificates to this setup to be able to
identify clients on the server side for client-specific handling. 

When debugging the service and client in Visual studio on .Net 4.0,
everything seems to work, and the service can also get the certificate from
the client to do some extra checks for access.

With the configuration mentioned below, running the service running on
linux+mono 3.12.0, it does not seem to work as expected.

The client can still connect and communicate with the service running on
linux+mono, but the service is unable to get the client certificate (as if
there is none) and lets the client do it's thing.


After investigating, it seems that
OperationContext.Current.IncomingMessageProperties.Security.ServiceSecurityContext
is null where this is not when running on .Net.

It seems as if basicHttpBinding does not support client certificates on mono
and instead just lets everything pass as if it was authenticated...

I could not really find if basicHttpBinding supports client certificates or
not, so it's a little unclear if this is possible at all. The WCF status
page also does not clearly indicate if it is implemented or not:
http://www.mono-project.com/docs/web/wcf/

If this is not implemented, is there another type of binding that does
support https+client certificates?
Right now I was trying with transport security but message security is also
acceptable if this would be an option.


Some code snippets for some more details:

Serverside config:

BasicHttpBinding binding = new BasicHttpBinding();
binding.Security.Mode = BasicHttpSecurityMode.Transport;                
binding.Security.Transport.ClientCredentialType =
HttpClientCredentialType.Certificate;
ServiceHost serviceHost = new ServiceHost(typeof(DataService));
serviceHost.AddServiceEndpoint(typeof(IDataService), binding,
"https://localhost:9902/DataService");

serverside code to get client certificate:

var cert =
((System.IdentityModel.Claims.X509CertificateClaimSet)OperationContext.Current.ServiceSecurityContext.AuthorizationContext.ClaimSets[0]).X509Certificate;

Clientside:

BasicHttpBinding binding = new BasicHttpBinding();
binding.Security.Mode = BasicHttpSecurityMode.Transport;
binding.Security.Transport.ClientCredentialType =
HttpClientCredentialType.Certificate;
ChannelFactory<IDataService> factory = new
ChannelFactory<IDataService>(binding, "https://localhost:9902/DataService");

factory.Credentials.ClientCertificate.SetCertificate(
        StoreLocation.CurrentUser,
        StoreName.My,
        X509FindType.FindByThumbprint,
        clientCertificateThumbprint);

IDataService proxy = factory.CreateChannel();



Edward Ned Harvey pointed me to this blogpost
(http://tirania.org/blog/archive/2015/Aug-27.html ) and the recent messages
from Martin Baulig about the current work on SSL/TLS, but until now, I
didn't see how exactly this would apply to the above, since I am not
directly using HttpWebRequest or SslStream.

Is there a WCF binding that does support client certificates on mono?
If not, is there a workaround somehow?

Right now, I'm running on mono 3.12.0, but I can upgrade to 4.x if
necessary.



--
View this message in context: http://mono.1490590.n4.nabble.com/self-hosted-WCF-service-with-client-certificates-tp4666904.html
Sent from the Mono - Dev mailing list archive at Nabble.com.


More information about the Mono-devel-list mailing list