2

I have a wcf service. The binding of the service is wsHttpBinding and the security type is message security. The service is hosted on IIS. The site binding on IIS is http(80). The service also has a certificate which is configured with a service behaviour.

Binding:

<wsHttpBinding>
        <binding name="maksServiceBinding" maxReceivedMessageSize="2147483647">
          <security mode ="Message">
            <message clientCredentialType="UserName" establishSecurityContext="true" />
          </security>
        </binding>
</wsHttpBinding>

Behaviour:

<serviceCredentials>
            <serviceCertificate findValue="xxxxName" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="xxx.xxx.xxxServiceUsernameValidator, xxx.xxx"/>
            <!--<clientCertificate >
              <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck"/>
            </clientCertificate>-->
          </serviceCredentials>

My service is working well but I have three questions:

1) How can I enforce my clients for these configurations: certificateValidationMode="ChainTrust" revocationMode="NoCheck" These configurations can be changed on client(ex: certificateValidationMode can be changed to None) but I do not want clients to change these configurations. (commented) does not work.

2) A client needs to add certificate to consume my service when the certificateValidationMode is ChainTrust. But if the client does not add certificate and change certificateValidationMode to None, client can consume the service. If I can not find a solution to prevent this, I will write custom certificate validation with X509CertificateValidator. Because the service messages can not be encrypted(unsecure).

3) I watch the requests and responses on the client side with fiddler2. I tried out two situations. First; the certificate is added and certificateValidationMode is ChainTrust. Second; the certificate is not added and certificateValidationMode is None. The requests and responses for both of the situations are same. Here the questions come. Are requests and responses encrypted? If they are encrypted, how can the second situation be? Because there was no certificate on the client. Can the certificate be stored on somewhere else like cache?

Fiddler2 output:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1" u:Id="_2">http://nvi.gov.tr/adres/IMaksCrudBusinessOf_Bina/Read</a:Action>
    <a:MessageID u:Id="_3">urn:uuid:e1ef9b1b-14c4-4952-b535-ff84a11b18b4</a:MessageID>
    <a:ReplyTo u:Id="_4">
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1" u:Id="_5">http://umuts/MaksServices/MaksBinaIslemleri.svc</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="uuid-fcbcbde5-ec92-4e46-9a7b-f541ed9e62c8-11">
        <u:Created>2013-03-10T17:54:01.744Z</u:Created>
        <u:Expires>2013-03-10T17:59:01.744Z</u:Expires>
      </u:Timestamp>
      <c:SecurityContextToken u:Id="uuid-e4d1e34d-0fe2-4a44-a5f7-b94ab0e4d33c-5" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
        <c:Identifier>urn:uuid:ced2f798-d488-405d-9e4d-a9bce5acc8f5</c:Identifier>
      </c:SecurityContextToken>
      <c:DerivedKeyToken u:Id="uuid-fcbcbde5-ec92-4e46-9a7b-f541ed9e62c8-9" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
        <o:SecurityTokenReference>
          <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-e4d1e34d-0fe2-4a44-a5f7-b94ab0e4d33c-5"/>
        </o:SecurityTokenReference>
        <c:Offset>0</c:Offset>
        <c:Length>24</c:Length>
        <c:Nonce>vUN53uBYs3XxRkW30IRUGg==</c:Nonce>
      </c:DerivedKeyToken>
      <c:DerivedKeyToken u:Id="uuid-fcbcbde5-ec92-4e46-9a7b-f541ed9e62c8-10" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
        <o:SecurityTokenReference>
          <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-e4d1e34d-0fe2-4a44-a5f7-b94ab0e4d33c-5"/>
        </o:SecurityTokenReference>
        <c:Nonce>cJDYx++Xl28SaS57RPr/Og==</c:Nonce>
      </c:DerivedKeyToken>
      <e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
        <e:DataReference URI="#_1"/>
        <e:DataReference URI="#_6"/>
      </e:ReferenceList>
      <e:EncryptedData Id="_6" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
        <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <o:SecurityTokenReference>
            <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#uuid-fcbcbde5-ec92-4e46-9a7b-f541ed9e62c8-10"/>
          </o:SecurityTokenReference>
        </KeyInfo>
        <e:CipherData>
          <e:CipherValue>Awdg0bBuWmrYzddiVm2TztRIvytluR/wUVfe329DiPk2kNVO1NI5RE4/Gol/3dyObGXbvBO9eFR1Y84gOAw6gwVue+BVRMqIlYxuVkSijXsWzp/Cz84nJN+paGnKtXMIlefdRC3y3G3AcN3TX8hzwoPM1BQttJ8YJQV8PK7Lbgv2YXX/9XzgIteeIgz5KzMWp+rJ0egGxdsKLkwE3jFbj+ncfiKX7qWoFhQgCz53FbNXvPMQ/QE7LBaqhEereX/U2+Dc8ku+D/eep9g5i6v9p0RPv2g5K4dT5UeLXIh5Whqh8fx9xSZY1WsV+RegePNIyXEf/meeN3FnnC8dyJENoxfKny0tWfkiXyLxtF6SHHAUh50VKPnsrdpJh+9yIfprCpLRSLqIAaRGPjiK+oZEnDSNI7q/ipFB8KHeJKi+b38VrfBC/4IqUL+BQ+AHfWyRS2yYsAXGBWsIBLzUU7AFsslpJb3Z5Q2Z7g5FpRNUKiIbvhPZ+1dLBdthYAP0JuiawX4WCq4Ew0UB6Rh6bH1OD5eqfEbetRzr4KJt/9VW585x/Opx24wAfP2ktC5Tl//Az6jz1PAOhotHDXUN6FCW5oG9ah93S2i/fHNpqeiJoVCWEOBR+v8ExJcgbC/EtH01TaoyMHS+UlpbzWZk1h5sC21rtqHVrWjy4s0ZupBiPWabfVwKzz0VJ4DCTbnnHdNcyryvAM6kS+6qOgZbf6pWDx5MqRp00l2+N3yFJWoOCjPWzCqRcL0WUHucrJhRvCzpzKy16mQuFyFrZwXJjYmSBFv41V1lP/uyV+1+WMRcAdezqDDaYOyRb15jizMXZD9YYRau89nre64UzsCDNpmt4heD+tqOIivsId4tteKg64umY3xPRRaD0beZDrfBm8SpXsgt7U1K/wd2R2Q4U0fVFKgYJPH/1W6ZgONd/skg6AZ1tRK4y2nDiQk+yV8F99j9ipk2iMgjhDxlNN20yA2Svz85i3wJqUp3Qh+Eksmre2rcuClE1GZPadAOWumJVuL8FsNjZ50jeTWwYUE3jYKxCFIs+05jeiRbBRrbhVCDSze/47to9sNNXyGrR0yxIYE5QI+fE7zbjalWXdSISD68cpuGUg+ne/+ABa3DMlxmj1DOD3DwlHpWFxWC4F2E/nQvd5cDczyru+hpEw6kObR1RhlZR8AWY1FDP7YotugGM3imPelrRR91+vYPjY74pz0XZX6KqIlUS70as8tKodrZejMxqK542pmsc1r1/NyOmr669++6EEt1U5gikO8LLuUyKw7IpI6cxqyIN1aKoMhpZktS3NS4paQdWxtJqS1mT0FgvpyxVurPliWh5nreb8/5/txrfVxvNjmbEEVDTdHIa4IzefPpX19ZQwYnWea5hGGBSS7q20VA3gXkQGmHxjyZl9Vm6xCqTXqI8HLk7+zOncUuzo8rsk6k/LoEhLKkVpSliwrMMZdOvAyY9mgpn55KWDpD4cTxli4KhosltOmZ4S+8cErMSwBUVqiB2DEMj2nPsOjM9wA1LnPsWj7yva84Fc5/zwLS+hUN40MFohtsu3+wj5eyXnoIbDmTGTLq4W/p8DFxZfgE50DLtNmy06TAz06lOzpXYViFwC/gJnhNrmn/a3l79QCIl+ldyOqbrsosSSCXqk7aLx6IvLiw5AugiH3lQXH6bjtPd3KoYXZiTbSdTNNDy+Q8d1uO8lDAsXClXdRqUuss8pPQJhVHUdvffr0AF//mpfiC1O5kSppTpJCjyhpZ7B+uHLKeehXuhvuGxyIsdb4NzPD+cjDhxwwdEFH2nUCOYLdIsqzSCluF3hovAFnCQ00wdqS2s/GTu+p+8d7VrYaau6Fv+B8/N3pBLBWIPjmEbKlmX70KaBAT2y3CEUG+nGmiqI649UXJ492A7s0bdTBVmetdTyAyvRsFucDi/ZswbTr4D4LrDNouYn+cI0cUoXOAJ5zv3xFGuYdeqsyaLIHP2y06P9RSHCACBvjZHwW3Kl4BUZOneTCAquFPgFdc8gcwXmx8uGaIgwdTx9H20FOq+VIacpr2sThZ4yxZdz6SPIejlOOyrL/oxgaqRi9Rkt+N91Z6U7/dK3Rl8SHjc0LQT3czL0MOtzwY5lq05FXhnSzpkXauQ9K8Qy83Nxfx5s8DT3tOyFOdTe308melK/3uRlvyQ5wJFqcd6u7+fQNqCsDJ3hQmHJqZCwRawJPcS1B9zlpo+9sT86Gz0HwUpSILHEHF0iBLg9X1yz6jZfeWc8qW1noFvnRI0aNkiypQSEbC/nR4AJp7KPsaD6bwK7+H3yX+p6Tqydyj4ckVQBP9jV3w0dfk5wQNaQIXyVEzr4/x9Jg4fb4CGK8gCTSFx8jPta8vjWRirf/LpYoFwF02S6llSGRJERIc/hR1FPLTn3gfx5sl5bqkpmk2U3hHSO0OR1fYU8Dcw2YJduxC3e8aHXOMVrkHx4N6hLT6a5EJy8N4W79vqo+6964ZC9nKxQk/l7UkgcEtogw5pnuZZn39elk4pAK51FsrAgnzNIpFoepOfBP3hLj3xGFSUDHmt50G+cAlxgl04Y2i/isecXDOxzMxWN7wpJjcgr25tju93Y2Bt+sR4Zs+mg4A2cSQ4LSrXrfQSPuKL0KeU60u9wJmQda/zT5NNOIVFL4fTl9yNOBugpESbTIF/ceg4KW9rOeyqJJQg16GRVLG1Xayu6GXdjSuxVfoInccNJQJZpzaeMZolYeHnQVWcP9D1QmBBuJL/OnKrsvDpZt61qn9lCXcYF+UiTl+tZOOQry9ASKnNZFHIIymUyFb26Gzgydzud5b/HCfy6T4YxKO</e:CipherValue>
        </e:CipherData>
      </e:EncryptedData>
    </o:Security>
  </s:Header>
  <s:Body u:Id="_0">
    <e:EncryptedData Id="_1" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
      <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#uuid-fcbcbde5-ec92-4e46-9a7b-f541ed9e62c8-10"/>
        </o:SecurityTokenReference>
      </KeyInfo>
      <e:CipherData>
        <e:CipherValue>xgJK91cn2sLm4FvnVJZoueexPXVExJaA/gCoBdZK2nLlBLvIFnQz/Y6okzRfh0jugF6Vrx5aj+0i3T6V6TfNnBkFuLsKnDeyL2D/cawlBqM=</e:CipherValue>
      </e:CipherData>
    </e:EncryptedData>
  </s:Body>
</s:Envelope>
user1900210
  • 113
  • 1
  • 6
  • 1) You can always switch to using programmatic bindings. I prefer these because they are easier to share (as a dll) than as shared config. – Aron Mar 11 '13 at 06:47

0 Answers0