5

My site calls a service (let's call it FooService) that requires a very complex set of authentication protocols. The protocols are all wrapped up in a custom ClientCredentials behavior that is declared like this in code:

class FooServiceCredentialsBehavior : ClientCredentials 
{
    public FooServiceCredentialsBehavior()
    {
        //Set up service certificate
        var cert = CertStore.FindBySerialNumber(certSerialNumber);
        base.ServiceCertificate.DefaultCertificate = cert;
    }
}

We then register the behavior extension:

  <behaviorExtensions>
    <add name="FooServiceCredentials" type="MyProject.Namespace.FooService, MyProject" />
  </behaviorExtensions>

Configure an endpointBehavior to use it:

<endpointBehaviors>
    <behavior name="FooServiceCredentialsBehavior">
      <FooServiceCredentials />
    </behavior>

And set up the endpoint to work with it:

<endpoint address="https://fooservice.com/bar"
          behaviorConfiguration="FooServiceCredentialsBehavior"
          contract="FooService_PortType" />

All of the above works perfectly, and has for many clients for many years.

I am now deploying this stuff to a system that cannot reach CRL servers, and the custom behavior includes a service certificate with validation turned on. So I need to turn off the validation. However I cannot modify the FooServiceCredentials class. If I could, I would just do this:

base.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;

But I can't.

I would like to know if it is possible to add WCF config that is applied to the custom credentials behavior that will do the same thing. Something like this:

<endpointBehaviors>
    <behavior name="FooServiceCredentialsBehavior">
      <FooService>
          <ServiceCertificate>
              <authentication certificateValidationMode="None"/>
          </ServiceCertificate>
      </FooService>
    </behavior>

This exact XML doesn't work (the service won't even start up) but I'm hoping there is some magic way to arrange these tags to disable the service certificate validation from config only.

Is it possible? How?

John Wu
  • 50,556
  • 8
  • 44
  • 80
  • From my understanding of WCF many many moons ago, everything done in code should have a config equivalent. Did some reading on the tags and came across https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/wcf/authentication-of-servicecertificate-element. – Nkosi Oct 16 '18 at 09:36
  • Are those naming discrepancies in your example typos? – Nkosi Oct 16 '18 at 09:37

1 Answers1

1

The official documentation says it is possible to do it. Check the following link: authentication of serviceCertificate Element.

I think with the behaviorExtension configuration you have the following configuration should work since you inherit from ClientCredentials:

<behavior name="FooServiceCredentialsBehavior">
  <FooServiceCredentials>
      <serviceCertificate>
        <authentication certificateValidationMode="None" revocationMode="NoCheck" />
      </serviceCertificate>
  </FooServiceCredentials>
</behavior>

If this does not work there is another possible option without using the behaviorExtension and specifying your class directly in the clientCredentials configuration like this:

<behavior name="FooServiceCredentialsBehavior">
  <clientCredentials type="FooNamespace.FooServiceCredentialsBehavior, FooAssemblyName">
      <serviceCertificate>
        <authentication certificateValidationMode="None" revocationMode="NoCheck" />
      </serviceCertificate>
  </clientCredentials>
</behavior>
Aleš Doganoc
  • 11,568
  • 24
  • 40