
I have a WCF client running .Net 4.8, and I want to connect to our WCF service through an AWS Network Load Balancer that uses a TLS listener. The problem is I cannot connect through it. I can connect properly when I am using a TCP listener in the NLB.

I contacted AWS support regarding this issue, and after some investigation, they confirmed that there is nothing wrong with my NLB configurations, and they advised me that my WCF client must initiate the TLS communication with the NLB's TLS listener to properly communicate through TLS.

But based on my research, the WCF service is the one dictating the security requirements for the client. It is mentioned in the first line of this Microsoft resource. Is there a way to force my WCF client to initiate the TLS communication?

I already have in my client code:

    System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

and in my client config file, I have this in the binding config.

    <security mode="Transport">
      <transport clientCredentialType="None"
                 protectionLevel="EncryptAndSign"
                 sslProtocols="Tls12">
      </transport>
    </security>

Also, when I inspected the packets during the successful communication on the TCP listener, after the TCP handshake, the client and service exchange some info before initiating the TLS communication. Not sure if that matters, but I just want to state it.

I need the WCF client to behave like a browser configured to use TLS, where it is the one who initiates the TLS communication with the back-end entity it is communicating with (e.g. web server, load balancer, etc.).

Is there a way to force my WCF client to initiate the TLS communication?

niel
  • For WCF TCP transport using transport security with certificate credentials: https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls – Ding Peng Mar 22 '21 at 08:00
  • Hi @DingPeng, I have read the documentation but there is no mention there of forcing a WCF client to initiate a TLS communication. I have followed some of those best practices (I used to run .Net 4.5 but switched to .Net 4.8) but it did not fix my problem. Also, I updated my question in order to help explain my problem/situation. – niel Mar 22 '21 at 10:44
  • @niel there's no need to force anything. If you specify transport security, TLS will be used (assuming the server supports it). The client and server will negotiate and use the best available protocol version. There's no need to hard-code the TLS version either, especially with .NET 4.8. It will use the best available TLS version on the operating system – Panagiotis Kanavos Mar 22 '21 at 10:54
  • @niel it sounds like you have a different problem. Does the server reject the connection? Do you get an exception? What is the *full* exception text? Are you running on an obsolete OS version that doesn't support TLS1.2 without patching? What you did actually *prevents* the client from using TLS1.3 even if it's available – Panagiotis Kanavos Mar 22 '21 at 10:56
  • @niel `Is there a way to force my WCF client to initiate the TLS communication?` it always does. It's always the *client* that initiates the HTTPS connection, negotiates with the server for the algorithms to use, then both establish a secure channel using the parameters they negotiated – Panagiotis Kanavos Mar 22 '21 at 10:59
  • Hi @PanagiotisKanavos, my WCF service supports TLS and I run the client on my machine which has an updated Win 10 installed. The issue is that in order to connect to my WCF service, I must pass through an AWS NLB that has a TLS listener. That's where I get stuck. AWS support says that after TCP handshake, WCF client must send Client Hello packet for TLS 1.2 communication, but when I inspect the packets being sent, WCF client sends application data right after the TCP handshake. – niel Mar 22 '21 at 11:18
  • Here is a link regarding a short summary of the AWS Network Load Balancer TLS termination that I have been mentioning: https://aws.amazon.com/blogs/aws/new-tls-termination-for-network-load-balancers/ – niel Mar 22 '21 at 11:19
  • Whether the client-side uses TLS is related to the server-side, because the binding of the client-side must be the same as that of the server-side. – Ding Peng Mar 25 '21 at 05:46
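Added example in Python (not code from the question, AWS, or WCF itself) illustrating what niel observed in the packet capture: a WCF net.tcp client with Transport security opens the connection with .NET Message Framing (MC-NMF) records and only requests TLS through a framing upgrade-request record, so an NLB TLS listener, which expects a ClientHello as the very first bytes, sees framing bytes instead. The record layout follows the MC-NMF specification; the service URI and the byte strings are constructed for the example.

```python
# Added example (not from the question, AWS or WCF itself): classify a client's first
# bytes after the TCP handshake and walk the .NET Message Framing (MC-NMF) preamble a
# WCF net.tcp client sends before TLS starts. Sample URI and bytes are constructed.
def read_nmf_size(data: bytes, pos: int):
    """MC-NMF size prefix: 7 bits per byte, low group first, high bit = more follows."""
    value, shift = 0, 0
    while True:
        b, pos = data[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def classify_first_bytes(data: bytes) -> str:
    """TLS ClientHello opens 0x16 0x03 xx <len:2> 0x01; MC-NMF opens with Version 0x00 0x01 0x00."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    if data[:3] == b"\x00\x01\x00":
        return "nmf-preamble"
    return "unknown"

def parse_nmf_preamble(data: bytes) -> list:
    """(record, payload) pairs up to the Upgrade Request; TLS runs inside the framing after it."""
    records, pos = [], 0
    while pos < len(data):
        rtype, pos = data[pos], pos + 1
        if rtype == 0x00:                       # Version: major, minor
            records.append(("version", tuple(data[pos:pos + 2]))); pos += 2
        elif rtype in (0x01, 0x03):             # Mode / Known Encoding: one byte each
            records.append(("mode" if rtype == 0x01 else "encoding", data[pos])); pos += 1
        elif rtype in (0x02, 0x09):             # Via / Upgrade Request: size-prefixed UTF-8
            size, pos = read_nmf_size(data, pos)
            text = data[pos:pos + size].decode("utf-8"); pos += size
            records.append(("via" if rtype == 0x02 else "upgrade-request", text))
            if rtype == 0x09:                   # the TLS handshake follows; stop here
                break
        else:                                   # unexpected record type: stop and report
            records.append(("unknown", rtype)); break
    return records

def sized_record(rtype: int, text: str) -> bytes:
    body = text.encode("utf-8")
    assert len(body) < 128                      # a one-byte size prefix suffices here
    return bytes([rtype, len(body)]) + body
# Constructed NetTcpBinding/Transport-security preamble: Version, Mode=Duplex (2), Via,
# Encoding=binary with in-band dictionary (8), Upgrade Request for application/ssl-tls.
SAMPLE_NMF = (b"\x00\x01\x00" + b"\x01\x02"
              + sized_record(0x02, "net.tcp://wcf.example.internal:808/Service")
              + b"\x03\x08" + sized_record(0x09, "application/ssl-tls"))
SAMPLE_TLS = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"  # constructed ClientHello opening bytes
```

Running `classify_first_bytes` over the first payload bytes of each capture tells you whether the listener is being handed a ClientHello or an NMF preamble, which is the distinction AWS support described.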

0 Answers