
In my local network I have a WCF Service which exposes a few methods. I want to encrypt communication between applications and the service. I tried doing this with a self-signed certificate, but the browser's security tab shows the following error:

Your connection is not private
Attackers might be trying to steal your information from localservice2 (for example, passwords, messages, or credit cards). Learn more NET::ERR_CERT_AUTHORITY_INVALID

Seems like my browser doesn't trust WCF's self-signed certificate. I could import this certificate into my PC's Windows keystore, but I would have to do this every time someone would like to connect to my local network and use the WCF Service.

Is there a possibility to encrypt communication between clients and WCF service in this scenario? If so, how should it be done? Is there any way to encrypt messages in a way that does not use a certificate? It could work so that each client in the app.config file would have to insert the key to be used to encrypt the message and the same key would have to be on the service side to decrypt it.

However, if encrypting communication requires a certificate, is it possible that this would not require importing certificates on the client side?

This is what I did:

  1. I created a self-signed certificate and assigned it to a new HTTPS binding.
  2. I added this app.config to the WCF service:
<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="aspnet:UseTaskFriendlySynchronizationContext" value="true"/>
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.8"/>
    <httpRuntime targetFramework="4.5.2"/>
  </system.web>
  <system.serviceModel>
    <services>
      <service name="Service.ConfigurationService">
        <endpoint name="test" address="" binding="basicHttpBinding" bindingConfiguration="secureHttpBinding" contract="Service.IConfigurationService"/>
      </service>
    </services>
    <bindings>
      <basicHttpBinding>
        <binding name="secureHttpBinding">
          <security mode="Transport">
            <transport clientCredentialType="None"/>
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceMetadata httpsGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="false"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
    <directoryBrowse enabled="true"/>
  </system.webServer>
</configuration>
  3. In the client applications that use the WCF service I added this line:
// Accepts every server certificate unconditionally, so the client no longer checks who it is talking to.
ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, errors) => true;
  4. Now, when I connect with my service, this appears: [screenshot omitted]

When I click yes, communication is encrypted. Is it possible to make this window not pop up? The result is that I have to do this on every computer.

dafie
  • It is mentioned in [the documentation](https://learn.microsoft.com/en-us/dotnet/framework/wcf/securing-services#specifying-the-client-credential-type-and-credential-value) that not all scenarios require a client credential type. Using SSL over HTTP (HTTPS), the service authenticates itself to the client. – Lan Huang Jun 15 '22 at 05:08
  • You can refer to [this answer](https://stackoverflow.com/a/16943036/17218587). – Lan Huang Jun 15 '22 at 05:17
  • @LanHuang I updated question. Can you take a look? – dafie Jun 15 '22 at 09:16
  • Here is [an answer](https://stackoverflow.com/a/11747697/17218587) to a similar question that you can refer to. – Lan Huang Jun 16 '22 at 06:24
  • You can create a class derived from X509CertificateValidator and use it to do custom validation of the incoming certificate. Throw a SecurityTokenValidationException if you want to fail validation for some reason. Set the certificateValidationMode to Custom and specify your validator in the clientCertificate service behavior section of the config file. https://learn.microsoft.com/en-us/dotnet/framework/wcf/extending/how-to-create-a-service-that-employs-a-custom-certificate-validator – Lan Huang Jun 16 '22 at 06:28
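A safer replacement for the `=> true` callback in the question, added here as an example and not part of the question or the comments: it pins the service's self-signed certificate by its SHA-256 fingerprint, read from the client's app.config, which matches the asker's idea of putting a shared value in app.config without importing the certificate into every machine's store. It assumes .NET Framework 4.8 with a reference to System.Configuration.dll; the appSettings key name `ServiceCertSha256` is an assumption.

```csharp
using System;
using System.Configuration;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the question): accept only the one pinned service certificate.
// Assumes the client's app.config holds the expected SHA-256 fingerprint under a hypothetical key:
//   <add key="ServiceCertSha256" value="AA11...FF"/>   (hex of SHA-256 over the DER certificate)
static class PinnedCertificateValidation
{
    // Normalised to bare uppercase hex so "aa:11:..." and "AA11..." compare equal.
    static readonly string PinnedSha256 =
        (ConfigurationManager.AppSettings["ServiceCertSha256"] ?? string.Empty)
            .Replace(":", string.Empty).Replace(" ", string.Empty).ToUpperInvariant();

    // SHA-256 over the DER-encoded certificate, as uppercase hex. X509Certificate2.Thumbprint
    // on .NET Framework is SHA-1, so the fingerprint is computed here instead.
    public static string Sha256Fingerprint(X509Certificate certificate)
    {
        using (var sha256 = SHA256.Create())
            return BitConverter.ToString(sha256.ComputeHash(certificate.GetRawCertData()))
                               .Replace("-", string.Empty);
    }

    public static bool Validate(object sender, X509Certificate certificate, X509Chain chain,
                                SslPolicyErrors errors)
    {
        // A certificate the machine already trusts (valid chain, matching name) passes as usual.
        if (errors == SslPolicyErrors.None)
            return true;

        // A self-signed certificate shows up only as a chain error. Anything else (no certificate,
        // host name not matching the certificate) stays a hard failure.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || certificate == null)
            return false;

        // No pin configured: do not silently fall back to "trust everything".
        if (PinnedSha256.Length == 0)
            return false;

        return string.Equals(Sha256Fingerprint(certificate), PinnedSha256, StringComparison.Ordinal);
    }

    // Call once at client start-up, in place of the "=> true" callback.
    public static void Register()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
```

The pinned fingerprint has to be updated whenever the service certificate is reissued, and the certificate's subject or SAN must still match the host name the client uses (localservice2 here), because a name mismatch is still rejected.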

0 Answers