Dear ladies and sirs.
I have a server and a client. Setup to work over ssl with minimum security. Here are their WCF configurations:
Server:
<system.serviceModel> <extensions> <bindingElementExtensions> <add name="gzipMessageEncoding" type="Shunra.Common.Wcf.Compression.GZipMessageEncodingElement, Shunra.Common"/> </bindingElementExtensions> </extensions> <services> <service name="Shunra.Common.Csla.WcfPortal" behaviorConfiguration="SSL_ServiceBehavior"> <endpoint contract="Csla.Server.Hosts.IWcfPortal" binding="customBinding" bindingConfiguration="SSL_CompressedBinding" address="WcfPortal.svc" /> <host> <baseAddresses> <add baseAddress="https://il-mark-w2k8/NC" /> </baseAddresses> </host> </service> </services> <bindings> <customBinding> <binding name="SSL_CompressedBinding" receiveTimeout="00:30:00" sendTimeout="00:30:00" openTimeout="00:00:02"> <gzipMessageEncoding innerMessageEncoding="binaryMessageEncoding" binaryMaxQuotaSize="2147483647"/> <httpsTransport maxReceivedMessageSize="2147483647" decompressionEnabled="true" requireClientCertificate="false"/> </binding> </customBinding> </bindings> <behaviors> <serviceBehaviors> <behavior name="SSL_ServiceBehavior"> <serviceMetadata httpsGetEnabled="true"/> <serviceDebug includeExceptionDetailInFaults="true"/> </behavior> </serviceBehaviors> </behaviors> </system.serviceModel>
Client:
<system.serviceModel> <extensions> <bindingElementExtensions> <add name="gzipMessageEncoding" type="Shunra.Common.Wcf.Compression.GZipMessageEncodingElement, Shunra.Common"/> </bindingElementExtensions> </extensions> <client> <endpoint name="SSL_WcfDataPortal" address="https://il-mark-w2k8/NC/WcfPortal.svc" binding="customBinding" bindingConfiguration="SSL_CompressedBinding" contract="Csla.Server.Hosts.IWcfPortal" /> </client> <bindings> <customBinding> <binding name="SSL_CompressedBinding" receiveTimeout="00:30:00" sendTimeout="00:30:00" openTimeout="00:00:02"> <gzipMessageEncoding innerMessageEncoding="binaryMessageEncoding" binaryMaxQuotaSize="2147483647"/> <httpsTransport maxReceivedMessageSize="2147483647" decompressionEnabled="true" requireClientCertificate="false"/> </binding> </customBinding> </bindings> </system.serviceModel>
Please, note that because we compress the traffic, we use customBinding.
In addition, in order for the client to work without any certificates I handle the ServicePointManager.ServerCertificateValidationCallback event - return true from there (and log the details).
I am fully aware, that using SSL without mutual authentication makes the system vulnerable to the man in the middle attacks. I am willing to pay this price, because I am currently not in a position to install any certificates at the client side. Given that constraint, is my setup good enough or can I improve it? For instance, I have no idea if the communication is encrypted/signed using my current settings.
I have tried to use AnonymousForCertificate, but failed because it seems to require the presence of the server certificate on the client side, which I cannot do.
Thanks.
Source: http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/0769982d-62b3-4481-912e-d420fd7ef6f6
enterprise architecture information on architecture architecture pictures identity management architecture enterprise architecture conference
No comments:
Post a Comment