Using SSL in your application

11 July 2009


One of the ways to add another security layer to our application is to use SSL. SSL gives us the ability to encrypt messages between two endpoints. If you search the web you will probably notice that this capability comes [almost] out of the box.

If you are already using IIS as your web server and want to add this security layer, all you need to do is check a few check boxes in your web site configuration. To complete the configuration you will be asked to provide a certificate.

The certificate (a combination of an identity and a public key) helps the client authenticate the server. A common example is your browser: when a user enters a secured web site, the browser checks the site's certificate against the CA's services and verifies that the server really is who it claims to be.

There are many companies (VeriSign is one of the popular ones) that act as a CA (certificate authority) and provide certification services (this is my recommendation for public internet applications). If you don't want to pay a third party, you can create a free certificate using the OpenSSL tools, create a self-signed certificate using the makecert utility (you must remember to protect your private key), or even build your own CA server (all three are recommended for intranet applications).

Assuming you choose one of the cheap ways, you still need to configure your software to validate the certificate. There are two ways to do it: the first is in code, the second is installing the server certificate on the client machine. To do it in code, you register for the ServicePointManager.ServerCertificateValidationCallback event; the delegate receives the certificate details as parameters and returns whether the certificate is valid or not. For example:

using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public string GetData(string url)
{
    // Register the callback before the request is opened: in the original order the
    // using-initializer called OpenRead() before the delegate was attached, so the
    // first request was never validated by it. ServicePointManager is process-wide,
    // so register once rather than on every call (+= stacks a new delegate each time).
    ServicePointManager.ServerCertificateValidationCallback +=
        new RemoteCertificateValidationCallback(customCertificateValidation);

    using (WebClient webClient = new WebClient())
    using (Stream stream = webClient.OpenRead(url))
    using (StreamReader webClientStreamReader = new StreamReader(stream, Encoding.UTF8))
    {
        string returnedStringFromMoma = webClientStreamReader.ReadToEnd();
        return returnedStringFromMoma;
    }
}

private static bool customCertificateValidation(object sender, X509Certificate cert,
    X509Chain chain, SslPolicyErrors error)
{
    // Accepts the certificate purely by its Subject name. Anyone can issue a certificate
    // carrying this Subject, so a name check on its own does not prove the server's identity.
    return (cert != null && cert.Subject == "CN=MyCustomCert, OU=Dev, …");
}
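As an added example (my own code, not the post's), here is a stricter version of the same callback. Instead of matching the Subject string, it pins the expected server certificate by its SHA-1 thumbprint, and it keeps the framework's own verdict: a certificate is accepted when there are no policy errors, or when the only problem is the untrusted root of a self-signed certificate we have pinned. A hostname mismatch or any other chain problem is always rejected. The thumbprint constant is a placeholder; copy the real value from the server certificate (the Thumbprint field in the Certificates manager, without spaces).

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class PinnedClient
{
    // Placeholder: replace with the thumbprint of your own server certificate.
    private const string ExpectedThumbprint = "0000000000000000000000000000000000000000";

    // Returns true only for the pinned certificate, and only when the remaining
    // policy errors are the ones a self-signed certificate is expected to produce.
    public static bool ValidateServerCertificate(object sender, X509Certificate cert,
        X509Chain chain, SslPolicyErrors errors)
    {
        if (cert == null)
            return false;

        // GetCertHashString() returns the SHA-1 thumbprint as upper-case hex.
        bool pinned = string.Equals(cert.GetCertHashString(), ExpectedThumbprint,
                                    StringComparison.OrdinalIgnoreCase);

        // Hostname matched and the chain built to a trusted root: pin decides.
        if (errors == SslPolicyErrors.None)
            return pinned;

        // Self-signed certificate: the framework reports chain errors. Accept only if
        // chain errors are the sole problem (no name mismatch, certificate present)
        // and the only chain status is UntrustedRoot.
        if (pinned && errors == SslPolicyErrors.RemoteCertificateChainErrors && chain != null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                if (status.Status != X509ChainStatusFlags.UntrustedRoot)
                    return false;   // expired, revoked, wrong usage, partial chain, ...
            }
            return true;
        }

        return false;
    }

    public static string GetData(string url)
    {
        // Assign (not +=) so repeated calls do not stack delegates on the global event.
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;

        using (WebClient webClient = new WebClient())
        using (Stream stream = webClient.OpenRead(url))
        using (StreamReader reader = new StreamReader(stream, Encoding.UTF8))
        {
            return reader.ReadToEnd();
        }
    }
}
```

Because the callback is global to the process, every HTTPS connection the application opens goes through it; if you talk to several servers, keep a set of pinned thumbprints rather than a single constant, and remember to update it before the server certificate is renewed.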

If you decided to install the server certificate on the client machine, you need to export the certificate from the server and then import it into the client machine. You can do the import/export from the Windows Certificates manager.
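The same import can be done from code, which is handy for setup scripts. The following is an added example (mine, not from the post); the file name is an assumption and stands for the public certificate (.cer) exported from the server without its private key, which never leaves the server. A self-signed server certificate is its own root, so SChannel only accepts it from the Trusted Root store; the CurrentUser store needs no administrator rights and limits the trust to this account. The second method reproduces the chain check the SSL handshake will perform, so you can confirm the import worked before touching the application.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ClientTrust
{
    // Imports the exported server certificate into the current user's Trusted Root store.
    public static void ImportServerCertificate(string cerPath)
    {
        X509Certificate2 serverCert = new X509Certificate2(cerPath);

        // X509Store only became IDisposable in later frameworks, so Close() explicitly.
        X509Store store = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
        try
        {
            store.Open(OpenFlags.ReadWrite);
            store.Add(serverCert);   // no-op if an identical certificate is already present
        }
        finally
        {
            store.Close();
        }
    }

    // Returns true when the certificate now chains to a root this client trusts,
    // which is what the SSL handshake will compute after the import.
    public static bool IsTrustedByClient(string cerPath)
    {
        X509Certificate2 serverCert = new X509Certificate2(cerPath);

        X509Chain chain = new X509Chain();
        // A self-signed certificate carries no CRL distribution point, so skip revocation.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        // Require the Server Authentication usage, as the TLS client does.
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.1"));

        bool ok = chain.Build(serverCert);
        if (!ok)
        {
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.Error.WriteLine("{0}: {1}", s.Status, s.StatusInformation);
        }
        return ok;
    }

    public static void Main(string[] args)
    {
        string cerPath = args.Length > 0 ? args[0] : "server.cer";   // assumed file name
        ImportServerCertificate(cerPath);
        Console.WriteLine(IsTrustedByClient(cerPath) ? "trusted" : "NOT trusted");
    }
}
```

Import only the specific server certificate you exported; adding a certificate you do not control to the Root store makes every certificate it signs trusted on that machine.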

There is another important issue I forgot to mention: I know a lot of people who think that using the request credentials is secure. Don't let it confuse you: the credential is just encoded, it is not encrypted.
