Adarsh's blog : SSL

Using FtpWebRequest to do FTP over SSL

adarshk — Fri, 22 Apr 2005 23:27:00 GMT

Last few weeks we were busy to get Whidbey Beta-2 bits ready for release.

If you are looking for some API where your application could talk to a FTP server, which supports SSL. FtpWebRequest under System.Net namespace is your solution. Here I will just point to SSL specific features of the class

Enabling FtpWebrequest to use Ssl is pretty simple, you just need to set EnableSsl flag before calling GetResponse() or GetRequestStream() on the FtpWebRequest object.

FtpWebRequest request = WebRequest.Create(ftp://myftpserver/dir/filename);
request.Method = WebRequestMethods.Ftp.DownloadFile;
request.EnableSsl = true; // Here you enabled request to use ssl instead of clear text
WebResponse response = request.GetResponse();

Some people asked me why FtpWebRequest support "ftps:" protocol based uri similar to "https:", the reason is there is no standard "ftps" scheme specified (yet) and ftp-over-ssl mechanism actually does not demand dedicated port for ssl, you could do it on the same server port on which you are doing regular clear text ftp. It depends on server configuration choice to force the SSL or allow both.

Once you start doing Ftp over SSL there are two important things you will need to know

Validating Server Certificate

If you were old WebRequest user, you might already know about using ServicePointManager.CertificatePolicy for https server certificate validation. In whidbey you will notice the compiler warning saying ServicePointManager.CertificatePolicy is obsolete and replaced with ServicePointManager.ServerCertificateValidationCallback which is delegate of type RemoteCertificateValidationDelegate. New delegate provide better programming model with all certificate errors reported in a single callback and you will also get instance of X509Chain object, which allow you to make decision on certificate chain.

ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(myCertificateValidation);

Actual method will look as below
  public bool myCertificateValidation(Object sender,
      X509Certificate cert,
      X509Chain chain,
      SslPolicyErrors Errors)
{ return (certificate.GetName() == "my_trusted_name"); }; //Just an example, not real world scenaio

:) Another additional advantage you can take with delegate is from anonymous method support of C# 2.0, especially if you have very simple 1-2 line certificateplicy to implement, see follwing example.

ServicePointManager.ServerCertificateValidationCallback = delegate(Object obj, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
{ return (certificate.GetName() == "my_trusted_name"); }; //Just an example, not real world scenaio

Using Client Certificate

Using Client certificate based authentication when connecting to FTP-SSL is no different then existing HttpWebRequest. You just need to assign appropriate X509Certificate instance to the request object before making GetResponse() or GetRequestStream() call.

This posting is provided "AS IS" with no warranties, and confers no rights

Client side certificate with strong key protection and WebServices

adarshk — Thu, 17 Feb 2005 21:46:00 GMT

When you are writing application to run as service or middle tier, which is using client certificates. You should not enable strong key protection during certificate installation.

Strong key protection is the way you are informing the system that whenever someone want to use this protected resource (client certifcate) then prompt me for the permission. In middle tier environment you really do not want this prompt, you really want to run your application unattended. In fact with .Net frameworks 1.1, SP1 you won't be able to use the certificate with strong key protection.

Check the posting from Kevin W. Hammond about his experience on this issue

http://blogs.msdn.com/kevinha/archive/2005/02/15/373254.aspx

This posting is provided "AS IS" with no warranties, and confers no rights

Configure System.Net.HttpListener to listen for SSL

adarshk — Thu, 11 Nov 2004 03:02:00 GMT

Whidbey contains cool class HttpListener under System.Net namespace, it allows you to create your your own HttpServer on top of HttpSys. Some of you aske about steps for configuring HttpListener to work with SSL. Basically you need to configure httpsys. You need to bound particular port to a server certificate, where you want your listener to listen

1) install the server certificate in machine store – you can manually install certificate using mmc (Alternatively you can also use winhttpcertcfg command line tool, which is available with win32 SDK install)

2) next step is to bind the port to use this certificate, this could be done using httpcfg tool (Also a part of win32 sdk), following example demonstrate configuration for port 9443
   a. Command line with no client certificate authentication
         > httpcfg.exe set ssl -i 0.0.0.0:9443 -c "MY" -h <Certificate Hash>
    b. Command line with client certificate authentication
         > httpcfg.exe set ssl -i 0.0.0.0:9443 -f 2 -c "MY" -h <Certificate Hash>

To know more about System.Net.HttpListener, check the System.Net Whidbey documentation

http://msdn2.microsoft.com/library/btdf6a7e.aspx

To know more about winhttpcertcfg.exe and httpcfg.exe, you could follow the following links,

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttpcertcfg_exe__a_certificate_configuration_tool.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/http/http/httpcfg_exe.asp

This posting is provided "AS IS" with no warranties, and confers no rights

Using SSL client certificate in WebRequest and WebServices without certificate installation

adarshk — Wed, 01 Sep 2004 20:21:00 GMT

If you are using .Net frameworks 1.0 or 1.1, certificate must be installed on either User store or Machine Store. This posting is only valid for v2.0.

In version 2.0 (Currently released Whidbey Beta1) user have option to use the certificate which contain the private key without installing it on certificate store.

In general it is not recommended practice to store certificate as file and not install in certificate store. In some special cases user might not have access for certificate installation (e.g. Webbhosting site only allow ftp access to users). In such case you can store full certificate file (include private key) on a share and use it for client certiificate based SSL authentication.

System.Security.Cryptography.X509Certificates namespace provide classes to create X509CertificateEx instance with private key persistence like below

X509CertificateEx Cert = new X509CertificateEx();

Cert.Import(_certificateFilieName,_certificatePassword,X509KeyStorageFlags.PersistKeySet);

If you add X509CertificateEx instance as mentioned above to client certificate collection of HttpWebRequest or WebService instance, certificate base authentication would work without installing certificateon cetificate store of the machine.

This posting is provided "AS IS" with no warranties, and confers no rights

SSL https requests with client certificates from ASP.NET

adarshk — Mon, 19 Jul 2004 23:10:00 GMT

Problem

Applications making https request from .net web applications (.aspx pages) are not able to use client certificates.

Cause

Client certificates are linked to user accounts, ASPX is running under ASPNET account, this account can’t access the certificates installed under user account or system account.

HttpWebRequest implementation only access the certificate only from account under which process is running or under System account. Most of the time when we install the certificate it is installed in current user account.

Possible Solutions

a) Run the service under the account which certificate is installed, but in real world this is not a feasible solution on production servers,

b) Install the certificate under System account and provide access to ASPNET service account, this could be achieved using following steps

a. Install certificate using MMC (Microsoft Management Console) or using certificate configuration tool as described in Microsoft KB article (http://support.microsoft.com/?id=823193 )

b. Tool is available at the following link

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttpcertcfg_exe__a_certificate_configuration_tool.asp

Make sure following, when installing the certificate

1) Certificate contains the private key, otherwise it can’t be used for client authentication, .cer certificate files only contain the public key, you need to have certificate with .pfx or .p12 file,

2) Make sure you are installing certificate in “My” store of the system account, following command is an example of installing certificate in “My” store of “System” account with extending access to aspnet account, follow the above link for more detailed description and usage of certificate configuration tool

WinHttpCertCfg -i mycert.pfx -p certpassword -c LOCAL_MACHINE\my –a aspnet

Note: Solution discussed here would work on .Net frameworks v1.0 with SP3 or v1.1 with SP1 install, on previous versions of frameworks clientcertificate were used only from current User store not from System acount.

This posting is provided "AS IS" with no warranties, and confers no rights