NetHttpBinding with WebSockets doesn't allow custom Certificate handling
This involves:
- Calling any custom X509CertificateValidator.Validate class that a user has set on their credentials for verifying the server cert.
- Using the ClientCertificate that a user has provided on the credentials to authenticate against the server.
- Most likely adding functionality to the System.Net.WebSockets.Client.ClientWebSocket class to enable certificate handling.
The System.Net.WebSockets.Client and System.Net.WebSockets contracts do not facilitate any certificate handling. This will be addressed post RTM by the team which owns those contracts; until then we are blocked.
Thanks @mconnew. Can we add related System.Net.WebSockets.* issues here?
There is no customer vote on this. Moving it to future. To implement, we will build on top of SocketHttpHandler.
I hope it is ok to ask a question here: Is it correct that it is currently not possible to use a self-signed certificate for a WebSockets connection based on a WCF client in a .Net Core 3.1 Application?
I need to migrate an existing .Net 4.6 WPF Application to .Net Core 3.1 (and later to .Net 5) and this problem might prevent me from doing so. Is there any chance this will be fixed in the not too distant future?
I found the same problem with customBinding, using .NET7.
"return true" This code will be executed. I checked it through the debugger.
System.Net.ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => { return true; });
But an error occurs internally.
AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
I tried these settings as well, but they had no effect on WebSockets. This only works for regular HTTPS.
svc.ClientCredentials.ServiceCertificate.SslCertificateAuthentication = new System.ServiceModel.Security.X509ServiceCertificateAuthentication()
{
    // Disables server certificate validation and revocation checking
    CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None,
    RevocationMode = System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck,
};
I think this is missing a line or two in the code for setting it up. https://github.com/dotnet/wcf/blob/bc542a4a9a85ddb9686ed7010bd9e58d99455ad5/src/System.ServiceModel.Http/src/System/ServiceModel/Channels/CoreClrClientWebSocketFactory.cs#L19
Or is this difficult to troubleshoot? Is there an alternative to circumvent this problem?
Edit and update: I tried adding a little bit of code, but it didn't work out well. I added a RemoteCertificateValidationCallback and also fixed the missing Accept-Encoding header. https://github.com/neominky/wcf/commit/835fe84f4e19c3e3635aab1c00ab54b405ee5d1d?diff=unified
But it wasn't enough, because it crashed into a bigger wall. Issues like this occur. https://github.com/Azure/azure-relay-dotnet/issues/135
I had to conclude that .NET7/8 does not support WCF/WebSocket. In the future too. long long far far
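For reference, the kind of certificate handling this issue asks for, written directly against `ClientWebSocket` rather than through a WCF binding. This is an added example, not code from the thread or from the WCF repository. It assumes .NET 5 or later; the class name, method names and the `PinnedSha256` placeholder are hypothetical. Instead of a callback that returns `true` for every certificate, it accepts a self-signed server certificate only when its SHA-256 hash matches a pinned value.

```csharp
using System;
using System.Net.Security;
using System.Net.WebSockets;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;

static class PinnedWebSocketClient
{
    // Placeholder (assumption): hex SHA-256 of the server's self-signed certificate.
    const string PinnedSha256 = "<SHA256-OF-SERVER-CERT-HEX>";

    // Accept the certificate if normal validation passed, or if it is exactly the pinned one.
    public static bool Validate(object sender, X509Certificate? cert,
                                X509Chain? chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;  // chain and name already valid
        if (cert is null) return false;                   // no certificate presented
        byte[] pinned;
        try { pinned = Convert.FromHexString(PinnedSha256); }
        catch (FormatException) { return false; }         // placeholder not replaced: fail closed
        byte[] actual = SHA256.HashData(cert.GetRawCertData());
        return CryptographicOperations.FixedTimeEquals(actual, pinned);
    }

    public static async Task<ClientWebSocket> ConnectAsync(
        Uri uri, X509Certificate2? clientCert, CancellationToken ct)
    {
        var ws = new ClientWebSocket();
        // Per-connection callback, set on the socket's own options.
        ws.Options.RemoteCertificateValidationCallback = Validate;
        if (clientCert is not null)
            ws.Options.ClientCertificates.Add(clientCert); // client certificate authentication
        try
        {
            await ws.ConnectAsync(uri, ct);
            return ws;
        }
        catch
        {
            ws.Dispose(); // do not leak the socket when the TLS handshake is rejected
            throw;
        }
    }
}
```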