Archive for April, 2008

SSL secured IIS-hosted WCF Application using OpenSSL

Thursday, April 10th, 2008

enviroment An ASP.NET Application invokes a WCF Application hosted in IIS using a WCF Client over SSL and authenticates itself with a client certificate. PKI must be created too.

problem Just try it without this documentation... took as 2 1/2 days :)

solution

(All commands are in

formatted

and shall be executed on cmd.exe)

Preparations

Download OpenSSL (for Win32)

cd c:\openssl\bin
mkdir demoCA
echo 01 > demoCA\serial

create a new and empty file named demoCA\index.txt

Certificate Authority (CA)

mkdir work
openssl genrsa -out work\CA\CA.key 1024
openssl req -new -key work\CA\CA.key -days 3650 -out work\CA\CA.csr -subj "/CN=choose.some.name"
openssl x509 -req -days 3650 -in work\CA\CA.csr -signkey work\CA\CA.key -out work\CA\CA.crt

Result: CA.key (private key of CA), CA.crt (public key / self-signed certifcate of CA)

Server Certificate for IIS

start IIS-Admin on web server
Properties of WebSites/
Set SSL Port to 443 (e.g.)
-> Directory Security Tab
-> Server Certificate Button
-> Create new certficate
-> Prepare request
IMPORTANT the common name must equal the DNS name used to invoke the WCF service

Result: certreq.txt (Certificate Request)

mkdir work\IIS

Copy certreq.txt to work\IIS

openssl ca -policy policy_anything -cert work\CA\CA.crt -in work\IIS\certreq.txt -keyfile work\CA\CA.key -days 3650 -out work\IIS\iis.cer -outdir work\IIS –batch

Result: IIS.cer (signed server certificate)

start IIS-Admin on web server
Properties of WebSites/
-> Directory Security Tab
-> Server Certificate Button
-> Process pending Request
-> select work\IIS\IIS.cer

Installation of CA on WCF Hosting Server and Client machine (the machine hosting the ASP.NET application)

Start mmc (goto Start\Run: mmc)
Add Snap-In: Certificate\LocalMachine
-> Certficates (LocalMachine) \ Trusted Root Certification Authorities
-> Right click on Certificates \ All Tasks \ Import...
-> Select work\CA\CA.crt

Create client certificates for ASP.NET application

Mkdir work\Client
openssl genrsa -out work\client\Client.key 1024
openssl req -new -key work\client\Client.key -out work\client\Client.csr -subj "/CN=Client"
openssl x509 -req -days 365 -CA work\CA\CA.crt -CAkey work\CA\CA.key -CAcreateserial -in work\client\Client.csr -out work\client\Client.crt
openssl pkcs12 -export -in work\client\Client.crt -inkey work\client\Client.key -out work\client\Client.p12

Start mmc (goto Start\Run: mmc) on ASP.NET hosting machine
Add Snap-In: Certificate\LocalMachine
-> Certficates (LocalMachine) \ Personal
-> Right click on Certificates \ All Tasks \ Import...
-> Select work\client\Client.p12

Configure IIS hosting WCF application to require SSL and Client Certificates

start IIS-Admin on WCF application hosting server
Properties of WebSites/
-> Directory Security Tab
-> Secure Communication / Edit
Select "Require Secure Channel"
Select "Require Client certificates"

Optionally select "Enable certifications trust list" and create a new list holding the CA.crt if you only want to authenticate clients signed by your CA

Configure WCF Client

In your Web.config

<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding" >
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="behavior">
    	<clientCredentials supportInteractive="false">
      	<clientCertificate findValue="Client"
                           x509FindType="FindBySubjectName"
                           storeLocation="LocalMachine"
                           storeName="My" />
</clientCredentials>  	
</behavior>
</endpointBehaviors>
</behaviors> 

IMPORTANT: Make sure your application does not run under NETWORK SERVICE account. Without tweaking your permissions of the LocalMachine store, you cannot access private keys - which you need when you want to authenticate to the server using client certificates.

Configure WCF Server

In your Web.config

<binding name="basicSec">
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>

<serviceBehaviors>
<behavior name="returnFaults">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>

Some explaination: although the complete SSL handshake and the authentication is done by IIS, the WCF settings still need to match those of IIS. One reason is that the protocol differs (e.g. http vs. https).
You cannot enable httpGetEnabled and httpsGetEnabled at the same time.
You can using BasicHttpBinding - SSL is just the transport layer.

Some debugging tips

Get SSLDiag for validating you IIS SSL setup

To decrypt SSL traffic using Wireshark:

Start mmc (goto Start\Run: mmc) on WCF application hosting machine
Add Snap-In: Certificate\LocalMachine
-> Certficates (LocalMachine) \ Personal
-> Right click on Certificates \ All Tasks \ Export...
-> Select work\IIS\IIS.pfx

openssl pkcs12 -in vde\iis\iis.pfx -out work\iis\iis.pem –nodes

Start Wireshark

Goto Edit\Preferences\Protocols\SSL: RSA Keys: ,443,http,c:\openssl\bin\work\IIS\iis.pem
Goto Capture \ Options \ Filter: "Port 443"

Happy capturing!

WCF Tracing might be helpful too:

  <system.diagnostics>
      <sources>
            <source name="System.ServiceModel" 
                    switchValue="All"
                    propagateActivity="true">
            <listeners>
               <add name="traceListener" 
                   type="System.Diagnostics.XmlWriterTraceListener" 
                   initializeData= "c:\temp\Traces.svclog" />
            </listeners>
         </source>
      </sources>
   </system.diagnostics>

Pioneer DVR 630-H and Homecast 5101 CI HDTV

Wednesday, April 9th, 2008

environment: Pioneer DVR 630-H, Homecast 5101 CI HDTV (receiving Astra 19.2E) and a Sanyo Z3 projector.

problem: Configuration of Pioneer DVR and Homecast

solution:

  • Homecast connected to Sanyo via HDMI
  • Pioneer connected to Sanyo via Component
  • Pioneer and Homecast connected seperately to a small stereo system
  • Homecast (VCR connector) connected to Pioneer (Decoder/Input1) via SCART

Homecast already has the channel list.
The very sick thing about the Pioneer DVR is, that it actually holds 2 (yes t-w-o) channel list.

  1. A channel list for its Antenna-RF tuner
  2. A channel list for the Guide+

You can actually ignore the Antenna-RF tuner list (found in Basic Setup/Tuner) - if you got a satellite dish you probably won't have another antenna.
The important thing is the channel list found in the Guide+ Menu on the very right.
I configured Decoder 1, Selected Homecast from the UNSORTED list somewhere at the end. You need to select "Antenna RF" as the connection, not L1, L2, DV... I still don't know what L1 is.
The Pioneer DVR nicely tries to set the channel on the Homecast - it actually works - just the Homecast crashed the first time...
Then go to the "Editor" tab. You can select the decoder as source and enter the channel numbers.