20
votes

I'm creating a WCF application where I'll be using certificates to encrypt the communication between the client and server. In my development environment, I want to use a test certificate / self-signed certificate which I've created using makecert. (Only the server will have a certificate; the client won't.)

I've installed the certificate into a certificate store, and everything is working fine. On the client, certificateValidationMode is currently set to "false", since I'm working with a test certificate.

My problem:

In the app.config on the client, I need to specify the identity element as this:

<endpoint ... >
   <identity>
      <dns value="<Name-Of-Server-Computer>"/>
   </identity>
</endpoint>

If I remove the identity element, I get the following error message in the client when I try to connect to the server:

Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'localhost' but the remote endpoint provided DNS claim 'Name-Of-Server-Computer'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'Name-Of-Server-Computer' as the Identity property of EndpointAddress when creating channel proxy.

So here are my questions:

  • Is the identity check only done when using a test/self-signed certificate? When I deploy my application using a real, trusted, certificate purchased from a CA, will the identity check still be made?

  • Is there a way to disable the identity check? I know I can create my own custom certificate validator, but there doesn't seem to be a way to override the identity check using these.


3 Answers

32
votes

The answer to this question is in the error message itself. On the client you can do:

using System;
using System.ServiceModel;

// The DNS identity must match what the server's certificate presents (its CN).
EndpointIdentity identity = EndpointIdentity.CreateDnsIdentity("Server");
EndpointAddress address = new EndpointAddress(new Uri("net.tcp://1.2.3.4:12345/ServiceName"), identity);

Replace "Server" with whatever is expected. Typically this would be the common name (CN) of your self-signed certificate. Doing so will not ruin security, provided you take all responsibility for making sure that the presented certificate is valid; that is, create your custom certificate validator and make the relevant checks there.
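A complete client that puts this answer into practice, added here as an example (it is not code from the question or from this answer): it sets the DNS identity to the test certificate's CN and, rather than switching validation off, installs a custom X509CertificateValidator that accepts only the one certificate whose thumbprint was recorded when the certificate was generated. The host name Name-Of-Server-Computer is taken from the question; the port, service path, IService contract and the thumbprint placeholder are assumptions.

```csharp
// Added example, not from the question or either answer.
// Assumptions (placeholders, not values from the page):
//   - the service listens on net.tcp://Name-Of-Server-Computer:12345/ServiceName
//   - the self-signed test certificate was issued with CN=Name-Of-Server-Computer
//   - ExpectedThumbprint is the thumbprint read out of band from the test certificate
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IService
{
    [OperationContract]
    string Ping(string text);
}

// Accepts exactly one certificate: the test certificate whose thumbprint we
// pinned. A certificate for the right name issued by anyone else is rejected,
// so the client never trusts an arbitrary self-signed certificate.
public sealed class ThumbprintValidator : X509CertificateValidator
{
    private readonly string expectedThumbprint;

    public ThumbprintValidator(string expectedThumbprint)
    {
        // Thumbprints copied from the certificate MMC snap-in often contain spaces.
        this.expectedThumbprint = expectedThumbprint.Replace(" ", string.Empty);
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        if (!string.Equals(certificate.Thumbprint, expectedThumbprint,
                           StringComparison.OrdinalIgnoreCase))
        {
            // Throwing here makes WCF fail the channel open.
            throw new SecurityTokenValidationException(
                "Server certificate thumbprint " + certificate.Thumbprint +
                " does not match the pinned test certificate.");
        }
    }
}

public static class ClientFactory
{
    // Placeholder; replace with the real thumbprint of your test certificate.
    private const string ExpectedThumbprint = "<THUMBPRINT-OF-TEST-CERT>";

    public static IService CreateChannel()
    {
        // Transport security over TCP with no client credential: the server
        // presents its certificate, the client presents none (the setup in the question).
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;

        // The DNS identity is what the identity check compares against the
        // DNS claim in the server's certificate, so it must equal the CN.
        EndpointIdentity identity = EndpointIdentity.CreateDnsIdentity("Name-Of-Server-Computer");
        var address = new EndpointAddress(
            new Uri("net.tcp://Name-Of-Server-Computer:12345/ServiceName"), identity);

        var factory = new ChannelFactory<IService>(binding, address);

        // Custom instead of None: the identity check still runs, and on top of
        // it the certificate itself is pinned by thumbprint.
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new ThumbprintValidator(ExpectedThumbprint);

        return factory.CreateChannel();
    }
}
```

When the application moves to production with a CA-issued certificate, the same code keeps working if the DNS identity is changed to the production host name the certificate was issued to and the validator is replaced by ChainTrust (or left Custom with a chain check), so the development shortcut never has to be a disabled check.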

11
votes

The check is always done, and should be. Basically, WCF will check that the certificate is issued to the domain name (yourcompany.com) or machine name where your service resides. This is a security check which I'd never disable! Otherwise, anyone spoofing your service could use any certificate made out to an arbitrary domain / machine name and get your traffic, not what you want!

So what you need to make sure is that your real certificate on the production server is indeed issued to that domain name that the production server will be part of, e.g. if your production server is going to be in "production.yourcompany.com", the certificate needs to be made out to that domain.

Marc

4
votes

certificateValidationMode should be set to "None", not "false"...