2
votes

I'm doing some testing with WCF and we currently have the following Server setup (simplified config):

<netTcpBinding>
  <binding name="netTcp" ... >
    <security mode="Transport">
      <transport clientCredentialType="None"/>
    </security>
  </binding>
</netTcpBinding>

...

<serviceBehaviors>
  <behavior name="defaultServiceBehavior">
    <serviceCredentials>
      <serviceCertificate findValue="OurCert"
                          storeLocation="LocalMachine"
                          storeName="My"
                          x509FindType="FindBySubjectName"/>
    </serviceCredentials>
  </behavior>
</serviceBehaviors>

And the following Client config:

<endpointBehaviors>
  <behavior name="NoRevNoValid">
    <clientCredentials>
      <serviceCertificate>
        <authentication certificateValidationMode="None"
                        revocationMode="NoCheck"/>
      </serviceCertificate>
    </clientCredentials>
  </behavior>
</endpointBehaviors>

So, the idea is that the server certificate is used to encrypt the data, but that the Client does not bother to validate the certificate (the client won't have the CA for the certificate anyway).

However, this configuration does not stop the client from validating the certificate. It still tries to walk the chain of trust and look for revocation lists.

I have found this link stating that the certificateValidationMode attribute does NOT apply to net.tcp bindings.

I have looked at handling the ServicePointManager.ServerCertificateValidationCallback event, but again it appears that this only applies to Http-based bindings.

Presumably these are both because when using the net.tcp binding, the transport security is handled out of scope of the application?

Is there any other way of forcing validation of the certificate to not take place?


2 Answers

2
votes

After much testing, it appears that the link stating that the certificateValidationMode attribute does NOT apply to net.tcp bindings is WRONG!

This option still applies to net.tcp bindings.

However, the certificate used for the net.tcp transport security is still loaded and its CAs and CRLs are still attempted to be resolved. The certificate I was using contained URLs for both CRL and CAs, so the cert store was going off to resolve these each time (the URLs were unavailable) even though the WCF config was then saying to ignore whether the certificate was invalid.

So the answer is that the WCF config certificateValidationMode does still apply; it's just that the certificate will still be "resolved" by the cert store. This should not be a huge issue for most people, but I am going to do some further tests regarding the URLs that the certificate has, because these are causing us major latency issues during connection.
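Since the answer above confirms that the client's certificateValidationMode is honoured for net.tcp, a less drastic option than None is a custom validator that pins the server certificate by thumbprint, which needs neither the issuing CA nor its CRLs. This is an added example, not code from the question or either answer; the thumbprint value and the DNS identity "OurCert" (taken from the server config's subject name) are placeholders, and, as the answer notes, the certificate store may still try to resolve the certificate's embedded URLs independently of this setting.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Accepts exactly one server certificate, identified by its thumbprint.
// No chain is walked here, so an unknown CA or unreachable CRL does not fail the check.
public sealed class ThumbprintValidator : X509CertificateValidator
{
    private readonly string _expected;

    public ThumbprintValidator(string expectedThumbprint)
    {
        _expected = expectedThumbprint.Replace(" ", string.Empty).ToUpperInvariant();
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null) throw new ArgumentNullException(nameof(certificate));
        if (!string.Equals(certificate.Thumbprint, _expected, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException("Server certificate does not match the pinned thumbprint.");
        // Still reject a certificate that is expired or not yet valid.
        var now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException("Pinned server certificate is outside its validity period.");
    }
}

public static class PinnedNetTcpClient
{
    // Equivalent of the question's client config, built in code so the validator can be attached.
    public static ChannelFactory<TChannel> Create<TChannel>(string address, string pinnedThumbprint)
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;

        // The DNS identity must match the server certificate's subject name ("OurCert" in the question).
        var endpoint = new EndpointAddress(new Uri(address), EndpointIdentity.CreateDnsIdentity("OurCert"));
        var factory = new ChannelFactory<TChannel>(binding, endpoint);

        var auth = factory.Credentials.ServiceCertificate.Authentication;
        // Weak setting from the question (no check at all):
        //   auth.CertificateValidationMode = X509CertificateValidationMode.None;
        // Hardened: pin the one certificate we expect, skip CRL lookups we cannot reach anyway.
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new ThumbprintValidator(pinnedThumbprint);
        auth.RevocationMode = X509RevocationMode.NoCheck;
        return factory;
    }
}
```

Call `PinnedNetTcpClient.Create<IYourContract>("net.tcp://host:port/service", "<THUMBPRINT-PLACEHOLDER>")` with the thumbprint read from the server's certificate, and rotate the pinned value whenever that certificate is replaced.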

0
votes

In my case using a CertificateValidator = X509CertificateValidator.None helps:

Non-working code:

// Validation settings placed on the configuration object only.
var handler = new Saml2SecurityTokenHandler();
var configuration = new SecurityTokenHandlerConfiguration
{
    RevocationMode = X509RevocationMode.NoCheck,
    CertificateValidationMode = X509CertificateValidationMode.None
};

handler.ValidateToken(saml2Token) gives an exception:

The X.509 certificate CN=cn.name.com chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust.

working code:

// Validator set directly on the handler instead.
var handler = new Saml2SecurityTokenHandler { CertificateValidator = X509CertificateValidator.None };
var configuration = new SecurityTokenHandlerConfiguration();