Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why does WCF complain over identity check failure?

Tags:

I'm creating a WCF application where I'll be using certificates to encrypt the communication between the client and server. In my development environment, I want to use a test certificate / self signed certificate which I've created using makecert. (Only the server will have a certificate, the client won't).

I've installed the certificate into a certificate store, and everything is working fine. On the client, certificateValidationMode is currently set to "false", since I'm working with a test certificate.

My problem:

In the app.config on the client, I need to specify the identity element as this:

<endpoint ... >
   <identity>
      <dns value="<Name-Of-Server-Computer>"/>
   </identity>
</endpoint>

If I remove the identity element, I get the following error message in the client when I try to connect to the server:

Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'localhost' but the remote endpoint provided DNS claim 'Name-Of-Server-Computer'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'Name-Of-Server-Computer' as the Identity property of EndpointAddress when creating channel proxy.

So here's my questions:

  • Is the identity check only done when using a test/self-signed certificate? When I deploy my application using a real, trusted, certificate purchased from a CA, will the identity check still be made?

  • Is there a way to disable the identity check? I know I can create my own custom certificate validator, but there doesn't seem to be a way to override the identity check using these.

like image 375
Nitramk Avatar asked Oct 27 '09 09:10

Nitramk


1 Answers

The answer to this question is in the error message itself. On the client you can do:

EndpointIdentity identity = EndpointIdentity.CreateDnsIdentity("Server");
EndpointAddress address = new EndpointAddress(new Uri("net.tcp://1.2.3.4:12345/ServiceName"), identity);

Replace "Server", by whatever is expected. Typically this would be the common name (CN) of your self-signed certificate. Doing so will not ruin security, provided you take all responsibility for making sure, that the presented certificate is valid, that is create your custom certificate validator and make relevant checks there.

like image 192
Eiver Avatar answered Sep 17 '22 12:09

Eiver