Securing WCF Compression via HTTPS
April 8, 2009
Posted by on
I had blogged some time earlier about making GZipCompression work for large messages over WCF. Though GZipCompression reduces the overall size of message, message per se is vulnerable from security perspective. To encrypt this message transfer via HTTPS you need to follow below steps:
1) Change BindingElement from httpTransport to httpsTransport
<gzipMessageEncoding innerMessageEncoding=”textMessageEncoding” />
<httpsTransport … />
2) Now you need to enable support in IIS 7 by adding a Binding for https as shown below:
(Note the above would require a certificate. Easiest way in which you can create it in IIS 7 is by clicking on root computer name and then going to Server Certificates in features view, edit it, to create a self signed certificate for development environment. If you are on IIS 6 you can refer to Step 5 below).
3) Repeat Step 1 for client’s app.config
4) Ensure that all service URLs are https in app.config
5) To create a dummy certificate (for development environment) open VS.NET command prompt & key in :
a) makecert -pe -sr CurrentUser -ss My -n CN=YourCertificateNameHere -sky exchange (Certificate will be created in Current User’s personal store. For more options on certificate generation click here.)
b) certmgr : This will open the Current User’s certificate store. Go to Personal & select the certificate you created in previous command & right click it -> All Tasks -> Export -> Select Private Key (.pfx) -> Enter your password -> select the physical path for export -> Finish.
You are ready to move around with certificate you just created (N.B. not selecting to export the private key will give you a public certificate with .cer extension)
6) Your certificate name has to match the machine name or you can change system32/drivers/etc/hosts to make 127.0.0.1 bind to certificate name. This is required because a self signed certificate is not trusted by default.