WCF Service with Message Level Encryption over HTTPS

  • Question

  • Hi

    I have seen one or two questions about this but no definite answers.  I have a customer requirement to implement a WCF-based client/server solution using Message Encryption AND HTTPS.  I understand that WCF doesn't support this as standard, and the options are HTTP with Message Encryption, HTTPS without Message Encryption, or HTTPS with Message Credentials.

    None of these will satisfy the customer requirement. I have control over both the service and the desktop-based clients. The service is hosted at my location and the clients access it over the internet.

    I have dug around for days (and nights :( ) trying out custom bindings and so on, but whenever I try to combine message encryption with Https, I come up against this error:

    "The binding contains both a SymmetricSecurityBindingElement and a secure transport binding element. Policy export for such a binding is not supported."

    I would prefer to use username/password for authentication but I am prepared to use client certificates if this makes it possible. So far I haven't found any combination which is acceptable to WCF.

    Is there any way to achieve this or am I just wasting my time?  I would value a quick answer because my customer's deadline is drawing very near!


    Saturday, August 2, 2014 10:19 AM

All replies

  • I'm trying to do something similar right now (SSL, message encryption, username/password authentication), and I'm also starting to think it's not possible, at least not without some hacking that I don't know about. If I understand this post correctly, when your client machine connects directly to your service machine over SSL you'll have a point-to-point connection, meaning it's secured via SSL, and the authentication (username/password values) is secured with WS-Security.

    An interesting analogy used in that post is online banking over SSL. Since the client and Server have a point-to-point connection, you'll have a secure channel.

    Monday, August 4, 2014 11:20 AM
  • Thanks for your reply.  Your understanding is correct if you use <security mode="TransportWithMessageCredential">.  This gives you SSL and enforces username/password authentication.

    However my requirement is to use transport encryption (SSL) and message encryption.  This may be over the top, but is what the client has specified :(

    If I can achieve this then I will have secure point-to-point connection (SSL) but also the SOAP payload will be encrypted before it reaches the transport layer.  This message-level encryption is the preferred method for multi-hop routes - like in your example where there are multiple webservers.  However, WCF decides that transport security (SSL) is unnecessary in this mode and so won't allow it to be configured.

    The standard WCF <security> modes allow SSL (mode="Transport"), Message security (mode="Message"), and a mixture of the two (mode="TransportWithMessageCredential"). What I really need is mode="Message" over Https, but that is where WCF complains and won't let me do it.

    It may be possible as you suggest by some lower-level hacking, but time does not permit at the moment.

    Any further thoughts welcome!


    Monday, August 4, 2014 12:15 PM
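For reference, here are the two configurations the thread contrasts, written out as an added example (not from either poster): the supported `TransportWithMessageCredential` binding that gives SSL plus WS-Security username/password, and a `customBinding` that stacks a symmetric message-security element on an HTTPS transport, which is the combination WCF rejects when it exports policy for the service metadata (the "Policy export for such a binding is not supported" error). Binding names and the service/contract names are placeholders.

```xml
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Supported: SSL protects the channel, the UserName token is
           carried in the SOAP security header (WS-Security). -->
      <binding name="SslWithUserName">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>

    <customBinding>
      <!-- Rejected: authenticationMode="UserNameForCertificate" creates a
           SymmetricSecurityBindingElement (the SOAP body is encrypted with a
           key protected by the service certificate), and httpsTransport is a
           secure transport element. WCF refuses to export WS-SecurityPolicy
           for this pair, so metadata publishing (mex / ?wsdl) fails with the
           error quoted in the question. -->
      <binding name="MessageEncryptionOverHttps">
        <security authenticationMode="UserNameForCertificate" />
        <textMessageEncoding messageVersion="Soap12WSAddressing10" />
        <httpsTransport />
      </binding>
    </customBinding>
  </bindings>

  <services>
    <service name="Placeholder.MyService">
      <!-- Works as described in the replies. -->
      <endpoint address="secure"
                binding="wsHttpBinding"
                bindingConfiguration="SslWithUserName"
                contract="Placeholder.IMyService" />
      <!-- Triggers the policy-export error as soon as metadata is requested. -->
      <endpoint address="doubleEncrypted"
                binding="customBinding"
                bindingConfiguration="MessageEncryptionOverHttps"
                contract="Placeholder.IMyService" />
      <endpoint address="mex" binding="mexHttpsBinding"
                contract="IMetadataExchange" />
    </service>
  </services>

  <behaviors>
    <serviceBehaviors>
      <behavior>
        <!-- The WSDL exporter runs when this is enabled. -->
        <serviceMetadata httpsGetEnabled="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```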