locked
Security: TLS with net.tcp binding RRS feed

  • Question

  • Hi,

    I have a service on the internet that accepts calls from clients and sets up a duplex session so the server can query the client as required. I chose the net.tcp binding because it supports duplex sessions without opening a port on the client's firewall as is required with WsDualHttpBinding. The clients authenticate in the application layer.

    I have installed a certificate on the server and set the SecurityMode = Transport, ProtectionLevel = EncryptAndSign and ClientCredentialType = None. I load the certificate with a call to ServiceHost.Credentials.ServiceCertificate.SetCertificate( ... ). This all works fine.

    My question is: is this secure, or do I also need Message Security?

    By secure, I mean:

    * The client can verify it's talking to the correct server

    * No-one else can read the messages passed both on the initial connection and on the duplex callback channel.

    Thanks,

    Nick

    Sunday, March 4, 2012 10:57 AM

Answers

  • Hello, in most cases it should be secured. However note since you're using transport security, ProtectionLevel is ignored. The message itself is not encrypted, but the communication is encrypted. Also since you don't authenticate the client, any clients can access your service. So be careful with what data you return.

    Lante, shanaolanxing This posting is provided "AS IS" with no warranties, and confers no rights.
    If you have feedback about forum business, please contact msdnmg@microsoft.com. But please do not ask technical questions in the email.

    Monday, March 5, 2012 2:01 AM