none
WWSAPI server side handling of SSL Client Certificates RRS feed

  • Question

  • Hi,

    Does anyone have experience with SSL client certs (X.509) in WWSAPI server side? I need client certificates to be accepted (not ignored or required). My clients don't always present them, but I need to handle them when they do.

    I'm having trouble figuring this out in my native C++ server app. This uses:

       WS_SSL_TRANSPORT_SECURITY_BINDING sslBinding = {}; // zero out the struct
       sslBinding.binding.bindingType = WS_SSL_TRANSPORT_SECURITY_BINDING_TYPE; // set the binding type

    My SSL Certificate bindings correctly show that "Negotiate Client Certificates" is Enabled (I can see this when I run "netsh http show sslcert"). When I enabled this, the SSL negotiation issues a Certificate Request to the client and a client cert (from a Smart Card) is prompted for and sent to the server. I can see this on the server side when I call WsGetMessageProperty() with WS_MESSAGE_PROPERTY_ENCODED_CERT. So far so good.

    My problem is that any HTTPS requests coming in that don't have a client certificate as part of the SSL negotiation fail returning HTTP error 403 (Forbidden). This is presumably because I am specifying a WS_SECURITY_BINDING_PROPERTY of WS_SECURITY_BINDING_PROPERTY_REQUIRE_SSL_CLIENT_CERT as TRUE.

    I've tried setting this to FALSE and then the 403 errors go away. But then for requests that do have a client cert, calling WsGetMessageProperty() with WS_MESSAGE_PROPERTY_ENCODED_CERT fails with error 0x00000000803D0003 (The operation is not allowed due to the current state of the object.). Extended error text is "The requested security property ID '15 (0xF)' is not available for the current channel security settings". This is presumably happening because WS_SECURITY_BINDING_PROPERTY_REQUIRE_SSL_CLIENT_CERT is now FALSE.

    I need to have client certs optional. I'm not using IIS, but I notice that IIS has options for Client Certificates in SSL options of "Ignore", "Accept", "Require". I seem to be able to do Ignore and Require but not Accept. As it's http.sys underneath I assume there must be a way I can do the same.

    I was expecting to see an alternative to WS_SECURITY_BINDING_PROPERTY_REQUIRE_SSL_CLIENT_CERT of something like WS_SECURITY_BINDING_PROPERTY_ACCEPT_SSL_CLIENT_CERT but I can't find anything like that.

    Any pointers greatly appreciated.

    Mark

     

    Friday, January 3, 2014 3:00 PM