Need help on choosing a networking API RRS feed

  • General discussion

  • For my Metro style application I would like to create a TCP connection with a web server and pass requests back and forth.  This is easy with WinInet, WinHttp, or OpenSSL/curl but none of those are available for Metro apps.  As a result, does anyone have a recommendation about which networking constructs to use?  I have the following requirements:

    1) https is required.  http or other transports are not needed.

    2) Client certificate authentication must be supported if the server requests it.

    3) I must be able to retrieve the server certificate if it does not validate (e.g. it is self-signed, expired, etc.).

    4) I must be able to ignore certain types of certificate verification failures after prompting the user to continue.

    Windows.Networking.Socket.StreamSockets doesn't seem to have what I want because according to http://social.msdn.microsoft.com/Forums/en-US/winappswithnativecode/thread/9d82dc3f-5605-48da-be4d-12061370180f it doesn't support client certificate authentication so requirement #2 isn't fulfilled.  I also can't find a way to do #3 or #4.

    Windows.Security.Authentication.Web.WebAuthenticationBroker also doesn't seem to have what I want because I can't find a way to retrieve the server certificate if validation fails so requirement #3 isn't fulfilled.

    Can anyone provide some recommendations here?  Thanks!

    Monday, March 5, 2012 7:17 PM

All replies

  • Hi,

    According to your requirements, I recommend you use StreamWebSocket which communicates with your web server over WebSocket Protocol.

    It supports two URI schemes. One is ws: used for unencrypted connections. Another is wss: used for secure connections that should be encrypted. You can choose wss: URI scheme. Please refer to How to secure WebSocket connections with TLS/SSL.

    For certificate, you can set StreamWebSocketControl.ServerCredential which is used to authenticate to the WebSocket server through HTTP header authentication.

    Meanwhile, you can use StreamWebSocketControl class to set more control data.

    Here is an example Connecting with WebSockets sample for your reference.

    Best wishes,

    Robin [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Wednesday, March 7, 2012 1:43 PM
  • Thanks for the response, Robin.  I don't believe that this will work because we have to support legacy servers that don't implement WebSockets support.  But even if it did, I don't think that the StreamWebSocket APIs fulfill the requirements I listed above.

    First, I don't see how StreamWebSocketControl.ServerCredential allows you to use client-side certificates for authentication.  That documentation only refers to passwords.  In order to support client-side certificates a networking library tends to need to have been designed to allow that, because for example it will need to provide the application a list of certificate authorities that the server accepts.

    And also, I don't see how #3 and #4 are possible using StreamWebSockets.  The documentation doesn't mention being able to retrieve a server certificate or ignore certificate errors.

    • Edited by Adam Gross Wednesday, March 7, 2012 2:23 PM
    Wednesday, March 7, 2012 1:48 PM
  • Hi Adam,

    Have you considered using the .NET classes to accomplish your task? Specifically the HttpWebRequest and HttpWebResponse classes?

    You would need to build that portion of the app in C# or VB, but it's a possible option as you are blocked on your requirement #2 using StreamSockets.

    It would be helpful if you could provide your feedback for requesting this feature for supporting certificates in our WinRT sockets. Here are the instructions for using the feedback tool. Use the category: Windows Kits\Software Development Kit\API missing.

    Thank you for posting your feedback, we want to make sure
    we get the right info including a detailed description and important log
    files.  Can you also submit feedback using the Windows Feedback Tool from
    the Microsoft Connect Site associated with the Windows 8 pre-release
    programs?  Click the follow limited use link
    to join the Connect program and then follow these steps.


    To provide feedback once the Windows Feedback Tool is

    1. Open the Send Feedback icon on the Start screen.
      (Note: Make sure you don’t delete the icon – once it’s deleted, it can’t be
    2. On the left side of the window, select the
      relevant area for your feedback. For example, if your feedback is about
      changing the background color, you would select “Appearance and Customization.”
    3. On the right side, choose the issue that matches
      your feedback as closely as possible, and then click or tap Next.
    4. Enter a title that describes your issue. For
      example, “Windows hangs during shutdown after installing updates.”
    5. In the next field, describe step-by-step what
      you were doing when the issue occurred. This will help us reproduce the
    6. In the bottom field of the screen, provide as
      much additional detail as possible about the issue, and then click or tap Next.
    7. Review the information being reported about your
      system. Add any files necessary to reproduce the issue and add a screenshot if
      the problem is still visible on your screen. Then, click or tap Send Report.

    David Lamb

    Wednesday, March 7, 2012 6:01 PM
  • Thanks for the feedback, David.  It does appear that I am looking for a more developed HTTPS library than just using sockets and I saw that this BUILD presentation mentioned how sockets aren't really well-suited for normal HTTP/HTTPS posts which I would tend to agree with.  However, I am strongly hoping to stay away from using C# and am hoping instead to use either C++ or HTML5/JS if at all possible.  So if there are any alternatives that MS provides to Metro Javascript apps, that could work too.

    It's funny that you mention HttpWebRequest; I was actually just exploring HttpWebRequest and HttpClient earlier today in case that would help me.  This MSDN article made me hopeful that I could use HttpWebRequest within Javascript but I'm not able to get it to work.  I'm not sure how their sample code in that article is getting access to HttpWebRequest while I'm not.  Regardless, I will provide some official feedback to Microsoft with requests for alternatives.

    Wednesday, March 7, 2012 6:17 PM
  • Ah, in that case let me get a JavaScript aware person to chime in on this to see if you could meet your requirements in that type of project.

    David Lamb

    Wednesday, March 7, 2012 6:50 PM
  • Hi Adam,

    You really would be best off using the HttpClient on the .NET side.  You could also use XHR on the javascript side but it sounds like you anticipate you want to do some other things other than simply send an HTTPS post and get the response?

    There are samples going both directions.  Search HttpClient in samples and you will find a great one there.


    Jeff Sanders (MSFT)

    Wednesday, March 7, 2012 6:58 PM
  • Thanks for the reply, Jeff.  Yeah, it does sound like XHR is a bit lightweight for what I am looking to do given that it doesn't seem to be able to (a) handle client-side certificate authentication or (b) allow me to ignore certain certificate errors.  I agree that my best bet is to write a C# WinRT component dll that wraps calls to HttpClient or HttpWebRequest and then use it from a Javascript or C++ Metro style app.  I will look into doing that.
    Wednesday, March 7, 2012 7:19 PM
  • I would also need the modern networking support (client certificates with https) in WinRT that I already have in WinHTTP for C++.  The lack of this support for Window Phone put it on the backburner versus the competition.

    Wednesday, March 7, 2012 9:18 PM
  • Hi Andrew,

    Yup, your best bet is to create a Winmd component and leverate the HttpClient.  That will give you everything you need.


    Jeff Sanders (MSFT)

    Wednesday, March 7, 2012 9:20 PM
  • Also take a look at the previous thread Sending an HTTP request via C++ / WinRT for some links to existing C++ HTTP libraries that you might want to look into.


    Friday, March 9, 2012 4:14 AM
  • For anyone who finds this thread in the future, here is a link to an example on MSDN of a Javascript component using a C# library.  I found it extremely helpful.
    Tuesday, March 13, 2012 5:58 PM
  • I looked through all of the samples but it seems that a lot of the classes that I need are no longer available in Metro classes using C#.  Specifically this forum thread has sample code that is indicative of most that I have found.  However I can't use those ideas for the following reasons:

    1) System.Net.ServicePointManager isn't available so I can't use ServerCertificateValidationCallback.

    2) System.Security.Cryptography isn't available so I can't use the classes needed to verify certificates.

    3) System.Net.Security.SslStream isn't available so I can't use that either.

    Am I missing a project property that gives me access to those classes?  If not, is there a new way in Metro for me to fulfill requirements #3 and #4 that I mentioned in my original posting?

    Wednesday, March 14, 2012 8:14 PM
  • Hi Adam,

    You need to esure your server certificates are valid for that system.  Metro will not allow you to override server certificate validation.

    So to be clear, you cannot do #3 and #4 of your requirements without writing some significant code on your own to basically take over the protocol and client stack with your own implementation.

    Why do you need to do this?  What is your deployment scenario?  For instance, you would not put this app up on the store because it bypasses the certificate check.


    Jeff Sanders (MSFT)

    Thursday, March 15, 2012 5:42 PM
  • Ouch; that's very unfortunate.  Will any Metro libraries allow me to do client certificate authentication?  I can't find support in any of the libraries.
    Thursday, March 15, 2012 5:44 PM
  • Hi Adam,

    No sorry.  What are the scenarios where you think this would be necessary in a production quality app?  Can you workaround this by ensureing your servers are trusted?


    Jeff Sanders (MSFT)

    Thursday, March 15, 2012 5:47 PM
  • Our product ships with self-signed certificates by default on the server.  We strongly recommend that customers replace these self-signed certificates with verifiable certificates but customers often want our products to work when the certificates aren't verified while doing proof-of-concepts.  That is why our client applications have multiple certificate verification modes that the administrator can enforce: 1) only allow fully verified connections (definitely doable in Metro with some caveats*), 2) warn users when connecting to servers with self-signed certificates but allow them to continue, and 3) don't do any certificate verification.  Different customers have different preferences.  #2 and #3 don't seem possible.

    As far as doing client certificate authentication, this is a standard feature that is a requirement for government customers, with their CAC mandate and all.  Browsers get to cheat and have their Metro hybrid app use old networking libraries that offer the ability to do smart card authentication but other apps will need to be able to do this too.

    * One downside of Metro is that we don't get access to the server certificate to show to the user.  When displaying a certificate error it is immensely helpful to be able to show them actual server certificate information so they know why it is not trusted.

    Thursday, March 15, 2012 6:12 PM
  • Hmm, I see.

    Yes 2 and 3 won't be possible.  Now as you probably realize they could install the server cert as a trusted root to get around this manually.

    I think also it would be useful to see the reason the cert is not verified.  Definately something you could do by jumping into the Desktop IE but that may not be on all platforms and is not as elegant.  I have not looked what information is available in the exception but I will try and find time to test that today.

    You can supply a client cert with HttpClient and other libraries.  You spotted that already correct?


    Jeff Sanders (MSFT)

    Thursday, March 15, 2012 6:24 PM
  • Are you talking about HttpWebRequest.ClientCertificates?  If so, that doesn't seem to be available on Metro.  Is there some other API that is available on Metro?
    • Edited by Adam Gross Thursday, March 15, 2012 6:47 PM
    Thursday, March 15, 2012 6:47 PM
  • Certs in Metro style apps are different than what you are used to.  You can install and use certs based on manifest information (to include installing a trusted root).  http://msdn.microsoft.com/en-us/library/windows/apps/hh465044.aspx  and http://msdn.microsoft.com/en-us/library/windows/apps/xaml/hh464941.aspx  I do not know if there is a walktrough of this however.  Let me hunt around for this and see if there is not, what I can get published quickly.  The banking sample comes to mind off the top of my head...


    Jeff Sanders (MSFT)

    Thursday, March 15, 2012 7:44 PM
  • This is the exception you will get when the cert is not trusted:

    [System.Security.Authentication.AuthenticationException] {"The remote certificate is invalid according to the validation procedure."} System.Security.Authentication.AuthenticationException

    So you could trap this exception and report it out to your customer.  Did you take a look at those other links and will they help you with your other cert issues?

    Jeff Sanders (MSFT)

    Friday, March 16, 2012 6:25 PM
  • Hi Jeff, I appreciate the help but I don't think that this resolves my issues.  Here is my reasoning:

    • I understand that I can extract the reason for the certificate validation failure but I want to actually show the user the certificate fields (e.g. issuer, hostname, thumbprint, etc) so they can know more.
    • It is nice to know that I can retrieve certificates from the MY store and encrypt or sign data using them, but if the SSL library doesn't allow me to plug the certificates in I still can't do certificate authentication to a server.  This is because client certificate authentication is part of the SSL handshake and the SSL library is the one that handles the handshake.

    • Edited by Adam Gross Monday, March 19, 2012 3:25 PM
    Monday, March 19, 2012 3:25 PM
  • Hi Adam,

    Look for some more information this month on certificates.  I will update this thread with that information when it is available.


    Jeff Sanders (MSFT)

    Tuesday, March 20, 2012 5:14 PM
  • Hey Jeff, now that the Release Preview of Win8 and VS2012 are out, are there any updates on this?
    Tuesday, June 5, 2012 1:39 PM
  • Bump.  Any updates now that the release preview is out?
    Monday, July 16, 2012 8:44 PM
  • Hi Adam,

    You can include server certificates in your package to get around your validation issue.

    You cannot display failure information or have your own certificate validation routines.

    The app can use installed client certificates.

    I answered a couple of certificate questions in the C# forum that you all may find useful:

    Provide Client side certificate:


    Include Server certificate in manifest so application can trust an non-trusted or self-issued server certificate:



    Jeff Sanders (MSFT)

    Wednesday, July 18, 2012 5:54 PM
  • Thanks for the response.  Remember that my original complaint about using installed client certificates wasn't about getting access to the certificates but instead was that there was no way to plug them into a Microsoft-provided networking library so they can be used as part of the SSL handshake, which is how client -> server certificate authentication is usually done (see here for more information).  Specifically, HttpWebRequest.ClientCertificates wasn't available in Metro at the time of the consumer preview.  From your link it sounds like all we can do is have HttpClient automatically choose the certificate and we can't manually do it, so I posted a follow-up question there.  That's pretty unfortunate, because it's a fairly significant reduction in capability for a networking library.  This is like WinInet from years and years ago!

    • Edited by Adam Gross Thursday, July 19, 2012 11:25 AM
    Thursday, July 19, 2012 11:20 AM
  • That is commonly called Mutual authentication and has never been part of the stack.  The stack has only ever allowed you to send a client cert when requested by the server.


    Jeff Sanders (MSFT)

    Thursday, July 19, 2012 11:37 AM
  • Yeah I would never want to use certificate authentication unless it is requested by the server.  But still, I want the ability to be able to be notified when the server requests a client certificate and to be able to prune down the list of certificates in the Personal store, show them to the user (if there are more than 1), and then use the certificate that they select.  I haven't been able to find a way to do that, even in the Banking example solution.
    Thursday, July 19, 2012 12:01 PM
  • Today the only way to show client certificates is by using XHR (we cannot comment about future plans if any).  It will prompt you if there are more than one cert available.   Using HttpClient and shared client certs you get the first client cert in your store.  Using a smart card you can use the hardware only flag in the cert manifest (probably the most popular options for large corps and govt).


    Jeff Sanders (MSFT)

    Thursday, July 19, 2012 12:07 PM
  • Thanks Jeff.  I confirmed that using IXMLHttpRequest2 prompts the user for the smart card automatically as long as the "Shared User-Certificates" capability is checked, which is exactly what I was looking for.
    Thursday, July 19, 2012 6:49 PM
  • New in Windows 8.1: the Windows.Web.Http HttpClient API.  This is an easy-to-use, full-featured HTTP API that works in all languages: C++, .NET (C#, VB) and JavaScript.    Advantages of the new API include: strongly typed headers (meaning: you write fewer bugs in less time), full support for standard WinRT async concepts and data types.

    HttpClient also lets you inject your modular filter code into the HTTP processing pipeline, letting you handle logging, testing, retry and auth more naturally.  Samples of filters include retry and metered network filters in the HttpClient sample, and OAUTH and OAUTH 2.0 support in the Web Authentication Broker sample.

    (Note that the existing IXHR2 code is still available for developers, and your existing Windows 8 code should continue to work as expected)

    There's a //build/ 2013 video for the new API at http://channel9.msdn.com/Events/Build/2013/4-092

    We also have samples at http://code.msdn.microsoft.com/windowsapps/HttpClient-sample-55700664

    There's an OAUTH 0 filter sample at http://code.msdn.microsoft.com/windowsapps/Web-Authentication-d0485122

    And there's documentation at http://msdn.microsoft.com/en-us/library/windows/apps/windows.web.http.aspx

    Network Developer Experience Team (Microsoft)

    Tuesday, July 16, 2013 9:32 PM