IgorShare Thoughts and Ideas

Consulting and Training

Part 2 – Securing Server with SSL

Posted by Igor Moochnick on 11/21/2007

Working with certificates is no walk in the park. There is a lot more to it than meets the eye, but I’ll try to walk you through this nightmare step by step in the following set of posts. But first, I’ll show you how you can jump-start your development and encrypt your traffic with some hand-made, self-issued certificates.

There are a lot of ways to self-issue a test certificate, but I’m going to share with you the EASIEST one I use myself. Follow these simple steps, one by one, to create a test certificate:

  1. Create a root certificate:

    makecert -pe -n "CN=Igor Cert Authority" -ss my -sr LocalMachine -a sha1 -sky signature -r "Igor Cert Authority.cer"

    If you run the MMC console with the Certificates snap-in (Computer Account/Local Computer) and navigate to the Certificates/Personal/Certificates node, you will see that the “Igor Cert Authority” certificate is already installed.

  2. Create a certificate for encryption purposes:

    makecert -pe -n "CN=myhost" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Igor Cert Authority" -is my -ir LocalMachine myhost.cer

    Note: it is best to use your machine’s DNS name in all the places where I’ve used “myhost”.

    If you refresh the MMC console with the Certificates snap-in, you’ll see that the new “myhost” certificate has been installed for you as well.

The result of the exercise above is the “myhost.cer” file, which you can now use to encrypt your communication.

For the sake of this demonstration, let’s use the NULL SMTP server I’ve put together. This server will receive all the incoming SMTP requests and will process them as if it’s a real SMTP server. The server will encrypt the incoming communication with the certificate that was created in the steps above.

  1. Create a certificate object from the CERT file:

    // Namespaces needed by the snippets in both steps.
    using System.Net;
    using System.Net.Security;
    using System.Net.Sockets;
    using System.Security.Authentication;
    using System.Security.Cryptography.X509Certificates;

    // Load the server certificate created with makecert above.
    X509Certificate serverCertificate = X509Certificate.CreateFromCertFile("myhost.cer");

  2. As soon as the new client connection is established – encrypt the stream with this certificate:

    TcpListener listener = new TcpListener(IPAddress.Loopback, port);
    // ...
    TcpClient client = listener.AcceptTcpClient();
    // ...

    // Create the SslStream using the client's network stream.
    SslStream sslStream = new SslStream(client.GetStream(), false);

    // Authenticate the server but don't require the client to authenticate.
    sslStream.AuthenticateAsServer(serverCertificate, false, SslProtocols.Tls, false);
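
The .cer file written by makecert holds only the public certificate; the private key stays in the LocalMachine Personal store. The following is an added example (not the NULL SMTP Server source and not the author's code) that loads the "myhost" certificate from that store, checks that it has a private key, and authenticates with TLS 1.2. It assumes .NET Framework 4.5 or later, a client that supports TLS 1.2, and port 465, none of which the post specifies.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class TlsListenerExample
{
    // Added example: return the LocalMachine\My certificate whose CN equals subjectName and has a private key.
    static X509Certificate2 LoadServerCertificate(string subjectName)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // FindBySubjectName matches substrings, so the CN is compared exactly; validOnly is false for the test chain.
            foreach (X509Certificate2 cert in store.Certificates.Find(
                         X509FindType.FindBySubjectName, subjectName, false))
                if (cert.HasPrivateKey && cert.GetNameInfo(X509NameType.SimpleName, false) == subjectName)
                    return cert;
        }
        finally { store.Close(); }
        throw new InvalidOperationException("No certificate with a private key found for CN=" + subjectName);
    }

    static void Main()
    {
        X509Certificate2 serverCertificate = LoadServerCertificate("myhost");
        TcpListener listener = new TcpListener(IPAddress.Loopback, 465); // port is an assumption
        listener.Start();
        while (true)
        {
            using (TcpClient client = listener.AcceptTcpClient())
            using (SslStream sslStream = new SslStream(client.GetStream(), false))
            {
                try
                {
                    // Server-only authentication, pinned to TLS 1.2 instead of SslProtocols.Tls (TLS 1.0).
                    sslStream.AuthenticateAsServer(serverCertificate, false, SslProtocols.Tls12, false);
                    Console.WriteLine("Handshake complete: " + sslStream.SslProtocol);
                }
                catch (AuthenticationException e) { Console.WriteLine("Handshake failed: " + e.Message); }
                catch (IOException e) { Console.WriteLine("Connection dropped: " + e.Message); }
            }
        }
    }
}
```

Run it from an account that can read the LocalMachine private key, which by default means an elevated prompt.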

To test the server, I’ve used Outlook Express (in most cases it is installed by default on every machine). Don’t forget to tell Outlook Express that the communication should be secure (note the check box in the Outgoing SMTP mail section).

After the configuration is complete, have fun sending e-mails. The server will process all the outgoing traffic over the encrypted channel.

You can download the source of the NULL SMTP Server from my site here.

Tune in for the upcoming set of articles that will show you a lot of new and cool stuff.

2 Responses to “Part 2 – Securing Server with SSL”

  1. Igor said

    There is a pretty nice blog post about self-issued certificates from John Howard – http://blogs.technet.com/jhoward/archive/2005/02/02/365323.aspx

  2. […] show you how to use the workflows, I’ve translated the SMTP state machine, shown in my previous post . You can see the workflow on the picture […]
