IgorShare Thoughts and Ideas

Consulting and Training

Archive for November, 2007

Part 2 – Securing Server with SSL

Posted by Igor Moochnick on 11/21/2007

It’s not a walk in the park to work with certificates. There are more bells and whistles to them than meet the eye, but I’ll try to walk you through this nightmare step by step in the following set of posts. But first, I’ll show you how to jump-start your development and encrypt your traffic with some hand-made, self-issued certificates.

There are a lot of ways to self-issue a test certificate, but I’m going to share with you the EASIEST one, which I use myself. Follow these simple steps, one by one, to create a test certificate:

  1. Create a root certificate:

    makecert -pe -n "CN=Igor Cert Authority" -ss my -sr LocalMachine -a sha1 -sky signature -r "Igor Cert Authority.cer"

    If you run the MMC console with the Certificates snap-in (Computer Account/Local Computer) and navigate to the Certificates/Personal/Certificates node, you will see that the “Igor Cert Authority” certificate is already installed.

  2. Create a certificate for encryption purposes:

    makecert -pe -n "CN=myhost" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Igor Cert Authority" -is my -ir LocalMachine myhost.cer

    Note: it is best to use your machine’s DNS name in all the places where I’ve used “myhost”.

    If you refresh the MMC console with the Certificates snap-in, you’ll see that the new “myhost” certificate has been installed as well.

The result of the exercise above is the “myhost.cer” file that you can now use to encrypt your communication.

For the sake of this demonstration, let’s use the NULL SMTP server I’ve put together. This server receives all incoming SMTP requests and processes them as if it were a real SMTP server. The server encrypts the incoming communication with the certificate that was created in the steps above.

  1. Create a certificate object from the CERT file:

       X509Certificate serverCertificate = X509Certificate.CreateFromCertFile("myhost.cer");

  2. As soon as the new client connection is established, encrypt the stream with this certificate:

       TcpListener listener = new TcpListener(IPAddress.Loopback, port);
       ...
       TcpClient client = listener.AcceptTcpClient();
       ...

       // Create the SslStream using the client's network stream.
       SslStream sslStream = new SslStream(client.GetStream(), false);

       // Authenticate the server but don't require the client to authenticate.
       sslStream.AuthenticateAsServer(serverCertificate, false, SslProtocols.Tls, false);
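Here is a complete, runnable version of the server side as an added example; it is not the NULL SMTP Server code from this post. It loads the “myhost” certificate from the LocalMachine\My store (where makecert -ss my -sr LocalMachine put it) instead of from myhost.cer, because a .cer file holds only the public certificate and AuthenticateAsServer needs the private key; on the .NET Framework the CreateFromCertFile approach above works because SslStream tries to find the matching private key in the certificate store of the machine where makecert ran, and the HasPrivateKey check below makes that requirement explicit. Port 2525, the subject name “myhost” and the minimal SMTP-style replies are constructed for the example, and it assumes .NET 4.5 or later so that it can require TLS 1.2 rather than the SslProtocols.Tls (TLS 1.0) used above.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added example: a minimal TLS server that greets SMTP-style and answers each line.
static class TlsTestServer
{
    // Find the certificate makecert created in LocalMachine\My and insist on a private key:
    // a certificate loaded from a bare .cer file has none and cannot serve a TLS handshake.
    static X509Certificate2 LoadServerCertificate(string subjectName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, validOnly: false);
            foreach (X509Certificate2 cert in matches)
            {
                if (cert.HasPrivateKey)
                    return cert;
            }
            throw new InvalidOperationException(
                "No certificate with a private key for '" + subjectName + "' in LocalMachine\\My");
        }
        finally
        {
            store.Close();
        }
    }

    static void Main()
    {
        // "myhost" is the subject used in the makecert step; use your DNS name here.
        X509Certificate2 serverCertificate = LoadServerCertificate("myhost");

        var listener = new TcpListener(IPAddress.Loopback, 2525); // constructed test port
        listener.Start();
        Console.WriteLine("Listening on 127.0.0.1:2525");

        while (true)
        {
            using (TcpClient client = listener.AcceptTcpClient())
            using (var sslStream = new SslStream(client.GetStream(), leaveInnerStreamOpen: false))
            {
                try
                {
                    // The server authenticates itself; no client certificate is requested.
                    sslStream.AuthenticateAsServer(serverCertificate,
                        clientCertificateRequired: false,
                        enabledSslProtocols: SslProtocols.Tls12,
                        checkCertificateRevocation: false);
                    Console.WriteLine("Handshake OK: {0}, cipher {1}",
                        sslStream.SslProtocol, sslStream.CipherAlgorithm);

                    // Everything from here on travels inside the TLS channel.
                    var writer = new StreamWriter(sslStream) { AutoFlush = true };
                    var reader = new StreamReader(sslStream);
                    writer.Write("220 myhost test server ready\r\n");
                    string line;
                    while ((line = reader.ReadLine()) != null)
                    {
                        Console.WriteLine("C: " + line);
                        if (line.StartsWith("QUIT", StringComparison.OrdinalIgnoreCase))
                        {
                            writer.Write("221 Bye\r\n");
                            break;
                        }
                        writer.Write("250 OK\r\n");
                    }
                }
                catch (AuthenticationException ex)
                {
                    // Typical causes: client rejected the untrusted test root, or no common protocol.
                    Console.WriteLine("Handshake failed: " + ex.Message);
                }
            }
        }
    }
}
```

Run it on the machine where the two makecert commands were executed (the store lookup needs administrator rights for the LocalMachine store); a client that does not trust “Igor Cert Authority” will abort the handshake, which shows up here as the AuthenticationException branch rather than as a silent plaintext fallback.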

To test the server, I used Outlook Express (in most cases it is installed by default on every machine). Don’t forget to tell Outlook Express that the communication should be secure (note the check box in the Outgoing SMTP mail section).

After the configuration is complete, have fun sending e-mails. The server will process all the outgoing traffic over the encrypted channel.

You can download the source of the NULL SMTP Server from my site here.

Tune in for the upcoming set of articles that will show you a lot of new and cool stuff.

Posted in C#, Software | 2 Comments »

Visual Studio 2008 and .NET 3.5 Released

Posted by Igor Moochnick on 11/21/2007

I don’t want to announce the obvious, but just point you to a great blog to check for the news. Go to Scott Gu’s blog for the latest news about Visual Studio and .NET features.

Posted in C#, Software | Leave a Comment »

Microsoft is ready to ship Visual Studio 9 (Orcas) by the end of this year.

Posted by Igor Moochnick on 11/14/2007

Great news!!! Microsoft is ready to ship Visual Studio 9 (Orcas) by the end of this year:

· The product team at Microsoft is putting the finishing touches on Visual Studio 2008 and .NET FX 3.5 as we speak now. We are on track to shipping these products before the end of November 2007. We will have the marketing launch for these along with Windows Server 2008 and SQL Server 2008 at the end of February.

For more announcements check Somasegar’s WebLog.

Posted in Software | Leave a Comment »

Part 1 – Securing Client Stream with SSL

Posted by Igor Moochnick on 11/11/2007

Most communications outside your home network are secured and encrypted. The most popular kind of secured communication today is SSL. In most cases the end user is not even required to do any configuration.

Let’s assume we have a server that requires all incoming connections to be secured with SSL. The following post shows an example of how this can be accomplished.

I’ll show you the implementation by securing the POP3 communication while retrieving e-mails from the Gmail POP3 servers with the POP3 tunneling client. This client was introduced by Bart De Smet in this series of posts:
Pop3 Tunneling

Note that authentication of the client is optional. This allows us to use SSL only for channel encryption, without any client authentication and authorization. This is why HTTPS (HTTP over SSL) is so widely popular: end users are not required to issue and configure their own certificates, and the server-side issued certificates are used to encrypt the traffic.

// The following method is invoked by the RemoteCertificateValidationDelegate.
private bool ValidateServerCertificate(
    object sender,
    X509Certificate certificate,
    X509Chain chain,
    SslPolicyErrors sslPolicyErrors)
{
    if (sslPolicyErrors == SslPolicyErrors.None)
        return true;

    Console.WriteLine("Certificate error: {0}", sslPolicyErrors);

    // Do not allow this client to communicate with unauthenticated servers.
    return false;
}

SslStream sslStream = new SslStream(client.GetStream(), false,
    new RemoteCertificateValidationCallback(ValidateServerCertificate), null);
sslStream.AuthenticateAsClient(server);
stream = sslStream;
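The callback above rejects anything the operating system does not already trust, which includes a certificate issued by the “Igor Cert Authority” test root from Part 2 unless that root has been installed as a trusted root. The following is an added example, not Bart De Smet’s Pop3Client or the Pop3ClientSecured download: a validation callback that trusts exactly that one test root, read from the “Igor Cert Authority.cer” file makecert wrote, while still rejecting host-name mismatches and every other chain problem (expiry, bad signature, wrong key usage). It avoids the common shortcut of returning true for every certificate, which keeps the encryption but throws away the server authentication, so anyone in the path could present their own certificate. The file path and the Connect helper are assumptions for the example.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;

// Added example: accept the Part 2 test CA and nothing else that the OS does not already trust.
static class PinnedTestRootClient
{
    // Assumed path: the root certificate file written by "makecert ... -r" in Part 2.
    const string TrustedTestRootFile = @"Igor Cert Authority.cer";

    public static bool ValidateServerCertificate(
        object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Certificates the operating system already trusts pass unchanged.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // A certificate for the wrong host is never acceptable, whoever issued it.
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
        {
            Console.WriteLine("Rejected: certificate subject does not match the host name");
            return false;
        }
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
            return false;

        // What remains is RemoteCertificateChainErrors. Rebuild the chain with our test root
        // offered as an extra issuer, allowing only the "unknown CA" condition; any other
        // defect (expired, bad signature, wrong usage) still makes Build() fail.
        var trustedRoot = new X509Certificate2(TrustedTestRootFile);
        var testChain = new X509Chain();
        testChain.ChainPolicy.ExtraStore.Add(trustedRoot);
        testChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // makecert certs carry no CRL
        testChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

        if (!testChain.Build(new X509Certificate2(certificate)))
        {
            foreach (X509ChainStatus status in testChain.ChainStatus)
                Console.WriteLine("Chain error: {0} {1}", status.Status, status.StatusInformation);
            return false;
        }

        // The chain built, but it must end at our root, not at some other self-signed certificate
        // (for example a self-signed "myhost" made by somebody else): compare thumbprints.
        X509Certificate2 chainRoot = testChain.ChainElements[testChain.ChainElements.Count - 1].Certificate;
        bool pinned = string.Equals(chainRoot.Thumbprint, trustedRoot.Thumbprint, StringComparison.OrdinalIgnoreCase);
        Console.WriteLine(pinned
            ? "Accepted: chain ends at the test root " + trustedRoot.Subject
            : "Rejected: chain ends at unexpected root " + chainRoot.Subject);
        return pinned;
    }

    // Assumed helper: open a TCP connection and wrap it the same way the post does.
    public static SslStream Connect(string host, int port)
    {
        var client = new TcpClient(host, port);
        var sslStream = new SslStream(client.GetStream(), false,
            new RemoteCertificateValidationCallback(ValidateServerCertificate), null);
        // The host name passed here is what RemoteCertificateNameMismatch is checked against,
        // so it must match the CN the server certificate was issued for.
        sslStream.AuthenticateAsClient(host);
        return sslStream;
    }
}
```

Used against the Part 2 server, Connect("myhost", 2525) succeeds only while the presented certificate chains to the root in the .cer file and carries the host name you connect with; keep this kind of override limited to development builds, since a production client should rely on the machine’s trusted root store instead of a file shipped with the application.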

The modified Pop3Client (Pop3ClientSecured) code can be downloaded here. The package includes a test application as well, so you’re welcome to try it against your Gmail account (if you have one, or any other POP3 account).

Posted in C#, Software, WCF | Leave a Comment »

Announcement! WCF and WF post series

Posted by Igor Moochnick on 11/11/2007

Recently I’ve been doing some very interesting research and, as a result, I’ve built a very interesting piece of technology. Since, at this moment, I can’t reveal it to the general public due to my obligations to my employer, I can only talk about it in general terms. This is leading me to publish a series of posts that will allow us to build, step by step, a very interesting and powerful application.

Stay tuned …

Posted in Thoughts, WCF, Workflows | Leave a Comment »