IgorShare Thoughts and Ideas


Part 2 – Securing Server with SSL

Posted by Igor Moochnick on 11/21/2007

It’s not a walk in the park to work with certificates. There is a lot more to them than meets the eye, but I’ll try to walk you through this nightmare step by step in the following set of posts. But first, I’ll show you how to jump-start your development and encrypt your traffic with some hand-made, self-issued certificates.

There are a lot of ways to self-issue a test certificate, but I’m going to share the EASIEST one, which I use myself. Follow these simple steps, one by one, to create a test certificate:

  1. Create a root certificate:

    makecert -pe -n "CN=Igor Cert Authority" -ss my -sr LocalMachine -a sha1 -sky signature -r "Igor Cert Authority.cer"

    (-pe marks the private key as exportable; -ss my and -sr LocalMachine put the certificate into the Local Computer Personal store; -a sha1 selects the signature algorithm; -sky signature makes the key a signing key; -r makes the certificate self-signed; the last argument is the file the certificate is written to.)

    If you run the MMC console with the Certificates snap-in (Computer Account / Local Computer) and navigate to the Certificates/Personal/Certificates node, you will see that the “Igor Cert Authority” certificate is already installed.

  2. Create a certificate for the encryption purposes:

    makecert -pe -n "CN=myhost" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Igor Cert Authority" -is my -ir LocalMachine myhost.cer

    (-sky exchange makes the key usable for key exchange; -eku 1.3.6.1.5.5.7.3.1 adds the Server Authentication enhanced key usage; -in, -is and -ir name the issuing certificate from step 1 and the store and location it lives in; myhost.cer is the output file.)

    Note: it is best to use your machine’s DNS name in all the places where I’ve used “myhost”.

    If you refresh the MMC console with the Certificates snap-in, you’ll see that the new “myhost” certificate has been installed as well.

The result of the exercise above is the “myhost.cer” file that you can now use to encrypt your communication.

For the sake of this demonstration, let’s use the NULL SMTP server I’ve put together. This server will receive all the incoming SMTP requests and will process them as if it’s a real SMTP server. The server will encrypt the incoming communication with the certificate that was created in the steps above.

  1. Create a certificate object from the CERT file (the snippets below use the System.Net, System.Net.Security, System.Net.Sockets, System.Security.Authentication and System.Security.Cryptography.X509Certificates namespaces):

    using System.Net;
    using System.Net.Security;
    using System.Net.Sockets;
    using System.Security.Authentication;
    using System.Security.Cryptography.X509Certificates;

    X509Certificate serverCertificate = X509Certificate.CreateFromCertFile("myhost.cer");

  2. As soon as the new client connection is established – encrypt the stream with this certificate:

    TcpListener listener = new TcpListener(IPAddress.Loopback, port);
    ...
    TcpClient client = listener.AcceptTcpClient();
    ...

    // Create the SslStream using the client's network stream.
    // The second argument (false) closes the inner stream together with the SslStream.
    SslStream sslStream = new SslStream(client.GetStream(), false);

    // Authenticate the server but don't require the client to authenticate.
    // Arguments: server certificate, clientCertificateRequired, enabled protocols, checkCertificateRevocation.
    sslStream.AuthenticateAsServer(serverCertificate, false, SslProtocols.Tls, false);
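The following C# program is an added example and is not code from the original post or from the NULL SMTP Server download. It ties the two halves of the post together: it loads the “myhost” certificate from the LocalMachine Personal store where the makecert commands put it (the .cer file alone carries only the public half), checks that the certificate has a private key and the Server Authentication EKU from step 2, runs a one-shot SslStream server on the loopback interface, and then connects to it with a client whose certificate callback pins the expected test certificate instead of returning true for everything. The store location, the “myhost” name, the use of TLS 1.2 (.NET Framework 4.5 or later) and the EHLO sample line are assumptions of this example.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading;

// Added example, not code from the post. Assumes the two makecert commands
// have been run, so LocalMachine\My holds "myhost" with an exportable
// private key, and that this process is allowed to read that key.
class SslLoopbackDemo
{
    // Load the certificate together with its private key from the store
    // makecert wrote to (-ss my -sr LocalMachine).
    static X509Certificate2 LoadFromLocalMachineStore(string subjectCn)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindBySubjectName, subjectCn, false);
            if (found.Count == 0)
                throw new InvalidOperationException("No certificate with CN=" + subjectCn);
            return found[0];
        }
    }

    // Check what makecert produced: a private key and the Server Authentication
    // EKU (1.3.6.1.5.5.7.3.1) that the -eku switch in step 2 requested.
    static bool IsUsableServerCert(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey) return false;
        foreach (X509Extension ext in cert.Extensions)
        {
            var eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                if (oid.Value == "1.3.6.1.5.5.7.3.1") return true;
        }
        return false;
    }

    // Client-side validation for a self-issued certificate. Windows reports
    // RemoteCertificateChainErrors because the test root is not trusted; accept
    // that one condition only when the presented certificate is exactly the
    // pinned one. A name mismatch or a missing certificate is still rejected.
    static bool IsPinnedTestCert(X509Certificate presented, SslPolicyErrors errors,
                                 X509Certificate2 pinned)
    {
        if (presented == null) return false;
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
            return false;
        return string.Equals(new X509Certificate2(presented).Thumbprint, pinned.Thumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Server side: the same pattern as the post, answering one SMTP-style line.
    static void ServeOneClient(TcpListener listener, X509Certificate2 serverCert)
    {
        using (TcpClient client = listener.AcceptTcpClient())
        using (var ssl = new SslStream(client.GetStream(), false))
        {
            // server cert, no client cert required, TLS 1.2, no revocation check
            ssl.AuthenticateAsServer(serverCert, false, SslProtocols.Tls12, false);
            var reader = new StreamReader(ssl);
            var writer = new StreamWriter(ssl) { AutoFlush = true };
            string line = reader.ReadLine();
            writer.Write("250 OK " + line + "\r\n");
        }
    }

    // Client side: connect over loopback, verify the pinned certificate,
    // send one command and return the server's reply.
    static string SendOverTls(int port, string targetHost, X509Certificate2 pinned, string command)
    {
        using (var client = new TcpClient())
        {
            client.Connect(IPAddress.Loopback, port);
            using (var ssl = new SslStream(client.GetStream(), false,
                       (sender, cert, chain, errors) => IsPinnedTestCert(cert, errors, pinned)))
            {
                ssl.AuthenticateAsClient(targetHost); // host name is checked against the CN
                var writer = new StreamWriter(ssl) { AutoFlush = true };
                var reader = new StreamReader(ssl);
                writer.Write(command + "\r\n");
                return reader.ReadLine();
            }
        }
    }

    static void Main()
    {
        X509Certificate2 serverCert = LoadFromLocalMachineStore("myhost");
        if (!IsUsableServerCert(serverCert))
            throw new InvalidOperationException("Need a private key and the server-auth EKU");

        var listener = new TcpListener(IPAddress.Loopback, 0); // port 0 = any free port
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;
        var serverThread = new Thread(() => ServeOneClient(listener, serverCert));
        serverThread.Start();

        // Constructed sample command; the reply is "250 OK EHLO client.test".
        Console.WriteLine(SendOverTls(port, "myhost", serverCert, "EHLO client.test"));
        serverThread.Join();
        listener.Stop();
    }
}
```

Compile it with csc and run it from an elevated prompt (or grant your account read access to the key), because a private key in the Local Computer store is readable only by Administrators and SYSTEM by default. If you followed the note in step 2 and used your machine’s DNS name instead of “myhost”, change both the store lookup and the targetHost argument to that name, otherwise the name check in AuthenticateAsClient fails. The pinning callback is what keeps a test setup from becoming a habit of accepting any certificate: it tolerates exactly one known condition (the untrusted test root) for exactly one known certificate.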

In order to test the server, I’ve used Outlook Express (in most cases it is installed by default on every machine). Don’t forget to tell Outlook Express that the communication should be secure (note the check box in the Outgoing SMTP mail section).

After the configuration is complete – have fun sending e-mails. The server will process all the outgoing traffic over the encrypted channel.

You can download the source of the NULL SMTP Server from my site here.

Tune in for the upcoming set of articles, which will show you a lot of new and cool stuff.


2 Responses to “Part 2 – Securing Server with SSL”

  1. Igor said

    There is pretty nice blog post about the self-issued certificates from John Howard – http://blogs.technet.com/jhoward/archive/2005/02/02/365323.aspx

  2. […] show you how to use the workflows, I’ve translated the SMTP state machine, shown in my previous post. You can see the workflow on the picture […]
