affordableCebu
Home » Questions » Computers [ Ask a new question ]

How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS

How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS

"Most recent edits in bold
I am using the .net HttpListener class, but I won't be running this application on IIS and am not using ASP.net. This web site describes what code to actually use to implement SSL with asp.net and this site describes how to set up the certificates (although I'm not sure if it works only for IIS or not).

The class documentation describes various types of authentication (basic, digest, Windows, etc.) --- none of them refer to SSL. It does say that if HTTPS is used, you will need to set a server certificate. Is this going to be a one line property setting and HttpListener figures out the rest?

In short, I need to know how to set up the certificates and how to modify the code to implement SSL.

Although it doesn't occur when I'm trying to access HTTPS, I did notice an error in my System Event log - the source is ""Schannel"" and the content of the message is:

A fatal error occurred when attempting
to access the SSL server credential
private key. The error code returned
from the cryptographic module is
0x80090016.

Edit:
Steps taken so far

Created a working HTTPListener in C# that works for HTTP connections (e.g. ""http://localhost:8089/foldername/""
Created a certificate using makecert.exe
Added the certificate to be trusted using certmgr.exe
Used Httpcfg.exe to listen for SSL connections on a test port (e.g. 8090)
Added port 8080 to the HTTPListener via listener.Prefixes.Add(https://localhost:8090/foldername/"");
tested an HTTP client connection, e.g. (http://localhost:8089/foldername/"") in a browser and receive correct return
tested an HTTPS client connection, e.g. (http://localhost:8090/foldername/"") in a browser and receive ""Data Transfer Interrupted"" (in Firefox)
debugging in visual studio shows that the listener callback that receives the requests never gets hit when the HTTPS connection starts - I don't see any place that I could set a breakpoint to catch anything else earlier.
netstat shows that listening ports are open for both HTTPS and HTTP. the HTTPS port does go to TIME_WAIT after a connection is attempted.
Fiddler and HTTPAnalyzer don't catch any of the traffic, I guess it doesn't get far enough in the process to show up in those HTTP analysis tools

Questions

What could the problem be?
Is there a piece of .Net code I am missing (meaning I have to do more in C# other than simply add a prefix to the listener that points to HTTPS, which is what i have done)
Have a missed a configuration step somewhere?
What else might I do to analyze the problem?
Is the error message in the System Event log a sign of the problem? If so how would it be fixed?"

Asked by: Guest | Views: 351
Total answers/comments: 3
Guest [Entry]

"You just have to bind a certificate to an ip:port and then open your listener with an https:// prefix. 0.0.0.0 applies to all ip's. appid is any random GUID, and certhash is the hash of the certificate (sometimes called a thumprint).
Run the following with cmd.exe using administrator privileges.
netsh http add sslcert ipport=0.0.0.0:1234 certhash=613bb67c4acaab06def391680505bae2ced4053b appid={86476d42-f4f3-48f5-9367-ff60f2ed2cdc}

If you want to create a self-signed certificate to test this,

Open IIS

Click on your computer name

Click Server Certificates icon

Click generate Self-Signed certificate

Double click and go to details

You will see the thumbprint there, just remove the spaces.
HttpListener listener = new HttpListener();
listener.Prefixes.Add(""https://+:1234/"");
listener.Start();
Console.WriteLine(""Listening..."");
HttpListenerContext context = listener.GetContext();

using (Stream stream = context.Response.OutputStream)
using (StreamWriter writer = new StreamWriter(stream))
writer.Write(""hello, https world"");

Console.ReadLine();

After running this program I just navigated to https://localhost:1234 to see the text printed. Since the certificate CN does not match the url and it is not in the Trusted Certificate store you will get a Certificate Warning. The text is encrypted however as you can verify with a tool like Wire Shark.
If you want more control over creating a self-signed x509 certificate openssl is a great tool and there is a port for windows. I've had a lot more success with it than the makecert tool.

It's also very important that to if you are communicating with an https service from code that has an ssl warning, you must setup the certificate validator on the service point manager to bypass it for testing purposes.
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, errors) => true;"
Guest [Entry]

I don't have it entirely implemented yet, but this web site seems to give a good walkthrough of setting up the certificates and the code.
Guest [Entry]

"Here is an alternative way to bind the SSL certifiate to the IP/PORT combination without using httpcfg.exe (XP) or netsh.exe (Vista+).

http://dotnetcodebox.blogspot.com.au/2012/01/how-to-work-with-ssl-certificate.html

The gist of it is that you can use a C++ HttpSetServiceConfiguration API in-built into windows to do it programatically rather than via the command line, hence removing dependency on the OS and having httpcfg installed."