How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS

Question

Most recent edits in bold I am using the .net HttpListener class, but I won\'t be running this application on IIS and am not using ASP.net. Th

Answer 1

I have a similar problem, and it seems that there could be a problem with certificate itself.

Here's the path that worked for me:

makecert.exe -r -a sha1 -n CN=localhost -sky exchange -pe -b 01/01/2000 -e 01/01/2050 -ss my -sr localmachine

then look up certificate thumbprint, copy it to the clipboard and remove spaces. This will be a parameter after -h in the next command:

HttpCfg.exe set ssl -i 0.0.0.0:801 -h 35c65fd4853f49552471d2226e03dd10b7a11755

then run a service host on https://localhost:801/ and it works perfectly.

what I cannot make work is for https to run on self-generated certificate. Here's the code I run to generate one (error handling taken out for clarity):

LPCTSTR pszX500 = subject;
DWORD cbEncoded = 0;
CertStrToName(X509_ASN_ENCODING, pszX500, CERT_X500_NAME_STR, NULL, pbEncoded, &cbEncoded, NULL);
pbEncoded = (BYTE *)malloc(cbEncoded);
CertStrToName(X509_ASN_ENCODING, pszX500, CERT_X500_NAME_STR, NULL, pbEncoded, &cbEncoded, NULL);

// Prepare certificate Subject for self-signed certificate
CERT_NAME_BLOB SubjectIssuerBlob;
memset(&SubjectIssuerBlob, 0, sizeof(SubjectIssuerBlob));
SubjectIssuerBlob.cbData = cbEncoded;
SubjectIssuerBlob.pbData = pbEncoded;

// Prepare key provider structure for self-signed certificate
CRYPT_KEY_PROV_INFO KeyProvInfo;
memset(&KeyProvInfo, 0, sizeof(KeyProvInfo));
KeyProvInfo.pwszContainerName = _T("my-container");
KeyProvInfo.pwszProvName = NULL;
KeyProvInfo.dwProvType = PROV_RSA_FULL;
KeyProvInfo.dwFlags = CRYPT_MACHINE_KEYSET;
KeyProvInfo.cProvParam = 0;
KeyProvInfo.rgProvParam = NULL;
KeyProvInfo.dwKeySpec = AT_SIGNATURE;

// Prepare algorithm structure for self-signed certificate
CRYPT_ALGORITHM_IDENTIFIER SignatureAlgorithm;
memset(&SignatureAlgorithm, 0, sizeof(SignatureAlgorithm));
SignatureAlgorithm.pszObjId = szOID_RSA_SHA1RSA;

// Prepare Expiration date for self-signed certificate
SYSTEMTIME EndTime;
GetSystemTime(&EndTime);
EndTime.wYear += 5;

// Create self-signed certificate
pCertContext = CertCreateSelfSignCertificate(NULL, &SubjectIssuerBlob, 0, &KeyProvInfo, &SignatureAlgorithm, 0, &EndTime, 0);
hStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_LOCAL_MACHINE, L"MY");
CertAddCertificateContextToStore(hStore, pCertContext, CERT_STORE_ADD_REPLACE_EXISTING, 0);

Certificate shows fine and it has a working private key, but https will timeout as if thumbprint was never registered. If anyone knows why - plz comment

EDIT1: After some playing around, I have found the initialization for CertCreateSelfSignCertificate which generates proper certificate:

CRYPT_KEY_PROV_INFO KeyProvInfo;
memset(&KeyProvInfo, 0, sizeof(KeyProvInfo));
KeyProvInfo.pwszContainerName = _T("my-container");
KeyProvInfo.pwszProvName = _T("Microsoft RSA SChannel Cryptographic Provider");
KeyProvInfo.dwProvType = PROV_RSA_SCHANNEL;
KeyProvInfo.dwFlags = CRYPT_MACHINE_KEYSET;
KeyProvInfo.cProvParam = 0;
KeyProvInfo.rgProvParam = NULL;
KeyProvInfo.dwKeySpec = AT_KEYEXCHANGE;

Answer 2

You just have to bind a certificate to an ip:port and then open your listener with an https:// prefix. 0.0.0.0 applies to all ip's. appid is any random GUID, and certhash is the hash of the certificate (sometimes called a thumprint).

Run the following with cmd.exe using administrator privileges.

netsh http add sslcert ipport=0.0.0.0:1234 certhash=613bb67c4acaab06def391680505bae2ced4053b  appid={86476d42-f4f3-48f5-9367-ff60f2ed2cdc}

If you want to create a self-signed certificate to test this,

1. Open IIS

2. Click on your computer name

3. Click Server Certificates icon

4. Click generate Self-Signed certificate

5. Double click and go to details

6. You will see the thumbprint there, just remove the spaces.

    HttpListener listener = new HttpListener();
    listener.Prefixes.Add("https://+:1234/");
    listener.Start();
    Console.WriteLine("Listening...");
    HttpListenerContext context = listener.GetContext();
   
    using (Stream stream = context.Response.OutputStream)
    using (StreamWriter writer = new StreamWriter(stream))
        writer.Write("hello, https world");
   
    Console.ReadLine();
   

After running this program I just navigated to https://localhost:1234 to see the text printed. Since the certificate CN does not match the url and it is not in the Trusted Certificate store you will get a Certificate Warning. The text is encrypted however as you can verify with a tool like Wire Shark.

If you want more control over creating a self-signed x509 certificate openssl is a great tool and there is a port for windows. I've had a lot more success with it than the makecert tool.

---

It's also very important that to if you are communicating with an https service from code that has an ssl warning, you must setup the certificate validator on the service point manager to bypass it for testing purposes.

ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, errors) => true;

Answer 3

I've encountered the same issue as you. Fortunately after googling hard steps on this page make SSL working with my HttpListener.

Answer 4

The class documentation

has this note:

If you create an HttpListener using https, you must select a Server Certificate for that listener. Otherwise, an HttpWebRequest query of this HttpListener will fail with an unexpected close of the connection.

and this:

You can configure Server Certificates and other listener options by using HttpCfg.exe. See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/http/http/httpcfg_exe.asp for more details. The executable is shipped with Windows Server 2003, or can be built from source code available in the Platform SDK.

Is the first note explained by the second? As outlined in the question, I used httpcfg.exe to bind the certificate to a specific port. If they intend something other than this, the note is ambiguous.

Answer 5

Here is an alternative way to bind the SSL certifiate to the IP/PORT combination without using httpcfg.exe (XP) or netsh.exe (Vista+).

http://dotnetcodebox.blogspot.com.au/2012/01/how-to-work-with-ssl-certificate.html

The gist of it is that you can use a C++ HttpSetServiceConfiguration API in-built into windows to do it programatically rather than via the command line, hence removing dependency on the OS and having httpcfg installed.

Answer 6

I don't have it entirely implemented yet, but this web site seems to give a good walkthrough of setting up the certificates and the code.