WCF Questions - In Depth - C#
-
Hi, Scenario: Windows forms application is the client talking to a WCF service exchanging sensitive data in both directions 1. Transport Security • SSL using server certificate with Anonymous client authentication - is encryption of message optional? o What ensures that the message is definitely encrypted? o Symmetric key is negotiated for message encryption, but what controls the strength of this key 128-bit / 256-bit etc.? • If an additional layer of custom encryption/decryption logic is implemented along with SSL, specifically for message security, are there any drawbacks? 2. Message Security • When message security is enabled over HTTP (no SSL) and a server certificate is provided in the configurations, how is the message encrypted/decrypted - with what key and how is the key exchanged? • When message security is enabled over HTTPS (with SSL certificate) is the encryption/decryption happening twice? o Is it possible to configure an Anonymous client (no client certificate/authentication) in this scenario? o Is it possible to configure different certificates for SSL negotiation and for message encryption/decryption? o What key used for message encryption - same as SSL negotiated key or new key based on the provided certificate? 3. SSL Server Certificate Validation by client • By default, client validates the certificate during initial handshake - what all information of the certificate, exactly are validated and what are not validated? This validation is done by whom – .NET framework on the client or the OS itself? o How different is this validation, from X509Certificate2.Verify() method call on the certificate, if done explicitly? • In client code, if the callback to ServicePointManager.ServerCertificateValidationCallback delegate is registered, does this method get called before or after the automatic validation of server certificate? Thanks in advance for your help.