
I'm actually trying to expose some methods of an ASP.NET MVC specific controller, in order to secure sensitive calls.

The entire website doesn't have to be protected by a specific SSL certificate, but some requests are.

Here is my code (as simple as it is) to get "Data". As you can see, I first check the SSL certificate, then the process continues if the SSL certificate is correct:

public string GetData()
{
    try
    {
        // Populated by IIS only when the client presented a certificate during the TLS handshake
        var certificate = Request.ClientCertificate;

        if (certificate == null || string.IsNullOrEmpty(certificate.Subject))
        {
            // certificate may not be here
            throw new Exception("ERR_00_NO_SSL_CERTIFICATE");
        }

        if (!certificate.IsValid || !IsMyCertificateOK(certificate))
        {
            // certificate is not valid
            throw new Exception("ERR_01_WRONG_SSL_CERTIFICATE");
        }

        // Actions here ...
        return string.Empty; // placeholder: return the real data here
    }
    catch (Exception)
    {
        Response.StatusCode = 400;
        Response.StatusDescription = "Bad Request";
        return null; // every path must return, since the method is declared as string
    }
}

Here is my IIS configuration:

SSL Configuration in IIS

SSL Certificate is set to "Accept"; thus I hoped I could get the client certificate in the Request.ClientCertificate property, but that is never the case: I never get the certificate set in my client.

Here is my client code (copied from generated Postman C# code):

using System;
using System.Security.Cryptography.X509Certificates;
using RestSharp;

string PFX_PATH = @"C:\Test\test.pfx"; // set here path of the PFX file
string PFX_PASSWORD = "password"; // set here password of the PFX file

var client = new RestClient("https://mywebsite.com/GetData?input=test");
client.Timeout = -1; // no timeout

// Certificate (with its private key) that RestSharp presents during the TLS handshake
client.ClientCertificates = new X509CertificateCollection()
{
    new X509Certificate(PFX_PATH, PFX_PASSWORD, X509KeyStorageFlags.Exportable)
};

var request = new RestRequest(Method.GET);
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);

The PFX file has a private key, and is accessible from client side.

Am I missing something regarding the IIS configuration, or should I update my web.config somehow?

Thordax
  • instead of using restclient if you use MS httpclient, this article may help you to complete the task https://stackoverflow.com/questions/40014047/add-client-certificate-to-net-core-httpclient – coder_b Dec 08 '20 at 22:09
  • using IIS, go to Server Certificates-> Import. Use the PFX file and password. – ian Jan 18 '21 at 05:33
  • Requests to `mywebsite.com` go directly to your IIS or is there something between the client and IIS? – Matteo Umili Jan 18 '21 at 14:24
  • Thanks @coder_b, the problem is the same, as I'm using Postman, cURL or openssl s_client command line, so I guess the error is server side. @ian, I already added the certificate, but it doesn't change anything. @Matteo there may be a proxy between the client and the server so the problem may be between server and client. – Thordax Jan 18 '21 at 14:36
  • from the source code GetData(), please say exactly which statement returns false or bad value, it's unclear whether your validation fails or it's just not there – Roman Polunin Jan 22 '21 at 06:28
  • Also, do NOT import the PFX on the server side. Server is not supposed to have client's private key. – Roman Polunin Jan 22 '21 at 06:28
  • Also, check this: https://stackoverflow.com/questions/39528973/force-httpwebrequest-to-send-client-certificate – Roman Polunin Jan 22 '21 at 06:30
  • 1. Show us your IIS bindings – Kristóf Tóth Jan 22 '21 at 11:26
  • 2. Is the request hitting the endpoint? – Kristóf Tóth Jan 22 '21 at 11:27
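As an added example (not the asker's code), this is the kind of server-side check that the question's `IsMyCertificateOK` stands in for once IIS does hand the certificate to the controller: with SSL Settings on "Accept" the TLS handshake succeeds even when no certificate is sent, so the action itself must reject missing, untrusted or non-allow-listed certificates. The controller name, the thumbprint allow-list and its placeholder value are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Web.Mvc;

public class DataController : Controller
{
    // Hypothetical allow-list of client certificate thumbprints (SHA-1 hex, no spaces).
    // The value below is a placeholder, not a real thumbprint.
    private static readonly string[] AllowedThumbprints =
    {
        "0000000000000000000000000000000000000000"
    };

    public ActionResult GetData()
    {
        var raw = Request.ClientCertificate;
        if (raw == null || !raw.IsPresent)
        {
            // "Accept" mode lets the handshake finish without a certificate, so refuse here.
            // Note: if a proxy terminates TLS in front of IIS, the certificate never reaches this point.
            return new HttpStatusCodeResult(403, "Client certificate required");
        }

        // Re-parse the DER bytes so the full X509Certificate2 API (chain, thumbprint) is available.
        var cert = new X509Certificate2(raw.Certificate);

        if (!IsTrustedClientCertificate(cert))
            return new HttpStatusCodeResult(403, "Client certificate not accepted");

        return Content("data for " + cert.Subject);
    }

    internal static bool IsTrustedClientCertificate(X509Certificate2 cert)
    {
        // 1. The chain must build to a trusted root, with revocation checked online.
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            // Require the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2"));
            if (!chain.Build(cert)) return false;
        }

        // 2. Pin to an explicit allow-list instead of trusting every certificate the CA issued.
        return AllowedThumbprints.Contains(cert.Thumbprint, StringComparer.OrdinalIgnoreCase);
    }
}
```

Checking only `certificate.Subject`, as the question's code does, is not sufficient on its own, because any CA-issued certificate can carry an arbitrary subject; the chain and thumbprint checks above are what bind the request to a specific client.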
