tags:

views:

413

answers:

5
+3  Q: 

Securing an ASP.NET Web Service using SSL, without dedicated IP address on the Server

I need to secure communication between my application and my Web Service. I own both the application and the Web Service, and I was wondering if it is possible to use HTTPS to do so.

I don't need a certificate to prove to myself who I really am (!), so I don't want to buy an SSL certificate from a Certificate Authority. I just need to make sure no one can intercept the data I pass as WebMethod parameters; Can I create a free certificate and use that to secure communication?

One other thing: I don't want to be forced to get a dedicated, public IP address for my Web Service since it is hosted on a shared Web server.

A: 

There are many articles out there showing how to create and install a self signed certificate in IIS. What you need to remember is that this certificate will not be valid as it is not delivered by a certificate authority. Once you set a certificate on the server side you need to indicate to the client to accept the invalid certificate by using the ServerCertificateValidationCallback property:

ServicePointManager.ServerCertificateValidationCallback = 
    (sender, certificate, chain, sslPolicyErrors) => true;
Darin Dimitrov  2010-02-21 15:39:39
But it still does secure the connection, yes? What about the public IP thing?
TheAgent  2010-02-21 15:42:46
A: 

You can't use a SSL certificate (self signed or otherwise) without a dedicated IP address. Unless your shared hosting provider provides a shared SSL certificate on your IP, you will need to purchase a dedicated IP.

Robert  2010-02-21 17:17:27
IP has nothing to do with SSL. SSL is secured through domain name. As long as the TTL on the DNS is kept short to prevent DNS caching of old IPs, there's no reason a non-dedicated IP can't be used for SSL.
Joel Etherton  2010-02-21 17:24:33
The SSL protocol is currently flawed and only allows you to use one certificate per IP address (see http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html.en#vhosts) If you are using a shared IP address, you will mostly likely not be able to install an SSL certificate to it because a web host won't let you.So, yes, it is technically possible to use SSL with a non-dedicated IP but it is unlikely on a shared IP.
Robert  2010-02-22 15:36:52
A: 

If you want to go through the trouble of doing it, you can use a self-signed certificate and have a tertiary server (or use the IIS server that is self-signing) to be your own certificate authority. This would allow you to generate your own certificate for free, then since you have control over the servers, you could just add your CA server as a trusted and intermediary root certificate authority.

Creating Certificate Authorities and self-signed SSL certificates

Joel Etherton  2010-02-21 17:27:14
+1  A: 

Definitely it's doable, but hinges on a few conditions.

  • Create your own self signed certificate. The lack of a certificate authority won't matter in your case because your app is your own consumer.
  • The host must allow you to configure your IIS site with an SSL cert. Hopefully the tools they provide are good enough.
  • The shared IP that your web site has currently cannot have more than one certificate bound to it. You're now at the mercy of your host to not move your site to a different IP. It may or may not have an SSL cert on another site at that time. Basically - the first one wins. An IP cannot have more than one cert-secured website.
p.campbell  2010-02-22 03:48:54
A: 

i need to find public ip address using .net

surya  2010-05-04 08:41:46

related questions

Displaying Version Information in a Web Service
Example Web Service
SoapException: Root element is missing occurs when .NET web service called from Flex
Best practice for webservices
What is your preferred method of sending complex data over a web service?
.Net - Returning DataTables in WCF
Is it possible to return objects from a WebService?
How much extra overhead is generated when sending a file over a web service as a byte array?
Returning Large Results Via a Webservice
File Uploads via Web Services
best way to persist data in .NET Web Service
What is the difference between an endpoint, a service, and a port when working with webservices?
Calling REST web services from a classic asp page
Best way to write a RESTful service "client" in .Net?
Where can I find some good WS-Security introductions and tutorials?
ASP.NET Web Service Results, Proxy Classes and Type Conversion
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
Document or RPC based web services
How to easily consume a web service from PHP
Timer-based event triggers
How to pass enumerated values to a web service
Homegrown consumption of web services
How do I print an HTML document from a web service?
How do I fill a DataSet or a DataTable from a LINQ query resultset ?