How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS

Question

Most recent edits in bold I am using the .net HttpListener class, but I'm won't be running on IIS and am not using ASP.net. This web site describes what code to actual use to implement SSL with asp.net and this site describes how to set up the certificates (although I'm not sure if it works only for IIS or not).

When I the class documentation, it describes various types of authentication (basic, digest, Windows, etc.) - none of them refer to SSL. It does say that if HTTPS is used, you will need to set a server certificate. Is this going to be a one line property setting and HttpListener figures out the rest?

In short, I need to know how to set up the certificates and how to modify the code to implement ssl.

Although it doesn't occur when I'm trying to access HTTPS, I did notice an error in my System Event log - the source is "Schannel" and the content of the message is:

A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x80090016.

Edit:
Steps taken so far

• Created a working HTTPListener in C# that works for HTTP connections (e.g. "http://localhost:8089/foldername/"
• Created a certificate using makecert.exe
• Added the certificate to be trusted using certmgr.exe
• Used Httpcfg.exe to listen for SSL connections on a test port (e.g. 8090)
• Added port 8080 to the HTTPListener via listener.Prefixes.Add(https://localhost:8090/foldername/");
• tested an HTTP client connection, e.g. (http://localhost:8089/foldername/") in a browser and receive correct return
• tested an HTTPS client connection, e.g. (http://localhost:8090/foldername/") in a browser and receive "Data Transfer Interrupted" (in Firefox)
• debugging in visual studio shows that the listener callback that receives the requests never gets hit when the HTTPS connection starts - I don't see any place that I could set a breakpoint to catch anything else earlier.
• netstat shows that listening ports are open for both HTTPS and HTTP. the HTTPS port does go to TIME_WAIT after a connection is attempted.
• Fiddler and HTTPAnalyzer don't catch any of the traffic, I guess it doesn't get far enough in the process to show up in those HTTP analysis tools

Questions

• What could the problem be?
• Is there a piece of .Net code I am missing (meaning I have to do more in C# other than simply add a prefix to the listener that points to HTTPS, which is what i have done)
• Have a missed a configuration step somewhere?
• What else might I do to analyze the problem?
• Is the error message in the System Event log a sign of the problem? If so how would it be fixed?

Answer 1

I don't have it entirely implemented yet, but this web site seems to give a good walkthrough of setting up the certificates and the code.

Answer 2

This post describes the same problem I'm having. A couple of solutions were offered, but there was not follow up. I'll check into that.

Answer 3

The class documentation

has this note:

If you create an HttpListener using https, you must select a Server Certificate for that listener. Otherwise, an HttpWebRequest query of this HttpListener will fail with an unexpected close of the connection.

and this:

You can configure Server Certificates and other listener options by using HttpCfg.exe. See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/http/http/httpcfg_exe.asp for more details. The executable is shipped with Windows Server 2003, or can be built from source code available in the Platform SDK.

Is the first note explained by the second? As outlined in the question, I used httpcfg.exe to bind the certificate to a specific port. If they intend something other than this, the note is ambiguous.

Answer 4

Is this question not receiving attention because...

1. it's not precise enough
2. not detailed enough
3. it's about an obscure, niche area
4. it's hard
5. or something else?

If it's 1, 2, or 5, let me know so I can correct it. Otherwise, I was thinking - it's not a bad thing for this to hang around, however if it's simply a niche or obscure problem - there should be a way to keep it in the queue. We the "unanswered questions" query, which is good - but what happens if two months from now it's still unanswered? With that in mind, I proposed a feature request that the oldest of unanswered questions have a special incentive attached to them for correct answers. If it sounds good to you, vote on uservoice.

Answer 5

I've encountered the same issue as you. Fortunately after googling hard steps on this page http://answers.google.com/answers/threadview?id=735306 make SSL working with my HttpListener.

Answer 6

I have a similar problem, and it seems that there could be a problem with certificate itself.

Here's the path that worked for me:

makecert.exe -r -a sha1 -n CN=localhost -sky exchange -pe -b 01/01/2000 -e 01/01/2050 -ss my -sr localmachine

then look up certificate thumbprint, copy it to the clipboard and remove spaces. This will be a parameter after -h in the next command:

HttpCfg.exe set ssl -i 0.0.0.0:801 -h 35c65fd4853f49552471d2226e03dd10b7a11755

then run a service host on https://localhost:801/ and it works perfectly.

what I cannot make work is for https to run on self-generated certificate. Here's the code I run to generate one (error handling taken out for clarity):

 LPCTSTR pszX500 = subject;
 DWORD cbEncoded = 0;
 CertStrToName(X509_ASN_ENCODING, pszX500, CERT_X500_NAME_STR, NULL, pbEncoded, &cbEncoded, NULL);
 pbEncoded = (BYTE *)malloc(cbEncoded);
 CertStrToName(X509_ASN_ENCODING, pszX500, CERT_X500_NAME_STR, NULL, pbEncoded, &cbEncoded, NULL);

 // Prepare certificate Subject for self-signed certificate
 CERT_NAME_BLOB SubjectIssuerBlob;
 memset(&SubjectIssuerBlob, 0, sizeof(SubjectIssuerBlob));
 SubjectIssuerBlob.cbData = cbEncoded;
 SubjectIssuerBlob.pbData = pbEncoded;

 // Prepare key provider structure for self-signed certificate
 CRYPT_KEY_PROV_INFO KeyProvInfo;
 memset(&KeyProvInfo, 0, sizeof(KeyProvInfo));
 KeyProvInfo.pwszContainerName = _T("my-container");
 KeyProvInfo.pwszProvName = NULL;
 KeyProvInfo.dwProvType = PROV_RSA_FULL;
 KeyProvInfo.dwFlags = CRYPT_MACHINE_KEYSET;
 KeyProvInfo.cProvParam = 0;
 KeyProvInfo.rgProvParam = NULL;
 KeyProvInfo.dwKeySpec = AT_SIGNATURE;

 // Prepare algorithm structure for self-signed certificate
 CRYPT_ALGORITHM_IDENTIFIER SignatureAlgorithm;
 memset(&SignatureAlgorithm, 0, sizeof(SignatureAlgorithm));
 SignatureAlgorithm.pszObjId = szOID_RSA_SHA1RSA;

 // Prepare Expiration date for self-signed certificate
 SYSTEMTIME EndTime;
 GetSystemTime(&EndTime);
 EndTime.wYear += 5;

 // Create self-signed certificate
 pCertContext = CertCreateSelfSignCertificate(NULL, &SubjectIssuerBlob, 0, &KeyProvInfo, &SignatureAlgorithm, 0, &EndTime, 0);
 hStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_LOCAL_MACHINE, L"MY");
 CertAddCertificateContextToStore(hStore, pCertContext, CERT_STORE_ADD_REPLACE_EXISTING, 0);

Certificate shows fine and it has a working private key, but https will timeout as if thumbprint was never registered. If anyone knows why - plz comment

EDIT1: After some playing around, I have found the initialization for CertCreateSelfSignCertificate which generates proper certificate:

 CRYPT_KEY_PROV_INFO KeyProvInfo;
 memset(&KeyProvInfo, 0, sizeof(KeyProvInfo));
 KeyProvInfo.pwszContainerName = _T("my-container");
 KeyProvInfo.pwszProvName = _T("Microsoft RSA SChannel Cryptographic Provider");
 KeyProvInfo.dwProvType = PROV_RSA_SCHANNEL;
 KeyProvInfo.dwFlags = CRYPT_MACHINE_KEYSET;
 KeyProvInfo.cProvParam = 0;
 KeyProvInfo.rgProvParam = NULL;
 KeyProvInfo.dwKeySpec = AT_KEYEXCHANGE;