We have an upcoming project to allow an old platform that's only extensible with C++ / VS 2003 to call a SOAP-based web service that uses WS-Security.
My Google research indicates that gSOAP could be the best way to go.
I'm looking for validation and/or alternative suggestions.
I've been using gSoap with the wsse plugin for WS-Security using signatures on both the client and server side for both Windows and Linux. It took some doing, but it works well. It is extremely fast too.
It will require you to link OpenSSL with your project. I actually found a bug in the wsse plugin a few releases back that involved direct calls to OpenSSL for signature generation and validation. All of the bugs involved leaking OpenSSL structures. (The fixes were accepted into the source tree and are part of the current release.)
Overall, it really wasn't that difficult to get going. I used SoapUI (http://www.soapui.org/) to troubleshoot the signature generation when trying to validate if I was doing something wrong or the remote end was having issues.
If you're doing server side WS-Security under Apache2, you'll have to stick with the mod_gsoap 0.6 that comes with gSoap. I had to modify it a bit because it won't deal with WS-Security by default.
I believe, but didn't do a lot of investigation, that someone broke mod_gsoap 0.7 that is the current release available at SourceForge. It took me a while to figure out that 0.7 was segfaulting apache2, so maybe this will save you some pain.