I have an SSL-enabled Web service service (using OpenSSL). I would like to know the minimal I need to write a simple VB.NET client to access this HTTPS-based service. I have signed the Web service with a trusted root certificate, which I have installed on my .NET client. If I simply change the URL to use https://...., I get an Unknown Web Service exception. What do I need to do differently in my simple VB.NET client? There are a lot of little things that can go wrong, especially when you are setting up a system using heterogeneous security protocols, as in your case .NET and OpenSSL. I would advise walking before running with respect to working with SSL. There are a significant number of variables to consider. For example: The problem with jumping into OpenSSL is that it permits you to vary all these and more options. Determining which ones are acceptable to your client takes a little digging. Another problem is that the SSL protocol runs before your code is run and thus is difficult to debug. I would recommend that you take a step back and get your code running using the sample code that comes with Microsoft's WSE, which is downloadable from the Microsoft site. Take a look at the document, "Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication," which can be downloaded from Microsoft's MSDN Web site. This will give you step-by-step instructions for setting up an SSL connection. I would also advise using Visual Studio .NET 2003, if you are not already using it. Once you get the sample running and then modified to use your code, move on to introducing OpenSSL. I'm not sure whether you are using OpenSSL to just create your certificates and using .NET to handle the SSL or whether you have incorporated OpenSSL as the secure sockets layer in your service. If the former, your job will be easier as most of the compatible issues have been worked out. If the latter then you have to solve the incompatibles, a much harder job. Make sure that you are checking for errors in the client for certificate that is sent from the service, for example: You can also turn off the validation of the certificate by setting UseAuthentication = False. This will assure you that you are receiving the certificate but that validation is failing, bringing us back to tracing down any incompatibilities. Of course, when the system is in use validation must be turned on and working. Another big caveat, the WSE is an sdk and as such is not yet validated for production code.
- The client and server must support compatible encryption algorithms.
- The root certificate must be known and supported by the peer application.
- The location of the root certificate or chain must be known by the client and service.
- If sending the certificate chain, the type of container, e.g. PKCS7, for the certificate chain must be understood by both sides.
- If Not x.trustedRoot
- If Not x.validate
- If Not x.validName