Sunday, November 11, 2007

Part 1 - Securing Client Stream with SSL


Most communication that leaves your home network is secured and encrypted, and the most popular form of secured communication today is SSL. In most cases the end user does not even have to configure anything.

Let's assume we have a server that requires all incoming connections to be secured with SSL. The following post shows an example of how this can be accomplished.

I'll show you the implementation by securing the POP3 communication while retrieving e-mails from the Gmail POP3 servers with the POP3 tunneling client. This client was introduced by Bart De Smet in this series of posts:
Pop3 Tunneling

Note that authentication of the client is optional. This allows us to use SSL only for channel encryption, without any client authentication or authorization. This is why HTTPS (HTTP over SSL) is so widely popular: end users are not required to issue and configure their own certificates, and the certificate issued to the server is used to encrypt the traffic.

    // Namespaces the snippet depends on (not shown in the original listing).
    using System;
    using System.Net.Security;
    using System.Net.Sockets;
    using System.Security.Cryptography.X509Certificates;

    // The following method is invoked through the RemoteCertificateValidationCallback delegate
    // once the server has presented its certificate during the SSL handshake.
    private bool ValidateServerCertificate(
        object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        // No policy errors: the chain is trusted and the name matches the host we connected to.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        Console.WriteLine("Certificate error: {0}", sslPolicyErrors);

        // Do not allow this client to communicate with unauthenticated servers.
        return false;
    }

    // 'client' is the TcpClient already connected to the POP3 server, 'server' is its host name
    // (compared against the certificate's subject), and 'stream' is the Stream the Pop3Client
    // reads from and writes to. Wrapping it in SslStream leaves the rest of the client unchanged.
    SslStream sslStream = new SslStream(client.GetStream(), false,
        new RemoteCertificateValidationCallback(ValidateServerCertificate), null);
    sslStream.AuthenticateAsClient(server); // throws AuthenticationException if validation fails
    stream = sslStream;
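To show the whole path end to end, here is an added, self-contained C# example that is not part of the original post or of Bart De Smet's Pop3 tunneling code. It opens a TCP connection, wraps it in SslStream with the same strict validation callback (extended to log the individual chain failures so a misconfigured server can be told apart from an interposed one), and then runs a minimal POP3 exchange over the encrypted stream. The host name, port 995 (the standard POP3-over-SSL port) and the credentials are placeholders you would replace with your own; the helper names SecurePop3Probe, Run and Expect are my own.

```csharp
// Added example; not code from the original post. Assumes .NET Framework 2.0+ or .NET Core.
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public class SecurePop3Probe
{
    // Strict server-certificate validation: accept only a certificate whose chain builds to
    // a trusted root and whose name matches the host we dialled. Each failure reason is logged
    // so an operator can distinguish an expired or misnamed certificate from a real attack.
    private static bool ValidateServerCertificate(object sender,
        X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        Console.WriteLine("Certificate error: {0}", sslPolicyErrors);
        if (certificate != null)
            Console.WriteLine("  Subject: {0}", certificate.Subject);
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0 && chain != null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.WriteLine("  Chain: {0} - {1}", status.Status, status.StatusInformation);
        }
        // Never "return true" here to silence a warning: that disables the only check that
        // distinguishes the real server from one that merely has a certificate of its own.
        return false;
    }

    // Opens a TCP connection, wraps it in SslStream, authenticates the server,
    // and runs a minimal POP3 session (greeting, USER, PASS, STAT, QUIT).
    public static void Run(string host, int port, string user, string password)
    {
        using (TcpClient client = new TcpClient(host, port))
        using (SslStream ssl = new SslStream(client.GetStream(), false,
            new RemoteCertificateValidationCallback(ValidateServerCertificate), null))
        {
            // Throws AuthenticationException when the callback above returns false.
            ssl.AuthenticateAsClient(host);
            Console.WriteLine("Negotiated {0}, cipher {1} ({2} bits)",
                ssl.SslProtocol, ssl.CipherAlgorithm, ssl.CipherStrength);

            StreamReader reader = new StreamReader(ssl, Encoding.ASCII);
            StreamWriter writer = new StreamWriter(ssl, Encoding.ASCII);
            writer.NewLine = "\r\n";   // POP3 lines are CRLF-terminated
            writer.AutoFlush = true;

            Expect(reader.ReadLine());          // +OK greeting from the server
            writer.WriteLine("USER " + user);
            Expect(reader.ReadLine());
            writer.WriteLine("PASS " + password);
            Expect(reader.ReadLine());
            writer.WriteLine("STAT");
            Console.WriteLine("STAT -> " + Expect(reader.ReadLine()));
            writer.WriteLine("QUIT");
            reader.ReadLine();
        }
    }

    // POP3 replies start with "+OK" or "-ERR"; anything else is a protocol error.
    private static string Expect(string line)
    {
        if (line == null || !line.StartsWith("+OK"))
            throw new IOException("POP3 error: " + (line ?? "<connection closed>"));
        return line;
    }

    public static void Main(string[] args)
    {
        // Placeholder credentials; pop.gmail.com:995 is Gmail's POP3-over-SSL endpoint.
        try
        {
            Run("pop.gmail.com", 995, "user@example.com", "app-password");
        }
        catch (AuthenticationException ex)
        {
            Console.WriteLine("SSL handshake rejected: " + ex.Message);
        }
    }
}
```

Because the validation callback returns false for anything other than SslPolicyErrors.None, a failed check surfaces as an AuthenticationException from AuthenticateAsClient before a single POP3 byte (including the password) is sent, which is exactly the behaviour the snippet in the post is designed to give you.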


The modified Pop3Client (Pop3ClientSecured) code can be downloaded here. The package includes a test application as well, so you're welcome to try it against your Gmail account (if you have one) or any other POP3 account.
