Consuming a WCF Service with Monotouch via SSL (https) + basicHttpBinding - iphone

I'm currently writing a iphone app which will consume WCF services over a secure connection (SSL/https). I have managed to consume this service while testing locally via http.
Now we want to make sure the service is secure, so we've set up a UAT server with a properly signed certificate to run our tests.
We are using a custom binding, coupled with security mode TransportWithMessageCredentials which requires a username/password in the ClientCredentials property.
Generated the proxy using SISvcUtil.exe
When I try to call this secure service from the iPhone, I get a rather lovely generic error of:
Exception in async operation: System.Net.WebException: There was an error on processing web request: Status code 500(internal server error)
(Here is a pastebin of full exception ).
I've tried implicitly accepting the certificate using:
ServicePointManager.ServerCertificateValidationCallBack = (sender, cert, chain, ssl) => true;
but this just returns the same 500 error.
The same code works great on a windows machine but not on the iphone. Has anyone else come across this problem and/or know of a solution to it?

This could be a bug in monotouch, it may not have full implementation of generated proxy using SISvcUtil.exe, did you try generating a mac app and test it on mac?
Does monotouch have any documented example with support on WCF proxy? If they dont have then probably it may not work, monotouch does not provide a .NET runtime, instead it actually compiles everything to native ios binary. So if WCF proxy is not correctly transformed, it will not work.

So it would seem that at the time of writing, Monotouch doesn't support WCF very well (it currently has a barebones implementation).
Due to this, and the need for decent security around our webservice, we've decided to go down a different route; validating the user via username+password over a secure, encrypted SSL connection everytime the web service is called. We use Silverlight 3.0 SiSUtil.exe to generate the bindings for the webservice rather than include it as a web reference in the project.

Generally when getting Internal Server errors I've found the cause to be a problem with the HTTP headers being sent in the request. I don't really use WCF on MonoTouch so I'm not sure about the implementation.

Related

Trace HTTPS Web API calls from iPhone App

I am working with an iPhone application which interacts with a Web API. Since the endpoints are HTTPS, the data which communicates in-between the device and the Web API are suppose to be encrypted.
I am in need of finding every End-Points and the Data which communicates (Headers, Body Content) for each business scenario & for negative testing-flows.
Since the data which transmits are encrypted, I was unable to trace from the Fiddler which I tried while referring so several on-line tutorials.
(The reason why I am in need is because of I have got assigned to make a API Automation tool to simulate all the testing scenarios (happy-path, negative test-cases, etc))
Is there any better approach I can take to trace these API calls?
OR, is there a tool which I can try to trace these Web API calls which sends and receives from the iPhone?
TIA
Managed to get the Certificates for the HTTPS endpoints and added to the Certificate Manager (in a windows pc). Afterwards configured the proxy ports with fiddler echo service from the mobile device and was able to trace the HTTPs calls.
With the help of installing the certificates the HTTPS, intercepting the HTTPS is possible.

Local WSDL vs downloaded remotely from server?

I was recently working quite a lot on SOAP web services and one question bothers me in that context. What would be better?
A. Get the WSDL and store it locally on client side and then only make calls to the service
if server keeps backward compatibility the client will still work with the old WSDL even when server side provided new version (of service and WSDL).
you are not able to get endpoint URL from WSDL so if service endpoint location has changed (but WSDL not) you need to reconfigure the client.
no additional call to the server
B. Use WSDL location as remote resource (HTTP) and download WSDL each time client instance is created?
What are some pros and cons?
Which is better depends on your setup and your needs but personally I would prefer having the WSDL locally, inside the client for these reasons:
no extra call to the server to get the WSDL (as you mentioned);
if server keeps backward compatibility the local WSDL will still be OK to use (as you mentioned);
if the service WSDL changes in an incompatible way and your client suddenly starts to fail you still have the old WSDL locally and you can compare it with the new one to see what's different.
The following point is usually not an issue:
you are not able to get endpoint URL from WSDL so if service endpoint location has changed (but WSDL not) you need to reconfigure the client.
The endpoint URL in the WSDL is not always correct and even if it was, you normally have the WSDL accessible at the same URL as the service by just sticking a ?wsdl parameter after it so if the location changes you won't find the service but you wont find the WSDL either. The service endpoint URL needs to be configurable in your client anyways.

Is there any setting in IIS/machine.config that could prevent my application from making REST requests?

I'm facing a funny issue here.
I got a C# Webforms application running on IIS6. When the user clicks on a certain link, my app makes a REST call to a webservice hosted in the cloud. This call, made by the app running on IIS, fails. We get a WebException, with the message "no response from server".
However, if I try to connect to the same web service, from the same machine, with the same credentials, using SoapUI, the call succeeds. So I guess this means that I can rule out firewall issues, credential issues, and availability of the service.
The code has been tested on numerous other machines (dev, test, staging...), and it worked successfully, so the code itself should not be an issue. I think it's an environmental issue (a setting on web.config or machine.config which prevents outgoing requests).
Any idea as to what that could be?
Thanks!
The reason our REST calls were failing was that we were missing an SSL certificate.
We were trying to make the REST call using HTTPS. The REST service provider's SSL certificate was signed by a well-known CA. However, our server apparently had a hardened build, and the CA's certificate was missing from the certificate repository. Hence, the provider's SSL certificate was considered unsafe.
Sadly, the .Net framework exception had no useful information about this.
We installed the CA's certificate and the issue was fixed.

HTTPS requests sent with ASIHTTPRequest return a NULL response

I am developing an iPad application and using the ASIHTTPRequest library (https://github.com/pokeb/asi-http-request) to make requests to my web server, which runs CentOS 6.2 and is equipped with Apache 2.2 and mod_ssl enabled.
When I make an HTTPS request to the server, sometimes I get a null response. Absolutely nothing. As if the server were completely dead. Sometimes it works just fine, returning the expected response. There is no rhyme or reason to when the response is null and when it's fine.
The server uses a dummy security certificate
I am setting validatesSecurityCertificate to NO
I am setting SSLVerifyClient to none in httpd.conf
Note, HTTPS requests sent through a web browser work fine (after you tell it to proceed without a security certificate). But, all HTTPS requests sent through HTTP Client: ((Zero-length response returned from the server.))
The trick to using ASIHTTPRequest well is that you dont use it. Its deprecated by its author allseeing-i.com/ASIHTTPRequest . I suggest using AFNetworking, RESTKit or even NSURLConnection.
As it is we have no code of yours to see, but when experiencing random issues with a library that hasn't been worked on in years I would say to start by using a different library.

ignoring Https SSL exception on iphone

I have a self signed SSL certificate serving out my test enviroment. I would like to do some testing connecting to the service from my iphone however, the SSL exception is causing an error.
Is there a way to ignore the SSL exception on the iPhone?
Edit:
I should have added a bit more detail, the answers below will work hoever if i can get it to work inside NSXMLParser that would be even better.
If you're only testing, you can use the private setAllowsAnyHTTPSCertificate:forHost: method on NSURLRequest. Otherwise, I'd recommend using the ASIHTTPRequest library which provides a great high-level API to the CFNetwork APIs, including the ability to use self-signed certificates. The method you're looking for is setValidatesSecureCertificate:.