HTTPS Listener

S Abijith 346 Reputation points
2024-01-19T10:31:42.5666667+00:00

Hi All, we have an HTTPS server application written in C# with .NET Framework 4.7. The application uses the HttpListener class to listen for incoming HTTPS requests.

In order to make the HTTPS server work, we bind the certificate thumbprint in a batch file using the command below:

netsh http add sslcert ipport=0.0.0.0:8443 certhash=16ac59e3ca7918e9cbcaa8463fc940f695c5d1e6 appid={42436dd1-f1d5-4885-9165-5c6fea1df0d4}

We observed the below scenarios while testing:

1) With a valid HTTPS server certificate installed, the server works as expected.

2) Without the certificate, we don't have a thumbprint and hence the HTTPS server application does not work.

3) After launching the server application, if we delete the certificate, the server is still working as expected even though the certificate doesn't exist. All file transfers work as expected.

We have a few questions under scenario 3:

1) What is the reason for the behavior observed in scenario 3?

2) Which certificate will be provided during the exchange even though the certificate doesn't exist?

3) Is a dummy certificate created by default that is then provided during the certificate exchange?

Please let us know about this.

Any help is appreciated!

Thank you in advance.


Accepted answer
  1. Pinaki Ghatak 2,795 Reputation points Microsoft Employee
    2024-02-01T12:14:31.44+00:00

    Hello @S Abijith, yes, it is mandatory to bind a server certificate (either self-signed or CA-signed) for an HTTPS server application to function as an HTTPS server. This is because HTTPS (HTTP Secure) is an extension of the HTTP protocol for secure communication over a computer network, and it is widely used on the Internet.

    In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL.

    The principal motivation for HTTPS is to prevent wiretapping and man-in-the-middle attacks. The binding of a server certificate is necessary because it’s the way a server identifies itself to the client. The certificate doesn’t need to be valid, i.e., the certificate doesn’t have to be issued and signed by a CA that the browser trusts by default. However, if the certificate is not valid, the user will be warned about the insecure connection and will have to manually accept the risk and proceed.

    As for your second question, there is no standard way for an HTTPS server application to run as an HTTPS server without using any server certificate. This is because the SSL/TLS protocol, which provides the security in HTTPS, requires a certificate for mutual authentication between the client and the server. Therefore, it is generally recommended to always use a server certificate when running an HTTPS server.

    Also please read here: https://video2.skills-academy.com/en-us/system-center/scom/configure-https-binding-windows-server-ca?view=sc-om-2022. I hope this answers your question.


1 additional answer

  1. Pinaki Ghatak 2,795 Reputation points Microsoft Employee
    2024-01-19T10:49:47.22+00:00

    Hello @S Abijith Based on the information you provided, it seems that the server is still working as expected even after the certificate is deleted because the server caches the certificate in memory. This means that the server will continue to use the cached certificate until it is restarted or the cache is cleared. As for your second question, the server will continue to provide the cached certificate during the exchange even though the certificate no longer exists in the certificate store. Regarding your third question, there is no dummy certificate created by default. The server will continue to use the cached certificate until it is restarted, or the cache is cleared.

    I hope this answers your question.
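The setup described in the question (an HttpListener on port 8443 behind a netsh sslcert binding) and the behaviour explained in the first answer (HTTP.sys keeps serving a certificate that has since been deleted from the store) can be combined into a small self-check. The following is an added example, not code from the question, the answers or Microsoft; it assumes .NET Framework 4.7, that the `netsh http add sslcert` binding for 0.0.0.0:8443 has already been created, and it uses a placeholder thumbprint constant (`BoundThumbprint`) that must be replaced with the thumbprint actually bound. HttpListener itself never reads the certificate store, so the check below is the application's own: it confirms the bound thumbprint is present in LocalMachine\My at startup, then polls the store and stops the listener if the certificate disappears, so scenario 3 is detected instead of silently continuing.

```csharp
// Added example (not from the thread): HttpListener HTTPS server with a certificate
// store watchdog. Assumes the netsh sslcert binding for port 8443 already exists.
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading;

static class CertWatchdogServer
{
    // Placeholder (constructed) thumbprint: replace with the thumbprint passed to
    // "netsh http add sslcert ... certhash=...".
    const string BoundThumbprint = "0000000000000000000000000000000000000000";
    const string Prefix = "https://+:8443/";

    // True when a certificate with this thumbprint exists in LocalMachine\My.
    // validOnly:false because the question is existence, not validity: an expired
    // or untrusted certificate that is still in the store counts as present.
    static bool CertificateExistsInStore(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            return matches.Count > 0;
        }
    }

    static void Main()
    {
        // Scenario 2 from the question: no certificate, no thumbprint, no server.
        if (!CertificateExistsInStore(BoundThumbprint))
        {
            Console.Error.WriteLine("Bound certificate not found in LocalMachine\\My; refusing to start.");
            return;
        }

        var listener = new HttpListener();
        listener.Prefixes.Add(Prefix);
        listener.Start();
        Console.WriteLine("Listening on " + Prefix);

        // Scenario 3 from the question: HTTP.sys keeps using the certificate it loaded
        // at binding time even after the store entry is deleted. Poll the store so the
        // condition is logged and the listener is stopped rather than going unnoticed.
        var watchdog = new Timer(_ =>
        {
            if (listener.IsListening && !CertificateExistsInStore(BoundThumbprint))
            {
                Console.Error.WriteLine("Bound certificate no longer in the store; stopping listener.");
                listener.Stop();
            }
        }, null, TimeSpan.FromSeconds(30), TimeSpan.FromSeconds(30));

        while (listener.IsListening)
        {
            HttpListenerContext ctx;
            try
            {
                ctx = listener.GetContext();
            }
            catch (HttpListenerException)
            {
                break; // Stop() from the watchdog aborts the pending GetContext
            }
            catch (InvalidOperationException)
            {
                break; // listener already stopped
            }

            byte[] body = Encoding.UTF8.GetBytes("OK\n");
            ctx.Response.StatusCode = 200;
            ctx.Response.ContentType = "text/plain";
            ctx.Response.ContentLength64 = body.Length;
            ctx.Response.OutputStream.Write(body, 0, body.Length);
            ctx.Response.Close();
        }

        watchdog.Dispose();
        Console.WriteLine("Server stopped.");
    }
}
```

Stopping the listener does not remove the HTTP.sys binding; the sslcert entry persists until `netsh http delete sslcert ipport=0.0.0.0:8443` is run, which is also the step that makes HTTP.sys release the cached certificate. The 30-second poll interval is an arbitrary choice for the example.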