
Halibut: a secure communication stack for .NET/Mono

March 5, 2013

I recently wrote an article on CodeProject about Halibut, an open source, secure alternative to WCF. Halibut came about when I looked at what it would take to enable the Octopus Tentacle agent service to run under Mono.

As an automated deployment tool, Octopus needs to be able to push packages and configuration information to machines that might be on the local network or in the cloud. To do this securely, users of Octopus establish a two-way trust relationship.

In Octopus Deploy, we use X.509 certificates with WCF's wsHttpBinding stack. When the connection is established, each side verifies the thumbprint of the certificate presented by the other party. If the public key isn't what we expect, we reject the connection.
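The thumbprint check described above can be written as a certificate validation callback for `SslStream`. This is an added example, not code from Octopus or Halibut: the `ThumbprintPin` and `Demo` names are hypothetical, the certificates are constructed in memory, and it assumes a runtime that provides `CertificateRequest` (.NET Framework 4.7.2 or .NET Core 2.0 and later).

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not Halibut's API): accepts a peer only if its
// certificate thumbprint is in a list exchanged out of band.
public sealed class ThumbprintPin
{
    private readonly HashSet<string> trusted;

    public ThumbprintPin(IEnumerable<string> trustedThumbprints)
    {
        // Thumbprints are hex strings; compare without regard to case.
        trusted = new HashSet<string>(trustedThumbprints, StringComparer.OrdinalIgnoreCase);
    }

    // Same signature as RemoteCertificateValidationCallback. Chain errors are
    // ignored on purpose: self-signed certificates are trusted by thumbprint only.
    public bool Validate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (cert == null) return false;              // peer presented no certificate
        return trusted.Contains(cert.GetCertHashString());
    }
}

public static class Demo
{
    // Constructed sample certificate, generated in memory for the demonstration.
    static X509Certificate2 SelfSigned(string commonName)
    {
        using (var key = RSA.Create(2048))
        {
            var request = new CertificateRequest("CN=" + commonName, key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return request.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                            DateTimeOffset.UtcNow.AddDays(30));
        }
    }

    public static void Main()
    {
        var expected = SelfSigned("constructed-tentacle");
        var stranger = SelfSigned("constructed-stranger");
        var pin = new ThumbprintPin(new[] { expected.Thumbprint });
        var errors = SslPolicyErrors.RemoteCertificateChainErrors; // normal for self-signed

        Console.WriteLine("expected peer accepted: " + pin.Validate(null, expected, null, errors));
        Console.WriteLine("unknown peer accepted:  " + pin.Validate(null, stranger, null, errors));
        // Wiring on both sides: new SslStream(stream, false, pin.Validate).
        // The server must call AuthenticateAsServer with clientCertificateRequired: true.
    }
}
```

Each side holds its own pin list containing the other party's thumbprint, which is what makes the trust relationship two-way.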

In a future release, we'd love to add Mono support to Octopus, so that we can deploy packages to Linux and other Unix-like operating systems. But there's a problem: WCF's wsHttpBinding isn't supported on Mono.

Faced with this problem, we needed to come up with an alternative communication stack.

Running Tentacles on Mono would be great. Some things would need to be different, of course. For example, instead of invoking PowerShell scripts, we'd probably invoke shell scripts, passing Octopus variables as environment variables. But if we can replace WCF as the communication stack, we'd be well on the way.

Switching communication stacks is a little tricky, especially since Octopus will need to speak the old protocol to upgrade existing agents to the new protocol. I'm hoping we'll be able to do this transparently in a future release, probably around Octopus 2.0.

Tagged with: Architecture