radek.raszka
Guest
Hello,
We have a system which utilizes several WCF services hosted in a Windows service. These services include an OData service and a REST JSON service. So far the services were called using BasicHttpBinding or WebHttpBinding with no security. All worked well, nothing to complain about.
However, now we faced a requirement to publish all services over https. Not hard, the solution is as described here or here. What was strange, I wasn't able to bind the certificate using netsh, only httpcfg worked (OS is Windows 10 version 1703). After some elaboration I was able to run the server side and make all services run over https. However, I'm not able to consume them! When I'm initializing a connection to a service, I always get the error: Could not create SSL/TLS secure channel.
I was searching for a solution; mostly they mention something like this, but it doesn't help in any way. The problem is not in certificate validation - the callback for server certificate validation is never called, so the problem occurs before the certificate is known.
I did some tests with the JSON service - tried to call a simple method without parameters using the WebClient class or through a WCF service reference; the result is the same for both methods - works over http, fails with "Could not create SSL/TLS secure channel." over https.
What is interesting, I can access the OData service or JSON's metadata page (https://radovan:8001/ExternalConnector?wsdl) using a web browser (!). Internet Explorer works with no problem, Firefox complains about an invalid certificate. The message is:
The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure. The certificate is only valid for .
The certificate is a testing certificate created by makecert with a self-signed CA. I'm not sure whether this can be the core of the problem - when I add an exception, it works (however, I'm not able to add a service reference to this service over https - the well-known "Could not create SSL/TLS secure channel." error is raised). Based on what Firefox shows, TLS 1.2 is in use.
Can anyone advise where to search for the problem?
I also tried to log communication with the service using WebClient; the log is here:
System.Net Information: 0 : [21792] Current OS installation type is 'Client'.
System.Net Verbose: 0 : [21792] Entering WebClient#3741682::DownloadString(https://radovan:8001/ExternalConnector/GetServerTime#-953782673)
System.Net Verbose: 0 : [21792] Entering WebClient#3741682::DownloadData(https://radovan:8001/ExternalConnector/GetServerTime#-953782673)
System.Net Verbose: 0 : [21792] Entering WebRequest::Create(https://radovan:8001/ExternalConnector/GetServerTime)
System.Net Verbose: 0 : [21792] Entering HttpWebRequest#33675143::HttpWebRequest(https://radovan:8001/ExternalConnector/GetServerTime#-953782673)
System.Net Information: 0 : [21792] RAS supported: True
System.Net Verbose: 0 : [21792] Exiting HttpWebRequest#33675143::HttpWebRequest()
System.Net Verbose: 0 : [21792] Exiting WebRequest::Create() -> HttpWebRequest#33675143
System.Net Verbose: 0 : [21792] Entering HttpWebRequest#33675143::GetResponse()
System.Net Error: 0 : [21792] Can't retrieve proxy settings for Uri 'https://radovan:8001/ExternalConnector/GetServerTime'. Error code: 12180.
System.Net Verbose: 0 : [21792] Entering ServicePoint#43332040::ServicePoint(radovan:8001)
System.Net Information: 0 : [21792] Associating HttpWebRequest#33675143 with ServicePoint#43332040
System.Net Information: 0 : [21792] Associating Connection#54444047 with HttpWebRequest#33675143
System.Net Information: 0 : [21792] Connection#54444047 - Created connection from [::1]:60718 to [::1]:8001.
System.Net Information: 0 : [21792] TlsStream#20234383::.ctor(host=radovan, #certs=0, checkCertificateRevocationList=False, sslProtocols=Default, Tls11, Tls12)
System.Net Information: 0 : [21792] Associating HttpWebRequest#33675143 with ConnectStream#47891719
System.Net Information: 0 : [21792] HttpWebRequest#33675143 - Request: GET /ExternalConnector/GetServerTime HTTP/1.1
System.Net Information: 0 : [21792] ConnectStream#47891719 - Sending headers
{
Host: radovan:8001
Connection: Keep-Alive
}.
System.Net Information: 0 : [21792] SecureChannel#28372289::.ctor(hostname=radovan, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [21792] Enumerating security packages:
System.Net Information: 0 : [21792] Negotiate
System.Net Information: 0 : [21792] NegoExtender
System.Net Information: 0 : [21792] Kerberos
System.Net Information: 0 : [21792] NTLM
System.Net Information: 0 : [21792] TSSSP
System.Net Information: 0 : [21792] pku2u
System.Net Information: 0 : [21792] CloudAP
System.Net Information: 0 : [21792] WDigest
System.Net Information: 0 : [21792] Schannel
System.Net Information: 0 : [21792] Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [21792] Default TLS SSP
System.Net Information: 0 : [21792] CREDSSP
System.Net Information: 0 : [21792] SecureChannel#28372289 - Left with 0 client certificates to choose from.
System.Net Information: 0 : [21792] SecureChannel#28372289::.AcquireClientCredentials, new SecureCredential() (flags=(ValidateManual, NoDefaultCred, SendAuxRecord, UseStrongCrypto), m_ProtocolFlags=(Ssl3Client, Tls10Client, Tls11Client, Tls12Client), m_EncryptionPolicy=RequireEncryption)
System.Net Information: 0 : [21792] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Information: 0 : [21792] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = radovan, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [21792] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=163, returned code=ContinueNeeded).
System.Net Information: 0 : [21792] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 24528dc0b30:1bbff547260, targetName = radovan, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [21792] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=InvalidToken).
System.Net Error: 0 : [21792] Exception in HttpWebRequest#33675143:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [21792] Exception in HttpWebRequest#33675143::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Verbose: 0 : [21792] Entering HttpWebRequest#33675143::Abort()
System.Net Error: 0 : [21792] Exception in HttpWebRequest#33675143:: - The request was aborted: The request was canceled..
System.Net Verbose: 0 : [21792] Exiting HttpWebRequest#33675143::Abort()
Thanks in advance, Radovan
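A small triage helper for traces like the one in the post, as an added example that is not part of the original post: it extracts the offered protocol flags and the sequence of InitializeSecurityContext return codes from a System.Net trace and reports at which SSPI step the handshake stopped. The function name `summarize` and the treatment of `OK` as the success code are assumptions; the sample lines are copied from the trace above.

```python
import re

# Handshake-relevant lines copied from the System.Net trace in the post.
SAMPLE_TRACE = """\
System.Net Information: 0 : [21792] SecureChannel#28372289::.AcquireClientCredentials, new SecureCredential() (flags=(ValidateManual, NoDefaultCred, SendAuxRecord, UseStrongCrypto), m_ProtocolFlags=(Ssl3Client, Tls10Client, Tls11Client, Tls12Client), m_EncryptionPolicy=RequireEncryption)
System.Net Information: 0 : [21792] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=163, returned code=ContinueNeeded).
System.Net Information: 0 : [21792] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=InvalidToken).
System.Net Error: 0 : [21792] Exception in HttpWebRequest#33675143::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..
"""

PROTO_RE = re.compile(r"m_ProtocolFlags=\(([^)]*)\)")
# Matches only the result lines ("In-Buffer ..."), not the call lines ("credential = ...").
ISC_RE = re.compile(r"InitializeSecurityContext\(In-Buffers?[^)]*returned code=(\w+)\)")
ERR_RE = re.compile(r"System\.Net Error: .*? - (.+?)\.*$")

# Codes that mean the handshake is still progressing or finished.
# Assumption: "OK" is how the trace prints a completed handshake.
PROGRESS = {"ContinueNeeded", "CredentialsNeeded", "OK"}


def summarize(trace):
    """Summarize where in the TLS handshake a System.Net trace stopped."""
    offered, codes, errors = [], [], []
    for line in trace.splitlines():
        m = PROTO_RE.search(line)
        if m:
            offered = [p.strip() for p in m.group(1).split(",")]
        m = ISC_RE.search(line)
        if m:
            codes.append(m.group(1))
        m = ERR_RE.search(line)
        if m:
            errors.append(m.group(1))
    # 1-based index of the first SSPI call that returned a failure code.
    failed_step = next((i for i, c in enumerate(codes, 1) if c not in PROGRESS), None)
    return {
        "offered": offered,
        "isc_codes": codes,
        "failed_step": failed_step,
        # Certificate validation only runs once the handshake has completed.
        "reached_cert_validation": bool(codes) and codes[-1] == "OK",
        "errors": errors,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

On the trace from the post this reports a failure at the second InitializeSecurityContext call, that is, while processing the server's first reply, which matches the observation that the certificate validation callback is never invoked.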