Channel: Active questions tagged https - Stack Overflow

Webservice calling a SSL error with TLS handshake


I have a web service in .NET Framework 4.5 that calls an endpoint with SOAP 1.2 HTTP requests. It was working fine without the SSL protocol, but now I need to add the SSL protocol, i.e. make it https on a specific port. I could change the code to force TLS 1.2 and change whatever was necessary to https, and it works fine on my local machine and also on my remote server.

The problem is when I'm running this code on the client's server that has more security barriers like proxy, firewall and so on.

Before you tell me to search Google because many people have had this problem: I know, and I have tried everything I could find, but none of it works...

I'll replace some names for privacy and security reasons.

The port is not 443; I'm using it just to illustrate.

This is how I've set everything up:

App.config:

```xml
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="GetIdContosoBinding">
        <security mode="Transport">
          <transport clientCredentialType="None"></transport>
        </security>
      </binding>
      <binding name="GetByIdBinding">
        <security mode="Transport">
          <transport clientCredentialType="None"></transport>
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <client>
    <endpoint address="https://api.endpoint.com:443/web/Contoso/GetById"
              binding="basicHttpBinding" bindingConfiguration="GetIdContosoBinding"
              contract="DecodeContosoId.GetIdContoso" name="GetIdContoso"/>
    <endpoint address="https://api.endpoint.com:443/web/ContosoStatus/GetById"
              binding="basicHttpBinding" bindingConfiguration="GetByIdBinding"
              contract="GetOrderStatus.ContosoStatus" name="ContosoStatus"/>
  </client>
</system.serviceModel>
```

Service1.cs:

```csharp
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public void Start()
{
    // Register a process-wide server certificate validation callback
    ServicePointManager.ServerCertificateValidationCallback +=
        new RemoteCertificateValidationCallback(ValidateServerCertificate);
    // my logic here
}

// more logic

public static bool ValidateServerCertificate(object sender, X509Certificate certificate,
                                             X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    if (sslPolicyErrors == SslPolicyErrors.None)
    {
        Logger.Info(LogType.File, $"There are no SSL errors");
        return true;
    }
    Logger.Error(LogType.File, $"There is an error on SSL: " + sslPolicyErrors.ToString());
    return false;
}
```

The code where I make the Http call:

```csharp
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
Logger.Info(LogType.File, "Setting security protocol to {protocol}", ServicePointManager.SecurityProtocol.ToString());

var decoder = new ContosoClient();

// This is new, just trying something
decoder.ClientCredentials.ServiceCertificate.SslCertificateAuthentication = new X509ServiceCertificateAuthentication()
{
    CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust,
    TrustedStoreLocation = StoreLocation.LocalMachine
};

var contoso = decoder.getContosoById(new contosoInput
{
    LANG = "it",
    YEAR = 2024,
    ID = id
});

return tracking; // variable not shown in the posted snippet
```

The error is the following:

```
2024-05-23 12:57:21.8869 logFile Info Test.BusinessLogic.Contoso.ContosoHelper - GetContoso Setting security protocol to "Tls12"
2024-05-23 12:57:22.1629 logFile Error Test.BusinessLogic.Contoso.ContosoHelper - GetContoso System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority 'api.endpoint.com:443'. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Test.BusinessLogic.GetContosoStatus.Contoso_GetById.Contoso_id(Contoso_idRequest request)
   at Test.BusinessLogic.GetContosoStatus.Contoso_IdServicesClient.Test.BusinessLogic.GetContosoStatus.Contoso_IdServices.Contoso_id(Contoso_idRequest request)
   at Test.BusinessLogic.Contoso.ContosoHelper.GetContoso(Int64 id, String year)
```

This is the list of things I did trying to resolve the problem.

  1. The first thing I thought was that the web service might be trying to send an unsupported version of TLS, so I forced it to TLS 1.2 as shown in the code.
  2. Then, since that didn't work, I checked in regedit whether TLS 1.2 was enabled, as well as the ciphers and hashes. I checked using SSL Labs: [screenshot of the SSL Labs results]. Then in regedit I looked for those and found them all. I'm calling another endpoint from this same code that works well, by the way, and it has the same TLS version and cipher suites.
  3. I tried to add a custom callback for server certificate validation; first I tried to make it return true and bypass it, but then I noticed that it wasn't even logging the message in this callback. (I'm 100% sure the logging is working; in fact, on my local machine it does log the message in the validation callback.)
  4. Because it wasn't even getting as far as validating the certificate, I decided to install the root and intermediate certificates. I installed both and checked that they were properly installed, but nothing changed.
  5. Nothing was working, so I decided to upgrade from .NET Framework 4.5 to 4.7.2; nothing changed.
  6. I also tried to log more verbose info about what's happening with the network, and this is the result:
```
System.Net Information: 0 : [10116] Current OS installation type is 'Server'.
System.Net Verbose: 0 : [10116] Entering WebRequest::Create(https://api.endpoint.com:443/web/[cut path endpoint just for privacy])
System.Net Verbose: 0 : [10116] Entering HttpWebRequest#[requestId]::HttpWebRequest(https://api.endpoint.com:443/web/[cut path endpoint just for privacy]#[cut id value])
System.Net Information: 0 : [10116] RAS supported: True
System.Net Verbose: 0 : [10116] Exiting HttpWebRequest#[requestId]::HttpWebRequest()
System.Net Verbose: 0 : [10116] Exiting WebRequest::Create()    -> HttpWebRequest#[requestId]
System.Net Error: 0 : [10116] Can't retrieve proxy settings for Uri 'https://api.endpoint.com:443/web/[cut path endpoint just for privacy]'. Error code: 12180.
System.Net Verbose: 0 : [10116] Entering ServicePoint#51037211::ServicePoint(api.endpoint.com:443)
System.Net Information: 0 : [10116] Associating HttpWebRequest#[requestId] with ServicePoint#51037211
System.Net Verbose: 0 : [10116] Entering HttpWebRequest#[requestId]::GetRequestStream()
System.Net Information: 0 : [10116] Associating Connection#[conn id] with HttpWebRequest#[requestId]
System.Net Information: 0 : [10116] Connection#[conn id] - Created connection from [my server address] to [remote server address].
System.Net Information: 0 : [10116] TlsStream#[tlsstreamid]::.ctor(host=api.endpoint.com, #certs=0, checkCertificateRevocationList=False, sslProtocols=Tls12)
System.Net Information: 0 : [10116] Associating HttpWebRequest#[requestId] with ConnectStream#[streamid]
System.Net Verbose: 0 : [10116] Exiting HttpWebRequest#[requestId]::GetRequestStream()  -> ConnectStream#[streamid]
System.Net Verbose: 0 : [10116] Entering ConnectStream#[streamid]::Write()
System.Net Verbose: 0 : [10116] Data from ConnectStream#[streamid]::Write
System.Net Verbose: 0 : [10116] 00000000 : [CUT ENVELOPE DATA for privacy]
System.Net Verbose: 0 : [10116] Exiting ConnectStream#[streamid]::Write()
System.Net Verbose: 0 : [10116] Entering ConnectStream#[streamid]::Close()
System.Net Verbose: 0 : [10116] Exiting ConnectStream#[streamid]::Close()
System.Net Verbose: 0 : [10116] Entering HttpWebRequest#[requestId]::GetResponse()
System.Net Information: 0 : [10116] HttpWebRequest#[requestId] - Request: POST /web/[cut path endpoint just for privacy] HTTP/1.1
System.Net Information: 0 : [10116] ConnectStream#[streamid] - Sending headers
{
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://contoso.wsbeans.iseries/contosoIdServices/contosoidRequest"
Host: api.endpoint.com:443
Content-Length: 469
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
}.
System.Net Information: 0 : [10116] SecureChannel#48888762::.ctor(hostname=api.endpoint.com, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [10116] Enumerating security packages:
System.Net Information: 0 : [10116]     Negotiate
System.Net Information: 0 : [10116]     NegoExtender
System.Net Information: 0 : [10116]     Kerberos
System.Net Information: 0 : [10116]     NTLM
System.Net Information: 0 : [10116]     TSSSP
System.Net Information: 0 : [10116]     pku2u
System.Net Information: 0 : [10116]     WDigest
System.Net Information: 0 : [10116]     Schannel
System.Net Information: 0 : [10116]     Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [10116]     Default TLS SSP
System.Net Information: 0 : [10116]     CREDSSP
System.Net Information: 0 : [10116] SecureChannel#48888762 - Left with 0 client certificates to choose from.
System.Net Information: 0 : [10116] SecureChannel#48888762::.AcquireClientCredentials, new SecureCredential() (flags=(ValidateManual, NoDefaultCred, SendAuxRecord, UseStrongCrypto), m_ProtocolFlags=(Tls12Client), m_EncryptionPolicy=RequireEncryption)
System.Net Information: 0 : [10116] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [10116] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = api.endpoint.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [10116] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=164, returned code=ContinueNeeded).
System.Net Information: 0 : [10116] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 40f60c0:41a9628, targetName = api.endpoint.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [10116] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
System.Net Error: 0 : [10116] Exception in HttpWebRequest#[requestId]:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [10116] Exception in HttpWebRequest#[requestId]::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..
```

In the end, the same error that appears in my logs.

  7. When I try to send an openssl command like this:

```shell
openssl s_client -connect api.endpoint.com:443 -tls1_2
```

```
Connecting to [REDACTED]
CONNECTED(000001B0)
depth=2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
verify return:1
depth=1 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust TLS RSA CA G1
verify return:1
depth=0 C=IT, L=BOLOGNA, O=BRT S.P.A., CN=*.brt.it
verify return:1
---
Certificate chain
 0 s:C=IT, L=BOLOGNA, O=BRT S.P.A., CN=*.brt.it
   i:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust TLS RSA CA G1
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 26 00:00:00 2023 GMT; NotAfter: Jul 24 23:59:59 2024 GMT
 1 s:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust TLS RSA CA G1
   i:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov  2 12:23:37 2017 GMT; NotAfter: Nov  2 12:23:37 2027 GMT
 2 s:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
   i:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug  1 12:00:00 2013 GMT; NotAfter: Jan 15 12:00:00 2038 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[CERTIFICATE CONTENT REDACTED]
-----END CERTIFICATE-----
subject=C=IT, L=BOLOGNA, O=BRT S.P.A., CN=*.brt.it
issuer=C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust TLS RSA CA G1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4855 bytes and written 306 bytes
Verification error: self-signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: [REDACTED]
    Session-ID-ctx:
    Master-Key: [REDACTED]
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket: [REDACTED]
    Start Time: [REDACTED]
    Timeout   : 7200 (sec)
    Verify return code: 19 (self-signed certificate in certificate chain)
    Extended master secret: yes
---
```

Something is not working right...

  8. The weird thing is that if I send a simple GET with Insomnia, without a body, it works and returns a 200 OK code.

I probably tried more things, like the commented part in the code, but I really don't know what's happening. My client says that they have opened access to this endpoint and that the proxy is also open for the port and hostnames. If someone has an idea of what's happening, I would really appreciate it.
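An added diagnostic, not part of the question or the asker's code: a console program that performs, step by step and with the same Windows stack WCF's HTTPS transport uses, what the failing call does implicitly. It first reads the proxy this process resolves for the target via WebRequest.GetSystemWebProxy() (the same per-user configuration HttpWebRequest consults, which is where the trace above logs error 12180, WinHTTP's ERROR_WINHTTP_AUTODETECTION_FAILED, while retrieving proxy settings). If a proxy applies it opens the CONNECT tunnel by hand so the proxy's reply line is visible verbatim, then runs a TLS 1.2 handshake through SslStream (Schannel) with a validation callback that also dumps the X509Chain status. If the callback never fires, the handshake died before the certificate exchange and the problem is on the path, not in trust; if it fires with chain errors, it is a trust problem. The host and port are the question's placeholders, and it is assumed to be run on the client's server under the same account the Windows service runs as.

```csharp
// Added diagnostic (not from the question). Assumptions: host/port are the question's
// placeholders, and this runs on the client's server as the service's own account.
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class TlsProbe
{
    static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "api.endpoint.com"; // placeholder
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;        // placeholder
        var target = new Uri("https://" + host + ":" + port + "/");

        // 1. Which proxy does this process resolve for the target? Same source that
        //    HttpWebRequest/WCF consult. GetProxy() returns the target itself when none applies.
        IWebProxy systemProxy = WebRequest.GetSystemWebProxy();
        Uri proxy = systemProxy.IsBypassed(target) ? null : systemProxy.GetProxy(target);
        if (proxy != null && proxy == target) proxy = null;
        Console.WriteLine("Proxy for {0}: {1}", target, proxy == null ? "(direct)" : proxy.ToString());

        using (var tcp = new TcpClient())
        {
            Stream raw;
            if (proxy != null)
            {
                // 2. Tunnel through the proxy by hand so its status line is visible verbatim.
                tcp.Connect(proxy.Host, proxy.Port);
                raw = tcp.GetStream();
                string connect = "CONNECT " + host + ":" + port + " HTTP/1.1\r\n" +
                                 "Host: " + host + ":" + port + "\r\n\r\n";
                byte[] req = Encoding.ASCII.GetBytes(connect);
                raw.Write(req, 0, req.Length);
                string statusLine = ReadHttpHead(raw).Split('\r')[0];
                Console.WriteLine("Proxy CONNECT reply: " + statusLine);
                if (!statusLine.Contains(" 200"))
                {
                    Console.WriteLine("Proxy refused the tunnel (e.g. 407 auth required); TLS never started.");
                    return;
                }
            }
            else
            {
                tcp.Connect(host, port);
                raw = tcp.GetStream();
            }

            // 3. TLS 1.2 handshake through Schannel, the stack used by WCF's HTTPS transport.
            using (var ssl = new SslStream(raw, false, LogAndValidate))
            {
                try
                {
                    ssl.AuthenticateAsClient(host, null, SslProtocols.Tls12, false);
                }
                catch (AuthenticationException ex)
                {
                    Console.WriteLine("Handshake failed: " + ex.Message);
                    if (ex.InnerException != null)
                        Console.WriteLine("  inner: " + ex.InnerException.Message);
                    return;
                }
                Console.WriteLine("Negotiated {0}, {1} {2}-bit, server cert subject: {3}",
                    ssl.SslProtocol, ssl.CipherAlgorithm, ssl.CipherStrength,
                    ssl.RemoteCertificate.Subject);
            }
        }
    }

    // Same shape as the callback in the question, but also dumps chain status so a
    // trust failure is distinguishable from a handshake that never reached the certificate.
    static bool LogAndValidate(object sender, X509Certificate cert, X509Chain chain,
                               SslPolicyErrors errors)
    {
        Console.WriteLine("Validation callback reached; policy errors: " + errors);
        if (chain != null)
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine("  chain status: {0} {1}", s.Status, s.StatusInformation.Trim());
        return errors == SslPolicyErrors.None; // never return true unconditionally outside a lab
    }

    // Reads an HTTP response head up to the blank line that terminates the headers.
    static string ReadHttpHead(Stream s)
    {
        var sb = new StringBuilder();
        int b;
        while ((b = s.ReadByte()) != -1)
        {
            sb.Append((char)b);
            if (sb.Length >= 4 && sb.ToString(sb.Length - 4, 4) == "\r\n\r\n") break;
        }
        return sb.ToString();
    }
}
```

Run it as the account the Windows service runs under, not as the interactive user: GetSystemWebProxy() reads the per-user proxy configuration, so a probe from Insomnia under a logged-in administrator can succeed while the service, under a different account with no proxy settings, fails before any TLS record is exchanged. The three outputs to compare against the trace in the question are the resolved proxy, the proxy's CONNECT status line, and whether the validation callback fires at all.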

