Could not create SSL/TLS secure channel

    Question

  • Hi there,

    I am trying to use a client certificate for a web service.  It works okay the first time.  But when I attempt the second time I am getting an error saying "The request was aborted: Could not create SSL/TLS secure channel."

    Basically, I log in to the web service and get a session ID, then use this ID in the following requests.  But what happens is that when I try to connect after I got the session ID, I am getting this error.  Shouldn't that m_webService have all the cert properties set?  Why would it fail when I call logout?

    I see the following on trace logs.



    System.Net Error: 0 : [5040] Decrypt returned SEC_I_RENEGOTIATE.
    System.Net Information: 0 : [5040] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 1e8800:150c08, targetName = 10.33.63.14, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
    System.Net Information: 0 : [5040] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=86, returned code=ContinueNeeded).
    System.Net Error: 0 : [5040] Exception in the HttpWebRequest#16726062:: - The request was aborted: Could not create SSL/TLS secure channel.

    Code Snippet

    using System;
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;

    class Session
    {
        private WebReference.UserFeatures m_webService;
        // Logger used below; its declaration was not in the original post (assumed to be set by the caller).
        private Display m_Display;

        public Session(string ip, bool sslEnabled)
        {
            try
            {
                m_webService = new TestApp.WebReference.UserFeatures();
                if (sslEnabled)
                {
                    string certificatePath = "cert.p12";
                    string certificatePassword = "testpass";
                    // Client certificate (PKCS#12) presented to the server on every HTTPS request.
                    X509Certificate clientCertificate = new X509Certificate2(certificatePath, certificatePassword);
                    m_webService.ClientCertificates.Add(clientCertificate);
                }
                // Process-wide callback; with TrustAllCertificatesCallback the server certificate is never validated.
                // Note that it is installed regardless of sslEnabled.
                System.Net.ServicePointManager.ServerCertificateValidationCallback = TrustAllCertificatesCallback;

                string myUrl = "https://" + ip + "/UserFeatures";
                m_webService.Url = myUrl;
            }
            catch (Exception e)
            {
                // The original catch block was empty and silently swallowed setup failures.
                m_Display.write(LogLevel_t.ERROR, "Exception caught: " + e.ToString());
                throw;
            }
        }

        // Called by the form in the follow-up post; not shown in the original snippet.
        public WebReference.UserFeatures getWebService()
        {
            return m_webService;
        }

        public static bool TrustAllCertificatesCallback(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
        {
            return true;
        }

        public string getSessionId(string user, string password)
        {
            string retValue = null;

            WebReference.LoginResult loginResult = login(user, password);
            // login() returns null when the call threw; guard before dereferencing.
            if (loginResult != null && loginResult.result.success)
            {
                retValue = loginResult.session;
            }

            return retValue;
        }

        private WebReference.LoginResult login(string user, string passwd)
        {
            WebReference.login loginValue = new WebReference.login();
            loginValue.password = passwd;
            loginValue.username = user;
            WebReference.loginResponse res;
            try
            {
                res = m_webService.login(loginValue);
            }
            catch (Exception ex)
            {
                m_Display.write(LogLevel_t.ERROR, "Exception caught: " + ex.Message);
                return null;
            }

            if (res.@return.result.success)
            {
                m_Display.write(LogLevel_t.TRACE, "Successfully logged into ME Web service");
            }
            else
            {
                m_Display.write(LogLevel_t.ERROR, res.@return.result.errorMessage.ToString());
            }

            return res.@return;
        }
    }
    • Moved by ranamauro (Moderator), 3 June 2008 14:29: this issue is in the networking layer and not specific to web services
    17 February 2008 01:14

All messages

  • Please post some context. Show us how you use this class. Also, please show the entire exception you receive, including any InnerException, and the complete stack trace.

    17 February 2008 02:06
  • Thanks John.  I am very new to .Net so I don't know how to get the complete stack trace.  As the program is GUI based I didn't want to put the complete code.  I am going to put some context in a while.

    Code Snippet

    using System;
    using System.Windows.Forms;

    namespace TestApp
    {
        public partial class Tool : Form
        {
            private WebReference.UserFeatures m_WebService;
            private string m_SessionId = null;
            private Session m_SessionManager = null;
            private Display m_Display = null;

            public Tool()
            {
                InitializeComponent();
                m_Display = Display.GetInstance(resultOutbox);
            }

            // Not shown in the original post; assumed to mean "a session ID was obtained".
            private bool IsLoggedIn()
            {
                return m_SessionId != null;
            }

            private void loginButton_Click(object sender, EventArgs e)
            {
                try
                {
                    m_SessionManager = new Session(ServerIPAddress.Text, sslEnabledInput.Checked);
                    m_WebService = m_SessionManager.getWebService();
                    m_SessionId = m_SessionManager.getSessionId(loginIdInput.Text, passwordInput.Text);
                    if (m_SessionId != null)
                    {
                        m_Display.write(LogLevel_t.TRACE, "SessionId : " + m_SessionId);
                    }
                    else
                    {
                        m_Display.write(LogLevel_t.ERROR, "Error: Unable to obtain session ID");
                    }
                }   // the closing brace of the try block was missing in the original post
                catch (Exception ex)
                {
                    m_Display.write(LogLevel_t.ERROR, "Exception caught: " + ex.Message);
                    return;
                }
            }

            private void LogoutButton_Click(object sender, EventArgs e)
            {
                try
                {
                    if (IsLoggedIn())
                    {
                        WebReference.logout logout = new WebReference.logout();
                        logout.session = m_SessionId;
                        // Second HTTPS request on the same proxy: this is the call that fails in the trace.
                        WebReference.logoutResponse res = m_WebService.logout(logout);
                        if (res.@return.success)
                        {
                            m_Display.write(LogLevel_t.TRACE, "Successfully logout from Web Service");
                        }
                        else
                        {
                            m_Display.write(LogLevel_t.ERROR, res.@return.errorMessage.ToString());
                        }
                    }
                    else
                    {
                        m_Display.write(LogLevel_t.TRACE, "Not logged in");
                    }
                }
                catch (Exception ex)
                {
                    m_Display.write(LogLevel_t.ERROR, "Exception caught: " + ex.Message);
                }
            }
        }
    }

    17 February 2008 02:26
  • To get the complete exception, including stack trace:

    Code Snippet

    try
    {
        // Execute some code
    }
    catch (Exception ex)
    {
        string message = ex.ToString();
        MessageBox.Show(message, "Exception!");
        // Or Console.WriteLine(message) or Debug.WriteLine(message), etc.
    }

    Yes, please don't post the entire program! Just post some code snippets showing how you use the code you previously posted. The original post gives me no clue as to what went wrong, since it doesn't show how the code was called, where the problem occurred, or what the problem actually was!

    17 February 2008 02:41
  • Hi,
    This is what I am getting...

    Exception caught: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
       at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
       at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at TestApp.WebReference.UserFeatures.logout(logout logout1) in C:\UserFeaturesTestTool\TestApp\Web References\WebReference\Reference.cs:line 509
       at TestApp.Tool.LogoutButton_Click(Object sender, EventArgs e) in C:\UserFeaturesTestTool\TestApp\src\UserApp.cs:line 87

    17 February 2008 02:51
  • The first request to get the sessionID finishes up with the following lines in the trace. Does the message in bold give any hint?

    Code Snippet

    System.Net Verbose: 0 : [0252] 000001E0 : 6E 76 3A 45 6E 76 65 6C-6F 70 65 3E             : nv:Envelope>
    System.Net Verbose: 0 : [0252] Exiting ConnectStream#567760::Read()     -> 492#492
    System.Net Verbose: 0 : [0252] ConnectStream#567760::Read()
    System.Net Verbose: 0 : [0252] Exiting ConnectStream#567760::Read()     -> 0#0
    System.Net Verbose: 0 : [0252] ConnectStream#567760::Close()
    System.Net Verbose: 0 : [0252] Exiting ConnectStream#567760::Close()


    Then the second request begins with the following...

    System.Net Information: 0 : [0252] SecureChannel#26543418::.ctor(hostname=10.33.63.14, #clientCertificates=1)
    System.Net Information: 0 : [0252] SecureChannel#26543418 - Attempting to restart the session using the user-provided certificate:
    ....

    System.Net Error: 0 : [0252] Decrypt returned SEC_I_RENEGOTIATE.
    System.Net Information: 0 : [0252] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 1e55b0:13c928, targetName = 10.33.63.14, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
    System.Net Information: 0 : [0252] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=86, returned code=ContinueNeeded).
    System.Net Error: 0 : [0252] Exception in the HttpWebRequest#65573909:: - The request was aborted: Could not create SSL/TLS secure channel.
    System.Net Error: 0 : [0252] Exception in the HttpWebRequest#65573909::EndGetResponse - The request was aborted: Could not create SSL/TLS secure channel.

    17 February 2008 03:03
  • Thanks for posting the code. I finished my earlier reply before you posted it. Here are some immediate comments:

    1. Please don't ever use "ex.Message" and think that you've displayed the exception. An exception may have inner exceptions, which may have inner exceptions, etc. I recognize the desire in a UI program to not expose the user to ugly exception output, but the way to do that is to not expose the users to exceptions at all! It's better to display a generic message like "a problem has occurred", and to write the details of the exception (ex.ToString()) to an event log or something like that, along with everything you know about the context in which the problem occurred. That way, you neither show the user too much information, nor show your IT staff too little.
    2. I see that your form has a reference to the web service, and that your Session class does as well. I strongly suggest that you place responsibility for the web service in one place. That will place responsibility for any bugs regarding the web service in one place.
    3. Please post the details of the user interaction. I can assume that you display the form, click Login and then Logout, but my assumption may be incorrect.
    4. I presume you tried this with sslEnabled == false? Did that succeed? Do you need to change the URL to "https" if ssl is not enabled?

    17 February 2008 03:05
  • Thank you for your comments.  Greatly appreciated.
    Yes, the user clicks the login button and then clicks the logout button.

    Just a correction.  The tool was working fine without SSL and currently I am changing it to support SSL.  It is correct that when using non-SSL I should use "http".  When I was modifying the original code I made it "https" for the whole thing, which I should correct.  Thanks.

    17 February 2008 03:15
  • You probably don't want the TrustAllCertificatesCallback in the non-SSL case, either.

    I would suggest that you set a breakpoint before your call to Logout, and look to see if the certificate is still in the ClientCertificates collection.

    Another thought from someone who hasn't used SSL with web services: what happens if you use SSL, but don't use a client certificate?

    17 February 2008 03:23
  • >>You probably don't want the TrustAllCertificatesCallback in the non-SSL case, either.
    That is for the server certificate.  Basically, I want to accept the server cert without any checking.  That is why I just returned true in that case.

    The Apache server is configured so it would reject connections without a client certificate.  Thanks.
    17 February 2008 03:44
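    John's two suggestions above (install the validation callback only for the SSL case and validate the server certificate instead of returning true; check the ClientCertificates collection before Logout) written out as code. This is an added example, not code from the thread or the poster's tool; it assumes the generated WebReference.UserFeatures proxy from the posts, and the HardenedSession class, ValidateServerCertificate method and the thumbprint placeholder are assumptions of this example.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical replacement for the poster's Session constructor (added example, not thread code).
class HardenedSession
{
    // Placeholder: replace with the SHA-1 thumbprint of your own server certificate.
    private const string ExpectedServerThumbprint = "<SERVER-CERT-THUMBPRINT-PLACEHOLDER>";
    private readonly WebReference.UserFeatures m_webService;
    private readonly X509Certificate2 m_clientCertificate;

    public HardenedSession(string host, bool sslEnabled, string pfxPath, string pfxPassword)
    {
        m_webService = new WebReference.UserFeatures();
        // Scheme follows the SSL flag; the original post hard-coded "https://" for both cases.
        m_webService.Url = (sslEnabled ? "https://" : "http://") + host + "/UserFeatures";
        if (sslEnabled)
        {
            // Load the PKCS#12 once and keep the reference so the same object can be checked later.
            m_clientCertificate = new X509Certificate2(pfxPath, pfxPassword);
            m_webService.ClientCertificates.Add(m_clientCertificate);
            // Process-wide callback, so install it only when SSL is actually in use.
            ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
        }
    }

    // Accept the server certificate when the chain validates, or when the only problem is a
    // chain error (e.g. self-signed) AND the thumbprint matches the one we expect.
    private static bool ValidateServerCertificate(object sender, X509Certificate cert,
                                                  X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || cert == null)
            return false; // name mismatch or no certificate at all: never accept
        string thumbprint = new X509Certificate2(cert).Thumbprint;
        return string.Equals(thumbprint, ExpectedServerThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    // The breakpoint check John suggested, as code: is the certificate we added still the one
    // the proxy will present on the next (Logout) request?
    public bool ClientCertificateStillAttached()
    {
        return m_clientCertificate != null
            && m_webService.ClientCertificates.Contains(m_clientCertificate);
    }

    public WebReference.UserFeatures WebService { get { return m_webService; } }
}
```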
  • As a simplifying step during debugging, I'd suggest changing the Apache server to not require a client certificate. That will rule out the client certificate as being part of the problem.

    Also, make sure to set the breakpoint before you call Logout to make sure the ClientCertificates collection still contains the certificate you put there.

    17 February 2008 03:49
  • The trace log, System.Net.trace, clearly shows that the client certificate is there. My doubt is that it has something to do with the SEC_I_RENEGOTIATE.

    17 February 2008 04:26
  • Personally, I would set the breakpoint to see what .NET thinks is there, and to make sure that the certificate hasn't changed from one call to the second.

    17 February 2008 14:44
  • Hi,

    Did you solve this problem? If you did, then could you please tell me what the reason and solution were? I have the same problem.

    Thanks

    18 April 2008 10:10
  • Hi,

    I believe the following link would give you some ideas.

    http://www.kerrywong.com/2006/12/01/using-x509-certificate-with-web-service-in-aspnet/

    Let me know.

    Thanks,

    18 April 2008 15:51
  • Hi,

    Thanks Ambuli for the quick response. I went through the web page you pointed out.
    My problem is almost identical.
    I use BizTalk to call a web service over https and I am using a client certificate.
    The certificate works fine for the first call but after that it does not work anymore.
    I'll send the trace here tomorrow. It is interesting that when there is a second renegotiate command I get the same error that you got.
    I think there could be some problems with the server end too.

    Thanks

    18 April 2008 16:54
  • Has anybody discovered how to fix this?

    I'm getting the same exception, but it only occurs intermittently (less than 1% of the time). I have a web service being consumed by a WinForms app written in C# 2.0.

    Just some additional info: I'm overriding the GetWebRequest method of the automatically created WebReference class, and setting the HttpWebRequest object's KeepAlive flag to false.

    Any help appreciated!

    Ash
    6 May 2008 13:37
  • If this is still a problem for you, then I'd suggest you start a new thread. More people will see a new thread than will see a reply to an existing thread that they were not paying attention to.
    John Saunders
    2 June 2008 00:33
  • Hi Ambuli,

    I would like to know if you have solved this issue. I am having the exact same problem that you explained here. Sometimes, randomly, I get the message:

    Could not create SSL/TLS secure channel.

    By adding a tracer to my web service I got the same SEC_I_RENEGOTIATE message you received.

    Any help would be highly appreciated.

    Thanks in advance!
    17 November 2008 20:41
  • Hi All

    I am also facing the same issue on the client side. Can someone please share the solution to this? Thanks in advance!

    Regards, Javed
    29 December 2011 10:21