Hi,
I wrote the following code to call an aspx page in code (from another aspx page):
HttpWebRequest httprq = (HttpWebRequest)HttpWebRequest.Create(uri);
string certificateName = "SoapProxy2";
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certificates = store.Certificates.Find(X509FindType.FindBySubjectName, certificateName, true);
X509Certificate certificate = certificates[0];
httprq.ClientCertificates.Add(certificate);
httprq.Method = "POST";
httprq.ContentType = "text/xml; charset=utf-8";
httprq.ContentLength = 0;
HttpWebResponse httprp = (HttpWebResponse)httprq.GetResponse();
When I run this I get the exception: 'The request was aborted: Could not create SSL/TLS secure channel.'.
The client and ssl certificates are perfectly valid (It works when I call the page in my browser).
How to solve this?
Thanks.

SSL/TLS exception when using HttpWebRequest with client certificate
Aleksandra
Ah-hah, so they are enabled by default. I wasn't clear on that.
I disabled all but SSL3, and same problem. And then I disabled all but TLS1 with the same problem. I know that I'm setting things in the right place because when I disabled SSL my browser wouldn't access HTTPS.
Is there a log entry that would give me better information on this error? I loaded Network Monitor, but I couldn't find anything useful in the dump. Perhaps there's a different tool I could use to track this down?
MartinHains
Hello again,
This is the last part of my trace where things go wrong:
System.Net Information: 0 : [4064] SecureChannel#49205706 - Left with 1 client certificates to choose from.
System.Net Information: 0 : [4064] SecureChannel#49205706 - Trying to find a matching certificate in the certificate store.
System.Net Information: 0 : [4064] SecureChannel#49205706 - Locating the private key for the certificate: [Version]
V3
[Subject]
CN=SoapProxy2 Test Client Cert, OU=IT, O=Sodexho Pass Belgium, L=Brussels, S=Brussels, C=BE, E=mls@sodexho-pass.be
Simple Name: SoapProxy2 Test Client Cert
Email Name: mls@sodexho-pass.be
DNS Name: SoapProxy2 Test Client Cert
[Issuer]
CN=espi_web_dev1, OU=IT, O=Sodexho Pass Belgium, L=Brussels, S=Brussels, C=BE, E=ody@sodexho-pass.be
Simple Name: espi_web_dev1
Email Name: ody@sodexho-pass.be
DNS Name: espi_web_dev1
[Serial Number]
146E9654000000000004
[Not Before]
20/01/2006 11:55:29
[Not After]
20/01/2007 12:05:29
[Thumbprint]
69B4F584FACA79B7CED6A14EB45F7AB2BFBC580A
[Signature Algorithm]
sha1RSA(1.2.840.113549.1.1.5)
[Public Key]
Algorithm: RSA
Length: 2048
Key Blob: 30 82 01 0a 02 82 01 01 00 eb 3a e0 75 13 3c a6 b0 ae bf 03 b5 72 61 6e b6 22 24 ae cc 13 ad 53 bb 59 b5 17 ee 6d a8 3a 80 c7 b9 89 42 df e7 9b 49 63 51 40 a5 d4 2c 1b 1c 62 64 5a d0 58 7f 54 82 a1 ac b2 84 67 21 c7 37 ba 88 f9 89 cf 9c 00 25 af....
System.Net Information: 0 : [4064] SecureChannel#49205706 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [4064] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Error: 0 : [4064] AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net Information: 0 : [4064] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Error: 0 : [4064] AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net.Sockets Verbose: 0 : [0764] Socket#8628710::Dispose()
System.Net Error: 0 : [0764] Exception in the HttpWebRequest#53036123:: - The request was aborted: Could not create SSL/TLS secure channel.
System.Net Error: 0 : [0764] Exception in the HttpWebRequest#53036123::EndGetRequestStream - The request was aborted: Could not create SSL/TLS secure channel.
Does it have something to do with the private key of my client cert?
It is marked as not exportable, could that have anything to do with it?
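An added example, not part of the original thread: the trace above ends with AcquireCredentialsHandle() failing with 0X8009030D (SEC_E_UNKNOWN_CREDENTIALS), and the question raised is whether the private key is the cause. The check below reports whether the identity running the code can find the certificate, validate its chain and open its private key. It assumes .NET Framework and the subject name "SoapProxy2" from the first post; `ClientCertCheck` and `Diagnose` are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class ClientCertCheck
{
    // Returns "OK" or a description of the first problem found for this identity.
    public static string Diagnose(StoreLocation location, string subjectName)
    {
        X509Store store = new X509Store(StoreName.My, location);
        try
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly = false: find the certificate even if its chain does not
            // validate, so "missing" and "untrusted" are reported separately.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, false);
            if (found.Count == 0)
                return "not found in " + location + "\\My for this account";

            X509Certificate2 cert = found[0];
            if (!cert.Verify())
                return "found, but chain validation fails (Find with validOnly=true skips it)";
            if (!cert.HasPrivateKey)
                return "found, but no private key is associated with it";
            // Reading the property makes the CSP open the key container, which
            // throws if this account has no access to the key.
            if (cert.PrivateKey == null)
                return "private key could not be loaded";
            return "OK";
        }
        catch (CryptographicException ex)
        {
            return "store or private key not accessible: " + ex.Message;
        }
        finally { store.Close(); }
    }

    static void Main()
    {
        // CurrentUser is per account: the store of the interactive user is not
        // the store of the account that runs the code under IIS.
        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("CurrentUser:  " + Diagnose(StoreLocation.CurrentUser, "SoapProxy2"));
        Console.WriteLine("LocalMachine: " + Diagnose(StoreLocation.LocalMachine, "SoapProxy2"));
    }
}
```

To test the web scenario, call `Diagnose` from the aspx page itself so that it runs under the same account as the failing request.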
paul_at_foobar_nu
The CertificatePolicy returned SSPI code 0x00000000, which
is status OK I suppose, although it wasn't in the enum list.
The code I put on the forum is just a fragment of the code I
use, the full code actually does send a request stream.
greetz, James
Eric Hainey
http://blogs.msdn.com/dgorti/
I can reach fine
Also the Client certs are not sent until the SSL connection is really negotiated
hurf0rd
Roberta Ezar
Brian,
Your C# code looks OK (although I'd recommend using C#'s using block to safely close request and response streams).
I wonder if this could be an unsupported setup. Can you configure the server side to run only SSL3 or TLS1 and try again?
gangxter
Doubt it. I connect to other sites using SSL without any problem. We do have a new DMZ, so perhaps I can check there. The strange thing is that it works and connects when I use the XmlHttp COM object and I run it under the ASP.NET Development Server that is invoked from Visual Studio 2005. It does not work when I use those same bits running under IIS5 on my Windows XP Professional development box. Neither configuration works when I use the HttpWebRequest object.
Do you know of any tools or monitors or loggers that I can use to get a more specific error description? In the meantime, I'll check with the DMZ folks.
mmichtch
DaveMPlano
Note that these entries are meant to disable those protocols. All my recent XP (SP2) and 2003 (SP1/R2) installations did not have any of those protocols disabled. Also, if they had been disabled before, even a browser would have failed to connect.
Harvey Roth
I'm having the same problem. I originally was using the WinHttp object. When I run this in VisualStudio 2005 using the "File" mode (with the built-in mini IIS server), it finds the certificate and connects to the site.
WinHttp.WinHttpRequest oWinHttp = new WinHttp.WinHttpRequest();
oWinHttp.Open("POST", strPostUrl, false);
oWinHttp.SetRequestHeader("Content-Type", "application/x-ofx");
oWinHttp.SetClientCertificate(strPostCert);
oWinHttp.Send(sb.ToString());
However, if I run it under IIS, I get a "Client Certificate Required" error. That tells me something is wrong with permissions. I've installed the certificate as the ASPNET user and again as IWAM_machinename, all to no avail.
So I tried a method similar to James Henderson's. I got rid of the WinHttp object and tried it the .NET way, with the WebRequest object. I got the same error message about SSL/TLS. I had a hard time loading the Network Monitor, as it is not included in Windows XP. It doesn't tell me anything I can use, however.
Here's the code:
webRequest = (HttpWebRequest)HttpWebRequest.Create(strPostUrl);
webRequest.ClientCertificates.Clear();
webRequest.ClientCertificates.Add(x509);
webRequest.Method = "POST";
webRequest.ContentType = "application/x-ofx";
webRequest.ContentLength = byteRequest.Length;
Stream dataStream = webRequest.GetRequestStream();
dataStream.Write(byteRequest, 0, byteRequest.Length);
dataStream.Close();
webResponse = webRequest.GetResponse();
This gives the error when calling GetRequestStream():
The request was aborted: Could not create SSL/TLS secure channel
James, were you able to solve your problem? Jorg, Durgaprasad, any ideas?
Thanks!
Brian.
iiSikunj
I wasn't able to reach your weblog.
Still it is strange that it would have nothing to do with the client certificate, because when I send the request over SSL without the client certificate it works fine (accept certificate instead of require certificate in IIS).
My server certificate is trusted when I check it in IIS.
GWILSON1981
The fact that your browser doesn't complain about the certificate doesn't mean it's valid -- the browser could be configured to accept that certificate without further complaints.
For test purposes, you can implement a System.Net.ICertificatePolicy that accepts any certificate and logs all problems found for a given certificate. Try this sample, but make it return true instead of false.
Out of curiosity: Why do you use POST at all? Your code doesn't send any data other than HTTP headers. GET should work.
Ford McKinstry
Joerg, thanks for the hint. I enabled only the client and server for SSL3 using your suggestion (http://support.microsoft.com/kb/187498/en-us). Strange, but on my machine, none of the protocols was enabled at HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols. Is that appropriate?
I'm still getting the same error. Any other suggestions?
Thanks!
Brian.
DankS
Could not establish SSL means that you are not able to even get the SSL with the server. The client certs are not coming into picture here.
First
1) Get a system.net trace. Instructions are in one of my postings at http://blogs.msdn.com/dgorti. This will be very valuable in debugging.
2) Next make sure that the server certificate is valid. The trace log file should tell you all about it.
3) Make sure that the issuer is trusted.