tags:

views:

110

answers:

1
Q: 

The remote certificate is invalid according to the validation procedure.

Hi,

I'm developing a WCF service (NetTcpBinding) and it works just fine without security. We bought a certificate from DigiCert and installed it on the server and configured with DigicertUtil.exe. Also installed on the test client machines.

Turning on the security I'm able to connect to it from my dev PC without problems.

Server config:

   binding.Security.Mode = SecurityMode.Transport;
   binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
   binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
   ServerHost.Credentials.ServiceCertificate.SetCertificate(
              StoreLocation.LocalMachine,
              StoreName.My,
              X509FindType.FindBySubjectName,
              Properties.Settings.Default.CertificateName);

Client config:

 <binding name="EndPointTCP" closeTimeout="00:01:00" openTimeout="00:01:00"
              receiveTimeout="00:10:00" sendTimeout="00:01:00" transactionFlow="false"
              hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="1610612736"
              maxReceivedMessageSize="1610612736">
              <readerQuotas maxDepth="32" maxStringContentLength="2147483647"
                maxArrayLength="2147483647" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
              <reliableSession ordered="false" inactivityTimeout="00:10:00" enabled="false" />
              <security mode="Transport">
                <transport clientCredentialType="Certificate"  protectionLevel="EncryptAndSign"/>
              </security>
            </binding>

    <behaviors>
          <endpointBehaviors>
            <behavior name="behavior_ServerService">
              <clientCredentials>
                <clientCertificate findValue="*.domain.com"
                          storeLocation="LocalMachine"
                          storeName="My"
                          x509FindType="FindBySubjectName" />
              </clientCredentials>
            </behavior>
          </endpointBehaviors>
        </behaviors>

<client>
  <endpoint address="net.tcp://clients.domain.com:10001/Server/ServerService"
    binding="netTcpBinding" bindingConfiguration="EndPointTCP" contract="ServerServiceReference.IServerWS"
    name="EndPointTCP" behaviorConfiguration="behavior_ServerService">
    <identity>
      <dns value="*.domain.com" />
    </identity>
  </endpoint>
</client>

(I modified the domain and service name to keep privacy of the customer.)

Trying it from any other computers I receive the following error on clients:

The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:00:59.9840000'.

An existing connection was forcibly closed by the remote host

The trace log on the server says:

The remote certificate is invalid according to the validation procedure.

Which is very strange because I use the same certificate on both the sever and the client... (and not to mention the dev pc from which it's working well...)

The error message is the same even if I set 

ServerHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;

on the server and 

ServiceClient.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;

on the client.

Could anybody tell me how to do it correctly? Of course I do not want to use workarounds like validation callback returning always true or the above non-validated mode.

Any help would be appreciated. Only this 'little' problem should be solved to be able to release... :(

Thanks a lot in advance!

Hudgi

A: 

It sounds like you are trying to use the same certificate as both a server and client certificate and that your clients do not have the same hostname that the certificate was issued to. Even if you set X509CertificateValidationMode.None, the hostnames must match. If your development machine was the same as the server it would most certainly succeed.

Are you intentionally trying to make clients authenticate to the server over SSL, or are you just trying to establish trust from your clients with the certificate authority?

I also suspect your certificate may not really be a wildcard certificate, if thats the case you are out of luck with using that cert for client authentication.

insipid  2010-08-11 04:21:02
Hi Insipid,How could I check if the cert is wildcard or not? In the Subject Alternative Name field I have a value simlar to this:DNS Name=clients.domain.comDNS Name=domain.comDNS Name=*.domain.comThe developer machine is my laptop and the server is another one in a VPN similary with the other test PC's. I need a way not to force the hostname be the same as the server because we want to run the clients on many machines in the world later. I added an <identity> <dns> clause to the endpoint in boththe server and the client config file. Isn't it enough? Thx.
Hudgi  2010-08-11 09:51:12
Simply changing the identity element isn't enough if you don't have the certificate to back it up. You said you have *.domain.com.. that includes myClient.domain.com, but I don't think that wildcard will support subdomains like myClient.clients.domain.com. Are your clients in a subdomain?
insipid  2010-08-11 14:18:19
We plan to allow clients to access the service all over the world, and so we can't expect them to have the same domain. We want to install the client software on a remote computer and run it as a service automatically. We just want to encryipt the communication between a client and the server because it sends sensitive data over the internet. The server's address is clients.domain.com (of course it's not the real address but shows the subdomain deepness) and we don't know the client addresses at all. Can it be done?
Hudgi  2010-08-11 15:05:36
More info - I set up a verbose System.Net trace and I get this error: Remote certificate has errors: The remote server did not provide a certificate. Remote certificate was verified as invalid by the user.
Hudgi  2010-08-11 18:06:28
Dear Insipid,Finally it seems to be working. Thank you for attending. I marked as accepted your answer.-- Hudgi
Hudgi  2010-08-14 11:56:21
Sorry for missing your last two comments, glad you got it working.
insipid  2010-08-14 17:52:06

related questions

Would you override ScriptControl or BaseValidator for an async ASP.NET validator control?
Handling HttpRequestValidationException gracefully and ASP.net AJAX compatible?
How to Dynamically Generate String Validation?
Validate email address in Javascript?
Data Validation Design Patterns
Strong Validation in WPF
How to evaluate an IP?
Validating a HUGE XML file
Validate (X)HTML in Python
ValidationRule To Enforce Unique Name
Checking if userinput is a valid URI in XUL
XML Parser Validation Report
Email SMTP validator
MVC - where to implement form validation (server-side)?
How do you remove invalid hexadecimal characters from an XML-based data source prior to constructing an XmlReader or XPathDocument that uses the data?
How to check set of files conform to a naming scheme
What's the best way to implement field validation using ASP.NET MVC?
How do I validate xml against a DTD file in Python
What's the best way to validate an XML file against an XSD file?
Problem databinding an ASP.Net AJAX toolkit MaskedEditExtender
Validating posted form data in the ASP.NET MVC framework
Best method for varchar date validation in Sybase (T-SQL)?
How important is W3C XHTML/CSS validation when finalizing work?
How far should one take e-mail address validation?
ASP .Net Custom Client-Side Validation