Trying to get the simple Hello World (via SSL) working but receiving the following error: The remote certificate is invalid according to the validation procedure.

The server App.config is:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <system.serviceModel>
        <behaviors>
            <serviceBehaviors>
                <behavior name="mexBehavior">
                    <serviceMetadata httpGetEnabled="true" />
                </behavior>
            </serviceBehaviors>
        </behaviors>
        <bindings>
            <wsHttpBinding>
                <binding name="SSLSecurity">
                    <security mode="Transport">
                        <transport clientCredentialType="None" />
                    </security>
                </binding>
            </wsHttpBinding>
        </bindings>
        <services>
            <service behaviorConfiguration="mexBehavior" name="HelloServiceLibrary.HelloService">
                <clear />
                <endpoint address="ws" binding="wsHttpBinding" name="wsEndpoint"
                    contract="HelloServiceLibrary.IHelloService">
                    <identity>
                        <dns value="localhost" />
                    </identity>
                </endpoint>

                <!-- findValue must be the bare hex thumbprint: copying it from the MMC
                     certificate viewer pastes an invisible left-to-right mark in front of it,
                     and FindByThumbprint then matches nothing -->
                <endpoint address="https://localhost:443/hellossl" binding="wsHttpBinding" name="wssslEndpoint"
                    bindingConfiguration="SSLSecurity" contract="HelloServiceLibrary.IHelloService">
                    <identity>
                        <certificateReference x509FindType="FindByThumbprint" findValue="82a39faaeb18bf9585b334ca83264add3d5b26ee" />
                        <dns value="localhost" />
                    </identity>
                </endpoint>

                <endpoint address="mex" binding="mexHttpBinding" name="mexEndpoint"
                    contract="IMetadataExchange">
                    <identity>
                        <dns value="localhost" />
                    </identity>
                </endpoint>
                <host>
                    <baseAddresses>
                        <add baseAddress="http://localhost:8989/hello" />
                    </baseAddresses>
                </host>
            </service>
        </services>
    </system.serviceModel>
</configuration>

Please advise what I am doing wrong.

Update: the certificate is successfully deployed in Trusted Root Certification Authorities on local computer.
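Added example (not code from the question or the answers): a small C# diagnostic that runs the same checks a WCF client's default certificate validation performs against the server certificate referenced in the App.config above. It assumes the certificate sits in LocalMachine\My under the thumbprint from the config; the chain status it prints (for example UntrustedRoot) names the reason behind "The remote certificate is invalid according to the validation procedure", and the name check covers the other common cause, a certificate name that does not match the endpoint's host name.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Diagnose why a WCF server certificate fails the client's default validation.
// Assumption: the certificate is in LocalMachine\My under the thumbprint from the App.config.
class CertCheck
{
    // Keep only hex digits: thumbprints pasted from the MMC certificate viewer
    // often carry invisible Unicode marks that make FindByThumbprint return nothing.
    static string CleanThumbprint(string raw) =>
        new string(raw.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();

    static void Main()
    {
        string thumbprint = CleanThumbprint("82a39faaeb18bf9585b334ca83264add3d5b26ee");

        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        // validOnly: false so an untrusted self-signed cert is still returned and can be inspected
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
        store.Close();

        if (found.Count == 0)
        {
            Console.WriteLine("No certificate with thumbprint " + thumbprint + " in LocalMachine\\My");
            return;
        }
        X509Certificate2 cert = found[0];
        Console.WriteLine("Subject: " + cert.Subject);

        // Same chain walk the client performs before it reports "invalid according to the validation procedure".
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool chainOk = chain.Build(cert);
        Console.WriteLine("Chain builds to a trusted root: " + chainOk);
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine("  " + status.Status + ": " + status.StatusInformation.Trim());

        // The endpoint address is https://localhost:443/..., so the certificate must carry that name.
        string dnsName = cert.GetNameInfo(X509NameType.DnsName, false);
        bool nameOk = string.Equals(dnsName, "localhost", StringComparison.OrdinalIgnoreCase);
        Console.WriteLine("DNS name in certificate: " + dnsName + (nameOk ? " (matches endpoint)" : " (does NOT match localhost)"));
    }
}
```

Run it on the client machine as well as the server: UntrustedRoot there means the certificate has not been placed in that machine's Trusted Root Certification Authorities store, which is where the client-side validation looks.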

A: 

Add this to your WCF config and let me know the output.

<system.diagnostics>
    <trace autoflush="true" />
    <sources>
        <source name="System.Net" maxdatasize="1024">
            <listeners>
                <add name="MyTraceFile"/>
            </listeners>
        </source>
        <source name="System.Net.Sockets" maxdatasize="1024">
            <listeners>
                <add name="MyTraceFile"/>
            </listeners>
        </source>
    </sources>
    <sharedListeners>
        <add name="MyTraceFile"
             type="System.Diagnostics.TextWriterTraceListener"
             initializeData="System.Net.trace.log" />
    </sharedListeners>
    <switches>
        <add name="System.Net" value="Verbose" />
        <add name="System.Net.Sockets" value="Verbose" />
    </switches>
</system.diagnostics>

This is a stab in the dark.

Check to make sure you installed it to all users.

Open up MMC
Add Snap In (Certificates)
- Check Computer Account (Next)
- Choose your computer
Done

Now reinstall the cert to "Trusted Root Certification Authorities" and it will be trusted for all users.

Nix
the MMC says that the certificate is available for: "All issuance policies. All application policies." I guess it's good for all users as well, isn't it?
BreakPhreak
@BreakPhreak: not sure where you were reading that from but if you haven't checked out the cert snap-in, definitely do that because that is where they save to and how you should apply certs.
jlafay
not necessarily, issuance is for trust level, application is for what it is going to be used for: email, authentication, etc.
Nix
here are the screenshots - hope I am doing it right, am I? http://i37.tinypic.com/15pkbip.png http://i34.tinypic.com/347xl3n.jpg
BreakPhreak
also, added the XML diagnostics section, but couldn't find the "MyTraceFile" in the solution directory
BreakPhreak
should be in your root directory file named System.Net.trace.log
Nix
A: 

Not sure if this may help you but I looked back at how I had my app.config set for a simple secure service I wrote a few weeks ago where I was using certs. Here are a few considerations you may need to make to properly config your config for the service:

<bindings>
    <wsHttpBinding>
        ...
        <security>
            <transport clientCredentialType="Certificate"  />
        </security>
    </wsHttpBinding>
</bindings>

Now in my config I have an endpoint behavior defined which provides metadata to tell the service what the client will be using for a cert on its side:

<behaviors>
    <endpointBehaviors>
        <behavior name="ClientBehavior">
            <clientCredentials>
                <clientCertificate findValue="WcfClient" storeLocation="LocalMachine" storeName="My"
                                   x509FindType="FindBySubjectName"/>
                <serviceCertificate>
                    <authentication certificateValidationMode="PeerTrust" />
                </serviceCertificate>
            </clientCredentials>
        </behavior>
    </endpointBehaviors>
</behaviors>
jlafay
you are doing find by subject, he is doing Thumbprint.
Nix
actually, what I do need is a "simple" thing: I need secure communication between a client and a server (WCF), even without the chain of trust. Just create the *.cer file, make the server aware of it and that's it. The client need not be certified/validated. Maybe I need some other thing to try?
BreakPhreak
PS: thanks a lot for your comments, gentlemen
BreakPhreak