Nguyễn Văn Thắng

Reputation: 255

How does a client consume a service secured with SSL?

I have a service class:

namespace TestService
{
    public class Service:IService 
    {
        #region IService Members

        public string TestCall()
        {
            return "You just called a WCF webservice On SSL(Transport Layer Security)";
        }

        #endregion
    }
}

and the service config:

<configuration>
    <system.serviceModel>
        <services>
            <service behaviorConfiguration="returnFaults" name="TestService.Service">
                <endpoint binding="wsHttpBinding" bindingConfiguration="TransportSecurity" contract="TestService.IService"/>
                <endpoint address="mex" binding="mexHttpsBinding" name="MetadataBinding" contract="IMetadataExchange"/>
            </service>
        </services>
        <behaviors>
            <serviceBehaviors>
                <behavior name="returnFaults">
                    <serviceDebug includeExceptionDetailInFaults="true"/>
                    <serviceMetadata httpsGetEnabled="true"/>
                    <serviceTimeouts/>
                </behavior>
            </serviceBehaviors>
        </behaviors>
        <bindings>
            <wsHttpBinding>
                <binding name="TransportSecurity">
                    <security mode="Transport">
                        <transport clientCredentialType="None"/>
                    </security>
                </binding>
            </wsHttpBinding>
        </bindings>
        <diagnostics>
            <messageLogging logEntireMessage="true" maxMessagesToLog="300" logMessagesAtServiceLevel="true" logMalformedMessages="true" logMessagesAtTransportLevel="true"/>
        </diagnostics>
    </system.serviceModel>
</configuration>

I set up the service in IIS and configured HTTP and HTTPS for it, at "https://localhost/service.svc" for HTTPS and "http://localhost/service.svc" for HTTP. When setting up HTTPS I selected the certificate "WCFServer", and I can access the service at the address "https://localhost/service.svc". I added a Service Reference at the address "https://localhost/service.svc" and call the service:

ServiceReference1.ServiceClient proxy = new ServiceReference1.ServiceClient();
proxy.TestCall();

It returns the error:

The remote certificate is invalid according to the validation procedure.

This is the client config:

<configuration>


  <system.web>
    <compilation debug="true" targetFramework="4.0" />


  </system.web>

  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_IService">
          <security mode="Transport">
            <transport clientCredentialType="None" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
      <endpoint address="https://thanguk-pc/service.svc" binding="wsHttpBinding" behaviorConfiguration="firstSsl"
        bindingConfiguration="WSHttpBinding_IService" contract="ServiceReference1.IService"
        name="WSHttpBinding_IService" >
        <identity>
          <dns value="WcfServer" />
        </identity>
      </endpoint>
    </client>
    <behaviors>
      <endpointBehaviors>
        <behavior name="firstSsl">
          <clientCredentials>
            <serviceCertificate>
              <authentication certificateValidationMode="None" revocationMode="NoCheck"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

What is the problem when the client uses the service? Thanks.

Upvotes: 0

Views: 320

Answers (1)

Davin Tryon

Reputation: 67296

The WCF config looks good to me. So, I would start to look towards your certificate, certificate installation and hostname (as pointed out by @flem). Who issued the certificate? Sounds like it might be self-signed. A self-signed certificate will not be trusted on the client during the SSL handshake. You can run netmon on the server (turning on a filter for TLS) and see the SSL handshake. This might give you insight into where the failure is occurring.

One tip is that for your service to work, you should be able to browse the metadata (.svc) over HTTPS from the client without any browser certificate errors (so, a green lock in Chrome, for example). If the browser goes green, then usually the certificate is installed and configured correctly. Otherwise, WCF will reject it also (but not give you the option to continue).

Upvotes: 1
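
To tell the causes named in the answer apart (an untrusted or self-signed issuer versus a host name mismatch), a small console program can perform the TLS handshake from the client machine and print what the platform's default certificate validation reports. This is an added example, not code from the question or the answer; the host name is taken from the client endpoint address in the question, and port 443 and the class name TlsCertCheck are assumptions.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;

// Diagnostic only: reports why validation fails and never overrides the platform's verdict.
static class TlsCertCheck
{
    static bool Report(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (cert == null)
        {
            Console.WriteLine("FAIL: server presented no certificate.");
            return false;
        }
        var c = new X509Certificate2(cert);
        Console.WriteLine("Subject : " + c.Subject);
        Console.WriteLine("Issuer  : " + c.Issuer);
        Console.WriteLine("Valid   : " + c.NotBefore + " to " + c.NotAfter);
        // Identical subject and issuer is the usual sign of a self-signed certificate.
        Console.WriteLine("Subject == issuer (self-signed?): " + (c.Subject == c.Issuer));

        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            Console.WriteLine("FAIL: certificate name does not match the host name being called.");
        if ((errors & SslPolicyErrors.RemoteCertificateChainErrors) != 0 && chain != null)
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine("FAIL: chain " + s.Status + " - " + s.StatusInformation.Trim());
        if (errors == SslPolicyErrors.None)
            Console.WriteLine("OK: certificate is trusted and matches the host name.");

        return errors == SslPolicyErrors.None; // keep the platform's decision
    }

    static void Main(string[] args)
    {
        // Host from the client endpoint address in the question; port 443 is an assumption.
        string host = args.Length > 0 ? args[0] : "thanguk-pc";
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;
        try
        {
            using (var tcp = new TcpClient(host, port))
            using (var ssl = new SslStream(tcp.GetStream(), false, Report))
                ssl.AuthenticateAsClient(host); // validate against the name the client calls
        }
        catch (Exception ex) // AuthenticationException if Report returned false; socket errors if unreachable
        {
            Console.WriteLine("Handshake result: " + ex.Message);
        }
    }
}
```

A name-mismatch line points at the endpoint address or the certificate's subject name; an UntrustedRoot chain status points at an issuer the client machine does not trust.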
