CODEWITHSUNDEEP
wcfwcf-security
Deepti
Deepti

Reputation: 35

intermittent error could not establish secure channel for ssl/tls

My WPF(desktop) application is calling two type of services - one WCF service which is hosted in our internal environment and other one is a 3rd party web service.

My application is using .Net framework 4.0. Due to some recent windows update applied on organization, my 3rd party web service stop working and I start getting this error

"System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority 'abc.net'. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel. "

In order to resolve that I had added this line before calling the 3rd party web service.

  ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;

And, it start working perfectly. However, it impacted my internally hosted WCF service. I start getting the same error for my WCF service. Strange part is that, i am not getting is error every time, it occurs all of a sudden and when we restart the application, WCF service call again start working fine.

Error:

"System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority 'abc.net'. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel."

Some of WCF service config details :

 <bindings>
      <wsHttpBinding>
        <binding maxReceivedMessageSize="2147483647">
          <readerQuotas maxDepth="32" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
----
 <serviceBehaviors>
        <behavior name="WcfServerSyncService.LocalDataCacheSyncServiceBehavior">
          <serviceMetadata httpsGetEnabled="True" />
          <serviceDebug includeExceptionDetailInFaults="True" />
          <serviceCredentials>
            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WcfServerSyncService.CustomValidator,WcfServerSyncService" />
          </serviceCredentials>
        </behavior>

 <serviceBehaviors>

And, one more thing only specific set of users are getting this error and not all. But, for these users this work sometime and sometime not.

Any suggestion ?

Upvotes: 1

Views: 1695

Answers (1)

Abraham Qian
Abraham Qian

Reputation: 7522

TLS1.2 requires the support of the OS and the SDK, therefore, I suggest you install the DotNet framework and target high version of DotNet Runtime.
https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls
Based on the best practice of transport layer security, we had better not specify the TLSversion while calling the WCF service protected by an SSL certificate. OS will decide on the TLS version.

System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12 | System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls13 | System.Net.SecurityProtocolType.Tls;

In addition, WCF server-side hosted in the WPF shall not produce a communication error, which only occurs on the client-side. The only error might be the account running WPF doesn't have permission to access the certificate. The transport layer security requires binding a certificate to the service port that is used to publish service.
At last, since the WCF server authenticates the client with custom validation, this will inevitably lead to certain errors.
Feel free to let me know if there is anything I can help with.

Upvotes: 0

Related Questions