
Trying to get the simple Hello World (via SSL) working but receiving the following error: The remote certificate is invalid according to the validation procedure.

The server App.config is:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <system.serviceModel>
        <behaviors>
            <serviceBehaviors>
                <behavior name="mexBehavior">
                    <serviceMetadata httpGetEnabled="true" />
                </behavior>
            </serviceBehaviors>
        </behaviors>
        <bindings>
            <wsHttpBinding>
                <binding name="SSLSecurity">
                    <security mode="Transport">
                        <transport clientCredentialType="None" />
                    </security>
                </binding>
            </wsHttpBinding>
        </bindings>
        <services>
            <service behaviorConfiguration="mexBehavior" name="HelloServiceLibrary.HelloService">
                <clear />
                <endpoint address="ws" binding="wsHttpBinding" name="wsEndpoint"
                    contract="HelloServiceLibrary.IHelloService">
                    <identity>
                        <dns value="localhost" />
                    </identity>
                </endpoint>

                <endpoint address="https://localhost:443/hellossl" binding="wsHttpBinding" name="wssslEndpoint"
                    bindingConfiguration="SSLSecurity" contract="HelloServiceLibrary.IHelloService">
                  <identity>
                    <certificateReference x509FindType="FindByThumbprint" findValue="82a39faaeb18bf9585b334ca83264add3d5b26ee" />
                    <dns value="localhost" />
                  </identity>
                </endpoint>

                <endpoint address="mex" binding="mexHttpBinding" name="mexEndpoint"
                    contract="IMetadataExchange">
                    <identity>
                        <dns value="localhost" />
                    </identity>
                </endpoint>
                <host>
                    <baseAddresses>
                        <add baseAddress="http://localhost:8989/hello" />
                    </baseAddresses>
                </host>
            </service>
        </services>
    </system.serviceModel>
</configuration>

Please advise what I am doing wrong.

Update: the certificate is successfully deployed in Trusted Root Certification Authorities on local computer.

BreakPhreak
  • Did you create your own certs with makecert.exe? Where are the certs stored on your machine? – Jeff LaFay Aug 31 '10 at 12:55
  • This could be a couple things and the most useful thing to do is to turn on tracing and post the output to your question. http://blogs.msdn.com/b/dgorti/archive/2005/09/18/471003.aspx – Nix Aug 31 '10 at 12:59

3 Answers


Add this to your WCF config and let me know the output.

<system.diagnostics>
    <trace autoflush="true" />
    <sources>
        <source name="System.Net" maxdatasize="1024">
            <listeners>
                <add name="MyTraceFile" />
            </listeners>
        </source>
        <source name="System.Net.Sockets" maxdatasize="1024">
            <listeners>
                <add name="MyTraceFile" />
            </listeners>
        </source>
    </sources>

    <sharedListeners>
        <add name="MyTraceFile"
             type="System.Diagnostics.TextWriterTraceListener"
             initializeData="System.Net.trace.log" />
    </sharedListeners>

    <switches>
        <add name="System.Net" value="Verbose" />
        <add name="System.Net.Sockets" value="Verbose" />
    </switches>
</system.diagnostics>

This is a stab in the dark.

Check to make sure you installed it to all users.

Open up MMC
Add Snap In (Certificates)
- Check Computer Account (Next)
- Choose your computer
Done

Now reinstall the cert to "Trusted Root Certification Authorities" and it will be trusted for all users.

Nix
  • the MMC says that the certificate is available for: "All issuance policies. All application policies." I guess it's good for all users as well, isn't it? – BreakPhreak Aug 31 '10 at 13:06
  • @BreakPhreak: not sure where you were reading that from but if you haven't checked out the cert snap-in, definitely do that because that is where they save to and how you should apply certs. – Jeff LaFay Aug 31 '10 at 13:12
  • not necessarily; issuance is for the trust level, application is for what it is going to be used for: email, authentication, etc. – Nix Aug 31 '10 at 13:16
  • here are the screenshots - hope I am doing it right, am I? http://i37.tinypic.com/15pkbip.png http://i34.tinypic.com/347xl3n.jpg – BreakPhreak Aug 31 '10 at 13:23
  • also, added the XML diagnostics section, but couldn't find the "MyTraceFile" in the solution directory – BreakPhreak Aug 31 '10 at 14:05
  • should be in your root directory file named System.Net.trace.log – Nix Aug 31 '10 at 14:33
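The error in the question ("the remote certificate is invalid according to the validation procedure") is the client-side outcome of building a trust chain for the server certificate and matching its name against the host. The console program below is an added example, not code from the question or from either answer; it checks the store locations Nix's MMC steps refer to (the computer's Personal and Trusted Root stores), the `localhost` name from the endpoint identity, and prints every chain status the validator would report. The thumbprint and host name are the ones from the question's config; pass a different thumbprint as the first argument. It also strips non-hex characters from the thumbprint, because a value copied from the MMC certificate dialog can carry invisible characters that make `FindByThumbprint` silently fail.

```csharp
// Added diagnostic (not part of the question or any answer): is the server
// certificate present in the LocalMachine stores, does its name match the
// endpoint identity, and why does chain building fail for it?
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

public static class CertDiagnostics
{
    // Thumbprints copied from the MMC dialog can carry invisible characters,
    // so keep only hex digits before searching the store.
    public static string NormalizeThumbprint(string raw)
    {
        return new string(raw.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();
    }

    public static X509Certificate2 FindInStore(StoreName name, StoreLocation location, string thumbprint)
    {
        var store = new X509Store(name, location);
        try
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            return matches.Count > 0 ? matches[0] : null;
        }
        finally
        {
            store.Close();
        }
    }

    public static void Main(string[] args)
    {
        // Thumbprint and host name taken from the question's server config.
        string thumbprint = NormalizeThumbprint(
            args.Length > 0 ? args[0] : "82a39faaeb18bf9585b334ca83264add3d5b26ee");
        const string expectedHost = "localhost";

        // The service needs the cert (with its private key) in LocalMachine\My;
        // a self-signed cert is trusted by clients only via LocalMachine\Root.
        X509Certificate2 personal = FindInStore(StoreName.My, StoreLocation.LocalMachine, thumbprint);
        X509Certificate2 root = FindInStore(StoreName.Root, StoreLocation.LocalMachine, thumbprint);
        Console.WriteLine("LocalMachine\\My   : {0}", personal != null ? "present" : "MISSING");
        Console.WriteLine("LocalMachine\\Root : {0}", root != null ? "present" : "MISSING");

        X509Certificate2 cert = personal ?? root;
        if (cert == null)
        {
            Console.WriteLine("No certificate with thumbprint {0} in the computer stores.", thumbprint);
            return;
        }

        Console.WriteLine("Subject         : {0}", cert.Subject);
        Console.WriteLine("Has private key : {0} (required on the server side)", cert.HasPrivateKey);
        Console.WriteLine("Valid           : {0:u} .. {1:u}", cert.NotBefore, cert.NotAfter);

        // The client also checks that the certificate's name matches the host it
        // connected to; a mismatch fails validation even when the chain is trusted.
        string dnsName = cert.GetNameInfo(X509NameType.DnsName, false);
        Console.WriteLine("DNS name        : {0} ({1})", dnsName,
            string.Equals(dnsName, expectedHost, StringComparison.OrdinalIgnoreCase)
                ? "matches " + expectedHost
                : "does NOT match " + expectedHost);

        // Build the chain the same way the client's validation does and list
        // every reason it reports (UntrustedRoot, NotTimeValid, ...).
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // a self-made test cert publishes no CRL
        bool trusted = chain.Build(cert);
        Console.WriteLine("Chain trusted   : {0}", trusted);
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            Console.WriteLine("  {0}: {1}", status.Status, status.StatusInformation.Trim());
        }
    }
}
```

Run it under an account that can read the computer stores (an elevated prompt). `UntrustedRoot` in the chain output means the self-signed certificate is not in the computer's Trusted Root store that the client resolves, which is exactly what the MMC reinstall above addresses; a "does NOT match" DNS line means the certificate was issued for a name other than the one the client connects to.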
0

Not sure if this may help you but I looked back at how I had my app.config set for a simple secure service I wrote a few weeks ago where I was using certs. Here are a few considerations you may need to make to properly configure your config file for the service:

<bindings>
    <wsHttpBinding>
        <binding>
            <!-- binding name and other attributes elided in the original -->
            ...
            <security>
                <transport clientCredentialType="Certificate" />
            </security>
        </binding>
    </wsHttpBinding>
</bindings>

Now in my config I have an endpoint behavior defined which provides metadata to tell the service what the client will be using for a cert on its side:

<behaviors>
    <endpointBehaviors>
        <behavior name="ClientBehavior">
            <clientCredentials>
                <clientCertificate findValue="WcfClient" storeLocation="LocalMachine" storeName="My"
                                   x509FindType="FindBySubjectName" />
                <serviceCertificate>
                    <authentication certificateValidationMode="PeerTrust" />
                </serviceCertificate>
            </clientCredentials>
        </behavior>
    </endpointBehaviors>
</behaviors>
Jeff LaFay
  • you are doing find by subject, he is doing Thumbprint. – Nix Aug 31 '10 at 13:48
  • actually, what I do need is a "simple" thing: I need a secure communication between a client and a server (WCF), even without the chain of trust. Just create the *.cer file, make the server aware of it and that's it. The client does not need to be certified/validated. Maybe I need some other thing to try? – BreakPhreak Aug 31 '10 at 13:53

If all you need is a secure link, i.e. encryption only, no client authentication, then you don't need to set any client credentials. This is all you should have to do:
1. configure IIS to use SSL
2. configure an HTTPS endpoint on your service
3. configure the client to use the above endpoint

That's it. If your certificate is invalid, you might have to do your custom certificate validation as described here: MSDN.

Good luck!

Fabio
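Step 3 of this answer (configure the client for the HTTPS endpoint) and its closing remark about custom certificate validation are shown together below. This is an added example, not code from the question, the answers, or the linked MSDN page: it builds the client side of the question's `https://localhost:443/hellossl` endpoint in code, with the same transport-only binding and no client credential, and replaces chain validation with a check that the server presents exactly the certificate whose thumbprint the question's config references. That keeps the encrypted link the asker wants without a trusted root, while still rejecting any other certificate presented for the host; it is the defensible alternative to a validation callback that returns true for everything. The `IHelloService` contract and its `SayHello` operation are assumptions, since the question does not show the contract.

```csharp
// Added example (not from the question or any answer): client side of the
// question's HTTPS endpoint with the server certificate pinned by thumbprint.
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IHelloService
{
    [OperationContract]
    string SayHello(string name);   // assumed operation; the question does not show the contract
}

// Accepts exactly one server certificate, identified by thumbprint, so a
// self-signed certificate works without a trusted root while any other
// certificate presented for the same host is rejected.
public sealed class PinnedThumbprintValidator : X509CertificateValidator
{
    private readonly string expected;

    public PinnedThumbprintValidator(string thumbprint)
    {
        expected = Normalize(thumbprint);
    }

    private static string Normalize(string raw)
    {
        // Strip invisible characters that ride along when a thumbprint is copied from MMC.
        return new string(raw.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");
        if (Normalize(certificate.Thumbprint) != expected)
            throw new SecurityTokenValidationException(
                "Server certificate " + certificate.Thumbprint + " is not the pinned certificate.");
        DateTime now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException("Pinned server certificate is outside its validity period.");
    }
}

public static class HelloClient
{
    public static void Main()
    {
        // Thumbprint and address taken from the question's server config.
        var validator = new PinnedThumbprintValidator("82a39faaeb18bf9585b334ca83264add3d5b26ee");

        // Same shape as the server's "SSLSecurity" binding: transport (HTTPS)
        // security with no client credential, so the link is encrypted and
        // only the server is authenticated.
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;

        var factory = new ChannelFactory<IHelloService>(binding,
            new EndpointAddress("https://localhost:443/hellossl"));

        // .NET Framework 4.5 and later: server certificate checks for transport
        // security are configured through SslCertificateAuthentication.
        factory.Credentials.ServiceCertificate.SslCertificateAuthentication =
            new X509ServiceCertificateAuthentication
            {
                CertificateValidationMode = X509CertificateValidationMode.Custom,
                CustomCertificateValidator = validator
            };

        // Older frameworks only honour ServicePointManager's process-wide callback
        // for HTTPS. Apply the same pinning check there; a callback that returns
        // true unconditionally would accept any certificate for any host.
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, certificate, chain, sslPolicyErrors) =>
            {
                if (certificate == null) return false;
                try { validator.Validate(new X509Certificate2(certificate)); return true; }
                catch (SecurityTokenValidationException) { return false; }
            };

        IHelloService proxy = factory.CreateChannel();
        Console.WriteLine(proxy.SayHello("world"));
        ((IClientChannel)proxy).Close();
        factory.Close();
    }
}
```

The pinned thumbprint has to be rotated together with the certificate, so keep it in the client's configuration rather than hard-coded as it is here for brevity. Because the `ServicePointManager` callback is global to the process, the pinning check should be written so that it only constrains the hosts it is meant for if the same process also talks to other HTTPS services.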