Writing a web service client in C#/WCF and can't get the channel to authenticate. This is the error message that I get when I try to execute an API call:

"Could not establish secure channel for SSL/TLS with authority 'www.redacted.com'."

And the config file:

    <behaviors>
        <endpointBehaviors>
            <behavior name="NewBehavior0">
                <clientCredentials>
                    <clientCertificate findValue="th um bp ri nt va lu e  go es he re"
                        x509FindType="FindByThumbprint" />
                </clientCredentials>
            </behavior>
        </endpointBehaviors>
    </behaviors>
    <bindings>
        <basicHttpBinding>
            <binding name="WsApiServiceSoapBinding" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Mtom" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
                <security mode="Transport">
                    <transport clientCredentialType="None" proxyCredentialType="None" realm=""/>
                    <message clientCredentialType="UserName" algorithmSuite="Default"/>
                </security>
            </binding>
        </basicHttpBinding>
    </bindings>
    <client>
        <endpoint address="https://www.<redacted>.com/services/WsApiService/"
            behaviorConfiguration="NewBehavior0" binding="basicHttpBinding"
            bindingConfiguration="WsApiServiceSoapBinding" contract="WsApiServicePortType"
            name="WsApiServicePort" />
    </client>

The only thing I'm doing in the client code is executing a call to the getDoc method. The proxy class is auto-generated from a WSDL under WCF. I've verified that the certificate is installed in the Personal category in certmgr, is not expired, and is intended for all purposes. (I should note that this same cert worked just fine under WSE.) I've searched around and can't find anything that contradicts how it's currently configured.

Any ideas? If you need to see some more code let me know and I'll post it ASAP.

Ant
  • Is the service certificate self signed? – dna Jun 13 '13 at 15:10
  • It is. It was issued and signed by the third-party web service. – Ant Jun 13 '13 at 15:32
  • Then have a look at this question : http://stackoverflow.com/questions/1742938/wcf-could-not-establish-trust-relationship-for-the-ssl-tls-secure-channel-with – dna Jun 13 '13 at 15:35
  • I'm not sure that there's anything relevant to my issue in that one. - The error message is different. Mine is not a trust issue. - I've tried everything in there already except for negating the server certificate validation. That particular approach is not an option anyway. I'm going to see if there's some way I can coerce my client into disclosing which certificate it's using. Maybe digging in that direction will reveal something. – Ant Jun 14 '13 at 13:02
  • Well how are you going to verify your self signed certificate? In every scenario you will have to blindly trust it. I would advise you to at least try the verification callback thing. At least you will be able to reject this hypothesis :) – dna Jun 14 '13 at 13:48
  • I was thinking, are you sure the certificate is self signed? Might it have been signed by the issuer CA? – dna Jun 14 '13 at 13:51
  • @dna Okay, I tried everything in that link and still no go. As far as self-signed or CA, I honestly couldn't say for certain. I *think* it's self-signed but I don't know how to tell otherwise except for what I've found through googling "Self-signed vs. CA". I mentioned in the OP that I used the same cert (albeit linking directly to the file) when trying to set up the client using WSE, and I never had any trouble with authentication. That said, certificates in WSE--at least the way I added it--are handled differently than WCF. Any ideas on how I should set it up with that background? – Ant Jun 14 '13 at 16:25

1 Answer

Well, after digging a bit deeper, I found out that I was using the wrong thumbprint. The one I was using belonged to a cert from the same issuer but for a different endpoint (not sure how I got them mixed up). Now that I have the right certificate being used, I can establish SSL.

Now I just have to figure out why this MTOM service is surprised at my MTOM request :P

Ant
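One way to see which certificate a `findValue` thumbprint actually resolves to, as an added example that is not part of the original question or answer. It assumes the store WCF uses when `<clientCertificate>` omits `storeLocation` and `storeName`, as in the config above (CurrentUser\My); the class name and the all-zero thumbprint are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;

static class ThumbprintCheck
{
    // Thumbprints copied from the certificate dialog often carry spaces and an
    // invisible leading character, so keep only the hex digits.
    static string Normalize(string raw)
    {
        return Regex.Replace(raw ?? "", "[^0-9A-Fa-f]", "").ToUpperInvariant();
    }

    static int Main(string[] args)
    {
        // Placeholder value, not from the page: pass the real findValue as args[0].
        string wanted = Normalize(args.Length > 0
            ? args[0] : "0000000000000000000000000000000000000000");
        if (wanted.Length != 40)
        {
            Console.Error.WriteLine("Expected 40 hex digits (SHA-1), got " + wanted.Length);
            return 2;
        }

        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            bool found = false;
            // List every certificate so look-alikes from the same issuer stand out.
            foreach (X509Certificate2 cert in store.Certificates)
            {
                bool match = string.Equals(cert.Thumbprint, wanted,
                                           StringComparison.OrdinalIgnoreCase);
                found |= match;
                Console.WriteLine("{0} {1}", match ? "=>" : "  ", cert.Thumbprint);
                Console.WriteLine("     Subject    : " + cert.Subject);
                Console.WriteLine("     Issuer     : " + cert.Issuer);
                Console.WriteLine("     Not after  : " + cert.NotAfter.ToString("u"));
                // A client certificate without its private key cannot authenticate.
                Console.WriteLine("     Private key: " + cert.HasPrivateKey);
                // Identical subject and issuer names indicate a self-issued certificate.
                Console.WriteLine("     Self-issued: " + (cert.Subject == cert.Issuer));
            }
            if (!found)
                Console.Error.WriteLine("No certificate in CurrentUser\\My matches " + wanted);
            return found ? 0 : 1;
        }
        finally { store.Close(); }
    }
}
```

Compare the subject on the `=>` line with the endpoint the certificate was issued for; a match on issuer alone is not enough to tell two certificates apart.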