1

I am trying to secure a self hosted service. Calling the service returns this:
The underlying connection was closed: An unexpected error occurred on a receive.

The service endpoint looks like this

<endpoint address="https://MACHINE:8010/rest/users" binding="webHttpBinding" bindingConfiguration="certificate" contract="Online.DomainObjects.Remote.IUserManagerRemote" />

I have done this to open up access:

 netsh http add urlacl "url=https://+:8010/" user=BUILTIN\Users

I have turned WCF tracing on in the server, but get no information in the logs, so this is a client connection issue.

I have added a service behavior.

    <behavior name="certificate">
      <serviceCredentials>
        <serviceCertificate
          storeLocation="LocalMachine"
          x509FindType="FindByThumbprint"
          findValue="VALIDTHUMBPRINT" />
      </serviceCredentials>
    </behavior>

I have added a binding config.

  <webHttpBinding>
    <binding name="certificate">
      <security mode="Transport">
        <transport clientCredentialType="Certificate" />
      </security>
    </binding>
  </webHttpBinding>

The following code is used to call the service 

    X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);    
    var certificate = store.Certificates.Find(X509FindType.FindByThumbprint, "VALIDTHUMBPRINT", false).OfType<X509Certificate2>().First();

    var request = (HttpWebRequest) WebRequest.Create("https://machine:8010/rest/users/display?key=OnlineStanlibId(1653510)");
    request.ClientCertificates.Add(certificate);
    request.Method = "GET";
    using (var reader = new StreamReader(request.GetResponse().GetResponseStream()))
        reader.ReadToEnd().Dump();

If I try and use fiddler (using the ssl decode) to examine the errors I get this.

A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

    Version: 3.1 (TLS/1.0)
    Random: 53 F3 39 10 E8 4B 5C D6 17 02 8B A0 42 CD 98 B7 37 56 3F B4 35 E6 3E B5 15 89 3B 6D E9 8F BA 19
    SessionID: empty
    Extensions: 
        renegotiation_info  00
        server_name slc11555001
        elliptic_curves secp256r1 [0x17], secp384r1 [0x18]
        ec_point_formats    uncompressed [0x0]
    Ciphers: 
        [002F]  TLS_RSA_AES_128_SHA
        [0035]  TLS_RSA_AES_256_SHA
        [0005]  SSL_RSA_WITH_RC4_128_SHA
        ...(There are more of these)

Any suggestions on how to debug this further would be great...

The fiddler text view reveals this: HTTPS handshake to 'machine' failed. System.IO.IOException Unable to read data from the transport connection:

Seymour
  • 7,043
  • 12
  • 44
  • 51
Jim
  • 14,952
  • 15
  • 80
  • 167
  • Are you able to access the service from a browser, picking the same client certificate you are trying to use in your code? – user469104 Aug 19 '14 at 13:10

1 Answers1

1

When creating a self-hosted Windows Communication Foundation (WCF) service that uses transport security, you must also configure the port with an X.509 certificate. In order to bind the certificate to the service you need to use the `netsh add sslcert' command and supply the certificate’s thumbprint, the application/service guid and the ip/port. 

netsh http add sslcert ipport=0.0.0.0:8000 certhash=000...a5e6 appid={001-...-FEFF}

The following link provides a good reference:
http://msdn.microsoft.com/en-us/library/ms733791(v=vs.110).aspx
HTTPS from a console application?

Community
  • 1
  • 1
Seymour
  • 7,043
  • 12
  • 44
  • 51
  • `An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.` and `A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.` also indicate `add sslcert` needs to be executed. – vasek Mar 21 '20 at 00:15