Exception: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel

Question

for firebase notification code

WebRequest tRequest = WebRequest.Create("https://fcm.googleapis.com/fcm/send"); 
tRequest.Method = "post";
tRequest.ContentType = "application/json";
var data = new{collapse_key = "unassigned", to = deviceToken,data = new
  {body = message,title = title,sound = "default"}
};

message to pass for notifaction on mobile

var serializer = new JavaScriptSerializer();
var json = serializer.Serialize(data);
Byte[] byteArray = Encoding.UTF8.GetBytes(json);
tRequest.Headers.Add(string.Format("Authorization: key={0}", applicationId));
tRequest.Headers.Add(string.Format("Sender: id={0}", senderId));
tRequest.ContentLength = byteArray.Length;

error occur here below code

using (Stream dataStream = tRequest.GetRequestStream())
{ 
  dataStream.Write(byteArray, 0, byteArray.Length);
 using (WebResponse tResponse = tRequest.GetResponse())
  { 
    using (Stream dataStreamResponse = tResponse.GetResponseStream())
    { 

   //code 1
    }     
  }   
}

**code 1 here** using(StreamReader tReader = new StreamReader(dataStreamResponse)) { String sResponseFromServer = tReader.ReadToEnd(); string str = sResponseFromServer; } — Bhhruguni, Jan 07 '17 at 10:04
this code is working properly on locally but not workinf on the server. — Bhhruguni, Jan 07 '17 at 10:05
after hosting web service on the server not woking notification......pls help me .thank you in advance. — Bhhruguni, Jan 07 '17 at 10:08

Pablo Recalde · Accepted Answer · 2020-02-11T20:20:43.230

14

The exception in the title says that you are connecting to an endpoint with TLS encryption, and the certificate exposed by that endpoint is not trusted by you. This means that is not signed with a certificate that you have in your CA (Certificate Authority) Store. Like a self-signed certificate.

If the certificate is self signed, you can add it to your CA Store. If not, you can try to navigate the endpoint with your browser, and look for a copy of the certificate that the endpoint is presenting, to manually trust it. (Beware that by doing this if the endpoint has been already compromised you're manually trusting its certificate.)

You can also avoid this check by adding a custom certificate validation handler that always returns valid! (true). But, please be aware that doing this will expose you to man-in-the-middle attacks, as you'll loose the ability to check the endpoints authenticity.

ServicePointManager
    .ServerCertificateValidationCallback += 
    (sender, cert, chain, sslPolicyErrors) => true;

edited Feb 11 '20 at 20:20

answered Jan 07 '17 at 11:02

Pablo Recalde

3,334
1
22
47

1

can you explain in detail for understanding. – Bhhruguni Jan 09 '17 at 10:37
@bhruguni follow this link https://www.google.es/url?url=https://blog.talpor.com/2015/07/ssltls-certificates-beginners-tutorial/&rct=j&sa=U&ved=0ahUKEwjV0rbV_7TRAhVEOxoKHRY_AacQFggiMAI&q=understanding+tls+certificates&usg=AFQjCNHV1A5mK5zgFbEwpmriVEIel55C2w for additional info about TLS certificates – Pablo Recalde Jan 09 '17 at 11:53
any other option....error occur when calling webservice from server.but when i executing from local machine it works fine. – Bhhruguni Jan 18 '17 at 06:10
I suppose that you have a certificate installed in your local machine that "validates" the certificate exposed by the endpoint, but your server doesn't. Also the certificate stores vary if you're launching your application as a local system service, instead of console application or similar. – Pablo Recalde Jan 18 '17 at 06:55

score 1 · Answer 2 · edited Feb 28 '18 at 21:39

1

I don't why using this line of code stated above

ServicePointManager
    .ServerCertificateValidationCallback += 
    (sender, cert, chain, sslPolicyErrors) => true;

i could not made it work

So but using it this way worked properly:

internal static bool ValidateServerCertificate(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    return true;
}
ServicePointManager.ServerCertificateValidationCallback  = ValidateServerCertificate;

edited Feb 28 '18 at 21:39

Eray Balkanli

7,752
11
48
82

answered Feb 28 '18 at 21:31

Carlos Mejia

11
1

Probably the version of c# you're using doesn't support eventhandlers in lambda form, that's why. – Pablo Recalde May 17 '19 at 10:21

score 1 · Answer 3 · answered Dec 02 '19 at 20:53

The calling web and API site should have same SSL certificate I use “IIS Express Development Certificate”
Export your certificate to local file Export Certificate
Import your certificate to “Trusted Root Certification Authorities” folder in “ConsoleCertificate”

Import it into trust root

score -1 · Answer 4 · edited Sep 24 '18 at 22:36

-1

This worked for me.

ServicePointManager
  .ServerCertificateValidationCallback += 
  (sender, cert, chain, sslPolicyErrors) => true;

I tested it several times with and without. Definitely took care of the problem.

edited Sep 24 '18 at 22:36

SnareChops

13,175
9
69
91

answered Sep 24 '18 at 22:17

Bill Pothen

1
1

1

It does not “take care” of the problem, it hides the problem away and makes you application vulnerable – Pablo Recalde Jan 24 '20 at 12:59
Luckily I was able to move away from the code that this fix was needed. – Bill Pothen Jan 25 '20 at 18:01

Exception: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel

4 Answers4

Linked