Scenario:

I have a WCF web service called SERVICEA hosted in Azure. It uses a self-signed certificate for HTTPS. SERVICEA inspects the incoming request and determines whether to call:

  1. SERVICEB OR
  2. SERVICEC

Both SERVICEB and SERVICEC also use self-signed certificates for HTTPS.

PROBLEM:

When I deploy SERVICEA and call it so that it invokes SERVICEB, I get the error message below:

> Could not establish trust relationship for the SSL/TLS secure channel with authority "SERVICEB..."

Note that it says SERVICEB.. in the error message.

Any idea how I can resolve this issue, please?

oleksii
Nil Pun
  • could anyone please help – Nil Pun Jan 03 '12 at 05:39
  • possible duplicate of [Could not establish trust relationship for SSL/TLS secure channel -- SOAP](http://stackoverflow.com/questions/703272/could-not-establish-trust-relationship-for-ssl-tls-secure-channel-soap) – jww Aug 15 '14 at 20:53

3 Answers

You need to validate the server certificate if it's self-signed, as shown below:

```csharp
using System.Net;
ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, error) => true; // accepts every certificate: validation is disabled process-wide
```
Rajesh
  • Thanks @Rajesh I tried that but still did not work. Same error. – Nil Pun Jan 03 '12 at 11:20
  • @flybyte: where did you write that piece of code. That code should be in the client side i.e. inside ServiceA that calls ServiceB as ServiceA is the client for ServiceB – Rajesh Jan 03 '12 at 15:26
  • 1
    -1: Your solution disables certification validation, which is not ideal if the application handles more than the one self signed certificate. – reSPAWNed Jan 02 '14 at 13:39
  • @reSPAWNed Can you please elaborate on what you mean by application handles more than one self signed certificate? Also the question was on how to get it working when using self signed certificates. – Rajesh Jan 02 '14 at 15:35
  • @Rajesh: Your event handler always returns true, instead of inspecting the sender, certificate, chain or error parameters. This means that all certificates now appear to be valid, even if that was not the purpose. If the application accesses multiple SSL sites, then all of their certificates appear to be valid, instead of just the ones with self signed certificates. Take a look at my answer, where I have supplied a more elaborate solution. – reSPAWNed Jan 02 '14 at 16:33
  • @reSPAWNed: The above code is written in the client application, and the developer should know what applications he is accessing and should also be aware that in live environments self-signed certificates are not to be used. It is up to the developer to know the security implications when writing any code. – Rajesh Jan 03 '14 at 09:34
  • @Rajesh: I agree that we as programmers have a responsibility to always consider security implications when writing code. But this site is where the less experienced can ask for guidance and in that respect, I also feel that is the responsibility of the more experienced people to supply the best possible solution to a problem. And in live environments there is nothing wrong with self signed certificates, as long as they come from a source you trust. – reSPAWNed Jan 03 '14 at 10:15
Rajesh is onto something, but his answer disables certificate checks altogether.

Instead, I would suggest adding an event handler like the following to your application:

```csharp
using System.Net;
using System.Net.Security;

ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, errors) =>
{
    // Accept the certificate without further checks only for the one host we expect;
    // WCF's HTTP transport passes the underlying HttpWebRequest as sender.
    var request = sender as HttpWebRequest;
    if (request != null && request.Address.Host == "<Your domain name goes here>")
        return true;

    // Every other host must pass normal certificate validation.
    return errors == SslPolicyErrors.None;
};
```
reSPAWNed
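A stricter variant of the host check in reSPAWNed's answer is to pin the thumbprint of the self-signed certificate each backend is known to present, so that a different certificate offered under the same host name (for example by an interposed proxy) is still rejected, and only chain errors, never a name mismatch, are tolerated. The following is an added example written for this thread, not code from either answer; the host names and thumbprint strings are placeholders (assumptions) to be replaced with the values from your own SERVICEB and SERVICEC deployments.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not part of the original answers.
static class PinnedCertificateValidation
{
    // Host name -> SHA-1 thumbprint (hex, no spaces) of the self-signed certificate
    // that host is known to present. Both entries below are placeholders (assumed).
    private static readonly Dictionary<string, string> PinnedThumbprints =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "serviceb.example.cloudapp.net", "PLACEHOLDER_THUMBPRINT_SERVICEB" },
            { "servicec.example.cloudapp.net", "PLACEHOLDER_THUMBPRINT_SERVICEC" },
        };

    // Call once at start-up of SERVICEA, before any channel to SERVICEB/SERVICEC is opened.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback += Validate;
    }

    // Returns true only when (a) the certificate already passes normal validation, or
    // (b) the only problem is an untrusted chain AND the certificate is exactly the
    // pinned one for a host we explicitly listed. Everything else is rejected.
    internal static bool Validate(object sender, X509Certificate certificate,
                                  X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        // A self-signed certificate only produces chain errors; a name mismatch or a
        // missing certificate is still a hard failure.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;

        var request = sender as HttpWebRequest;
        if (request == null || certificate == null)
            return false;

        string expected;
        if (!PinnedThumbprints.TryGetValue(request.Address.Host, out expected))
            return false;

        // Compare the presented certificate's thumbprint with the pinned value.
        var presented = new X509Certificate2(certificate);
        return string.Equals(presented.Thumbprint, expected, StringComparison.OrdinalIgnoreCase);
    }
}
```

Because ServicePointManager's callback is process-wide, every outgoing HTTPS call made by SERVICEA passes through it; pinning per host keeps the relaxation limited to the two backends, and the thumbprint can be read from the certificate's details (or from `X509Certificate2.Thumbprint`) when the certificate is generated. When a backend's certificate is rotated, the pinned value has to be updated at the same time, which is the usual operational cost of pinning.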
You want to trap the ServerCertificateValidationCallback and make it ignore certificates of your choosing. Here is a decent article that explains how: http://blog.jameshiggs.com/2008/05/01/c-how-to-accept-an-invalid-ssl-certificate-programmatically/

Igorek
  • Hi @Igorek, thank you. Our web service is consumed by a third-party vendor who uses PHP and Java. How would they achieve the same? And is it a security risk to ignore the certificate? Or should I install the server certificate by RDP on the Azure server? – Nil Pun Jan 03 '12 at 11:21
  • I do not know much about PHP and Java, but they would need to code a line similar to the one provided to ignore self-signed certificates. This is indeed a security risk. To do it right, would be to purchase a valid SSL cert and upload it to your Azure service. – Igorek Jan 03 '12 at 22:11
  • Thank you @Igorek, I first tried Rajesh's solution which looked short and worked. I will definitely bookmark your link. Thank you for your help, much appreciate it. – Nil Pun Jan 04 '12 at 09:20