TLS Error when accessing a remote SOAP server

rmhallachampsc · August 27, 2016, 1:53am

.net VS 2015
RO 9.1.100.1259
I have a server that accesses a third party SOAP server over SSL/TLS.

My RO server acts as the middle man and does database logging.

I add the SOAP server using Add Service Reference and it adds fine.

I am using RODL vs code first as I imported the RO service from an older server.

I have the following settings in Program.cs

        server.AutoCreateSelfSignedCertificate = false;                        
                                                                              

        server.NetworkServer.UseTLS = false;                                
        server.NetworkServer.ServerChannel = new IpTcpServerChannel();
        server.NetworkServer.Port = 8091;

        server.NetworkServer.ServerMessages[0].Envelopes.Add(new     AesEncryptionEnvelope("MyKey"));

        server.Run(args);

My client app connects and logs in fine.

However, when my server makes a call to the SOAP service reference with a call like
response = service.RetrieveLog(bankUser, request) I get the following error:

“Could not establish secure channel for SSL/TLS with authority ‘services.commercemanager.com’.”}

This call worked in pre-code first servers.

antonk · August 27, 2016, 12:32pm

Hello

This is related to a security fix applied in the same time CodeFirst services were introduces.

From documentation:

Note: Up to and including Version 9.0, by default these channels will accept non-trusted SSL certificates. It is strongly recommended to always implement a custom certificate validation method as described. As of version 9.1, self-signed certificates will be rejected by default.

Take a look at this article: Handling Self-Signed Certificates (.NET)

F.e. you can disable the certificate validity check using code like

System.Net.ServicePointManager.ServerCertificateValidationCallback = 
                                            ServerCertificateValidationCallback;

private static bool ServerCertificateValidationCallback(object sender, 
                                                        X509Certificate certificate, 
                                                        X509Chain chain, 
                                                        SslPolicyErrors sslPolicyErrors)
{
    // Very simple certificate hash check
    return true;
}

Regards

rmhallachampsc · August 27, 2016, 4:32pm

This doesn’t solve the issue.

My server is Tcp. I can call it just fine. Within the service I have a separate Service Reference which uses an HTTPS address for the call to its SOAP server. This is where I get the “Could not establish secure channel for SSL/TLS with authority ‘services.commercemanager.com’.” error, on the call from my server to the third part SOAP server.

Thanks.

antonk · August 28, 2016, 7:44am

Ah, so it is the WCF call that fails. Please try to open the SOAP service url in browser - you should see a similar SSL error. Please read the following:
https://social.msdn.microsoft.com/Forums/azure/en-US/8d9c74ef-5e75-4f97-8a22-a6ea42c049b6/wcf-proxy-client-could-not-establish-secure-channel-for-ssltls-with-authority-xyz?forum=wcf

Hope that helps

rmhallachampsc · August 28, 2016, 5:11pm

I can open the HTTPS SOAP service url in a browser just fine.

Also, an earlier version of my server that was developed with RO 8.X also works.

I have to maintain this server and do not want to be rolling between 8 and the newer RO.

I believe something in the 9.X is stomping on the WCF connection. I do see that on start up,

server.AutoCreateSelfSignedCertificate is appearing to access the <system.serviceModel> of my app.config. Should it? This section deals strictly with my WCF SOAP calls out of the server.

The links you provide deal with using a certificate on the local system. This is a straight HTTPS call so the cert is on the SOAP server I am calling.

antonk · August 28, 2016, 10:27pm

Actual certificate check is performed on the system client app is running on.

Still RO SDK contains no code that could interfere with WCF framework. The app.config access you see is the ApplicationServer class trying to read the server configuration form the .config file.

Could you check that all RO SDK references have the Copy Local flag set to true?

If it is not and setting them to true won’t thelp than I would need a testcase to investigate the issue locally.

Regards

rmhallachampsc · August 29, 2016, 1:57am

Anton

After much wailing and gnashing of teeth, I finally found the answer.

From MSDN:

“The .NET Framework 4.6 includes a new security feature that blocks insecure cipher and hashing algorithms for connections. Applications using TLS/SSL through APIs such as HttpClient, HttpWebRequest, FTPClient, SmtpClient, SslStream, etc. and targeting .NET Framework 4.6 get the more-secure behavior by default.”

Apparently you must set the TLS/SSL you need to use. The SOAP server we are using requires TLS 1.2.

Adding this line to Main fixed the issue.

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

Thanks for your help over a weekend.

Mike