HttpRequest class: ssl certificate recognition fails when running under IIS

  • Question

  • Hello,
    We run a SOAP service app (WSE 3, but also complying with WCF).
    Apart from being a service itself, the app also retrieves information from a third party using an HttpRequest instance with SSL.
    When running that HttpRequest instance with a unit test, the third-party service recognizes the given certificate and it works just fine.
    However, when our SOAP service app is running in IIS, the third party does not recognize the certificate anymore:
    "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
    What is different when an HttpRequest object is run under IIS? Does it change the requests I send using an HttpRequest? How can I set this straight (configuration?)?


    • Edited by cschelp Friday, March 18, 2011 10:40 AM Added error message
    Friday, March 18, 2011 9:51 AM

All replies

  • This article ("http://www.ben-morris.com/asp-net-web-services-and-ssl-certificates-establishing-a-trust-relationship") gave me an idea how to solve the problem. ASP.NET checks whether a server certificate's name "CN= ..." matches the server's domain name.

    So if the external server's certificate does not comply with that rule, an HTTPS request from an ASP.NET application will not trust the connection. So if you have no chance to change the external server's configuration (3rd party), you have to disable the check.

    It can be switched off by passing a custom delegate to ASP.NET's (mainly) static ServicePointManager class.

    I put that bit into a static constructor of my HTTPS connector class (however, that check will be switched off for any HTTPS connection in the whole application):

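    using System.Net;
    using System.Security.Cryptography.X509Certificates;

    public class MyExternalSslServiceConnector : IMyExternalServiceConnector
    {
        protected string ServiceUrl { get; set; }
        public X509Certificate2 SslCertificate { get; set; }

        // Runs once per AppDomain, before the first use of this class.
        static MyExternalSslServiceConnector()
        {
            // Accepts every server certificate without any check. The callback is
            // static, so this applies to all HTTPS requests made by the application.
            ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
        }

        public MyExternalSslServiceConnector(string myExternalServiceUrl, X509Certificate2 sslCertificate)
        {
            this.ServiceUrl = myExternalServiceUrl;
            this.SslCertificate = sslCertificate;
        }

        // further implementation using HttpRequest class [...]
    }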

    Kind regards, C.


    Friday, March 18, 2011 4:00 PM
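
Added example, not part of the original reply: the reply notes that its delegate switches the check off for every HTTPS connection in the application, so this is a narrower callback that tolerates only a name mismatch, only for one host, and only for one expected certificate. The host name and thumbprint are placeholders, and the class and method names are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class ScopedCertificateValidation
{
    // Placeholders (not from the original post): the third party's host name and
    // the thumbprint of its certificate as shown by the Windows certificate viewer.
    private const string PinnedHost = "thirdparty.example";
    private const string PinnedThumbprint = "<THUMBPRINT-OF-THIRD-PARTY-CERT>";

    // Call once at startup, e.g. from the connector's static constructor.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // The default checks passed: nothing to override.
        if (errors == SslPolicyErrors.None)
            return true;

        // Tolerate a name mismatch alone, never a broken chain or a missing certificate.
        if (errors != SslPolicyErrors.RemoteCertificateNameMismatch || certificate == null)
            return false;

        // The callback is process-wide, so limit the exception to the one host.
        // For HttpWebRequest calls the sender is the request itself.
        var request = sender as HttpWebRequest;
        if (request == null ||
            !string.Equals(request.Address.Host, PinnedHost, StringComparison.OrdinalIgnoreCase))
            return false;

        // Accept only the exact certificate that was pinned for that host.
        string thumbprint = new X509Certificate2(certificate).Thumbprint;
        return string.Equals(thumbprint, PinnedThumbprint, StringComparison.OrdinalIgnoreCase);
    }
}
```

With this callback every other HTTPS connection in the process keeps the default validation, and the pinned thumbprint has to be updated whenever the third party renews its certificate.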