Could not establish secure channel for SSL/TLS with authority ''


  • Hi,

    I have an ActiveX that calls an HTTPS web service using WCF, passing its certificate. The ActiveX works perfectly for 5 customers and 1 is causing this error:

    Could not establish secure channel for SSL/TLS with authority ''.  (
    Server stack trace: 
       at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
       at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]: 
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at MyNamespace.nfse.GerarNfse(GerarNfseRequest request)
       at MyNamespace.nfseClient.VNFSEPrefeitura.nfse.GerarNfse(GerarNfseRequest request)
       at MyNamespace.nfseClient.GerarNfse(String nfseCabecMsg, String nfseDadosMsg)
       at MyNamespace.MyClass.EnviarRequisicao(String xmlCabecalho, String xmlNotas, TipoServico servico, String url))

    I don't know why I'm getting this error; I disabled CheckCertificateRevocationList and my ServerCertificateValidationCallback always returns true. The code I use to make my WCF requests:

        try
        {
            // Revocation checking is off and every server certificate is accepted.
            System.Net.ServicePointManager.CheckCertificateRevocationList = false;
            System.Net.ServicePointManager.ServerCertificateValidationCallback += delegate
            { return true; };

            // HTTPS transport security with a client certificate as the credential.
            System.ServiceModel.BasicHttpBinding binding = new System.ServiceModel.BasicHttpBinding(System.ServiceModel.BasicHttpSecurityMode.Transport);
            binding.Security.Transport.ClientCredentialType = System.ServiceModel.HttpClientCredentialType.Certificate;
            binding.ReceiveTimeout = TimeSpan.FromMinutes(5);
            binding.MaxReceivedMessageSize = 2147483647;
            if (binding.ReaderQuotas == null)
                binding.ReaderQuotas = new XmlDictionaryReaderQuotas();
            binding.ReaderQuotas.MaxStringContentLength = 2147483647;
            binding.ReaderQuotas.MaxArrayLength = 2147483647;
            binding.ReaderQuotas.MaxBytesPerRead = 2147483647;

            System.ServiceModel.EndpointAddress endpoint = new System.ServiceModel.EndpointAddress(url);

            string xmlWS = string.Empty;
            using (nfseClient cliente = new nfseClient(binding, endpoint))
                xmlWS = cliente.MyWebServiceMethod(param1, param2);
        }
        catch (Exception e)
        {
            // Handler body is not shown in the post.
        }

    As I say, this code works perfectly for 5 customers; only this one is causing this error.
    I've seen this error before; however, the user who was having this problem no longer uses the system, so we did not investigate.

    I hope someone can give some suggestions or some help.

    Thank you!

    Best regards

    -- Christophe Trevisani Chavey
    • Edited by ChristopheBHMG Friday, January 07, 2011 12:46 AM bold in explanation
    Thursday, January 06, 2011 8:59 PM

All replies

  • The server certificate is not trusted according to the client machine policy.

    For example, the server certificate was issued by a company that the client IT decided not to trust, i.e. not to have its certificate in their "trusted root" certificate store.

    Actually you can disable the validation, or better, override it with your own custom logic, since disabling it might pose a risk.

    Here is how to totally disable it:

    more details -

    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;

    // Register the callback before the first request is made.
    ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(OnValidationCallback);

    // Accepts every server certificate, which disables validation entirely.
    public static bool OnValidationCallback(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        return true;
    }
    WCF Security, Interoperability And Performance Blog
    Thursday, January 06, 2011 9:24 PM
  • Hi,

    Thanks for the fast reply, but I already did that, like the code I pasted.

    It works for every customer except one, which throws this exception. I need to resolve this problem urgently :-/

    -- Christophe Trevisani Chavey
    Friday, January 07, 2011 12:36 AM
  • Try to add it explicitly as in my code and check if this line is called, both in the working and non-working case, e.g. put logging there.
    WCF Security, Interoperability And Performance Blog
    Friday, January 07, 2011 7:41 AM
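
The two suggestions made in the replies (override validation with custom logic instead of accepting everything, and log whether the callback is reached) combined into one added example; it is not code from the thread. `TlsDiagnostics`, `Log`, `LogClientCertificate` and the thumbprint placeholder are hypothetical names, and it assumes `Trace` output is collected on the customer machine.

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class TlsDiagnostics   // hypothetical helper, not from the thread
{
    // Placeholder: thumbprint of the single server certificate you decide to accept.
    const string PinnedThumbprint = "REPLACE_WITH_EXPECTED_SERVER_THUMBPRINT";

    // Assumption: Trace output is collected somewhere; swap in your own logger.
    static void Log(string message)
    {
        Trace.WriteLine(DateTime.UtcNow.ToString("o") + " [tls] " + message);
    }

    public static void Install()
    {
        // Plain assignment, so this is the only validation delegate registered.
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    static bool Validate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        Log("callback invoked, errors=" + errors + ", subject=" + (cert == null ? "(none)" : cert.Subject));
        if (chain != null)
            foreach (X509ChainStatus status in chain.ChainStatus)
                Log("chain status " + status.Status + ": " + (status.StatusInformation ?? "").Trim());

        if (errors == SslPolicyErrors.None) return true;   // trusted by machine policy
        if (cert == null) return false;

        // Tolerate an untrusted chain only for the pinned certificate; name
        // mismatches or a missing certificate are still rejected.
        bool pinned = string.Equals(new X509Certificate2(cert).Thumbprint,
                                    PinnedThumbprint, StringComparison.OrdinalIgnoreCase);
        bool accept = pinned && errors == SslPolicyErrors.RemoteCertificateChainErrors;
        Log("pinned=" + pinned + ", accept=" + accept);
        return accept;
    }

    // Call with the client certificate handed to the WCF proxy.
    public static bool LogClientCertificate(X509Certificate2 clientCert)
    {
        Log("client cert " + clientCert.Subject + ", hasPrivateKey=" + clientCert.HasPrivateKey
            + ", notAfter=" + clientCert.NotAfter.ToString("o"));
        return clientCert.HasPrivateKey && DateTime.Now <= clientCert.NotAfter;
    }
}
```

If the failing machine logs no "callback invoked" line, the handshake ended without reaching server certificate validation, so the callback's return value is not what decides the outcome there.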