SSL for Tcp - turning off certificate Revoke check on client?

  • Question

  •  

    I am setting up a Server certificate for tcp transport security that I generated myself using makecert. However, since I generated the certificate myself, the client bombs because it cannot make the certificate revocation check (even though it is a "valid" certificate with a valid root authority). Is there an easy way to turn the revocation check off temporarily on the client? I've seen examples on how to do this on the server and for HTTP, but can't find a way to get it to not check for my tcp binding.

     

    My client binding code looks like so:

     

    NetTcpBinding tcpBinding = new NetTcpBinding();

    tcpBinding.TransactionFlow = false;

    tcpBinding.Security.Transport.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;

    tcpBinding.Security.Mode = SecurityMode.Transport;

    tcpBinding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;

     

     

    The error I get on the client is: The X.509 certificate CN=TestWCF chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation for the certificate.

     

    I've also tried using the

    ServicePointManager.ServerCertificateValidationCallback +=

    feature but my event handler never gets called under tcp.

     

    Ideas?

     

    Thanks!

     

    Boz
    Friday, August 3, 2007 5:34 PM

Answers

  • You can disable the revocation check via the following:

     

    Server side:

       service.Credentials.ClientCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;

    Client side:

       factory.Credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;

     

    Hope this helps.

     

    Thanks,

    Sara

    Thursday, August 9, 2007 11:21 AM

All replies

  • Thank you very much for the reply Sara.

     

    I was not creating the factory object, just the channel and that was why I couldn't find the Credentials.

     

    Before:

     

    IMyApi proxy = ChannelFactory<IMyApi>.CreateChannel(tcpBinding, endpointAddress);

     

    After:

     

    ChannelFactory<IMyApi> factory = new ChannelFactory<IMyApi>(tcpBinding, endpointAddress);

    factory.Credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;

    IMyApi proxy = factory.CreateChannel();

     

     

    Of course, now that I'm past that I'm on to the next issue!  The client is trying to use ActiveDirectory to establish Identity for some reason. If I can't figure out why (may be my server certificate?) then I'll start a new thread.

     

    Thanks again!

     

    Boz

    Friday, August 10, 2007 8:48 PM
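
Added example, not part of the original thread and not code from either poster: an alternative to leaving `RevocationMode.NoCheck` in place, which goes beyond the thread by using the `certificateValidationMode` setting named in the error message. Test builds accept only the makecert certificate by thumbprint, and release builds keep chain validation with online revocation checking. The `Ping` operation, the `PinnedCertValidator` and `TestClient` names, and the thumbprint argument are assumptions made for illustration.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]   // stand-in for the thread's IMyApi; Ping is a hypothetical operation
public interface IMyApi { [OperationContract] string Ping(); }

// Accepts exactly one certificate, identified by thumbprint, and rejects everything else.
public sealed class PinnedCertValidator : X509CertificateValidator
{
    private readonly string _thumbprint;
    public PinnedCertValidator(string thumbprint) { _thumbprint = thumbprint.Replace(" ", ""); }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null ||
            !string.Equals(certificate.Thumbprint, _thumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException("Unexpected service certificate.");
    }
}

public static class TestClient
{
    public static IMyApi Create(EndpointAddress address, string pinnedThumbprint)
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;

        var factory = new ChannelFactory<IMyApi>(binding, address);
        var auth = factory.Credentials.ServiceCertificate.Authentication;
#if DEBUG
        // Test builds: no chain is built (so no revocation lookup); only the pinned cert passes.
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedCertValidator(pinnedThumbprint);
#else
        // Release builds: full chain validation with revocation checking left on.
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;
#endif
        return factory.CreateChannel();
    }
}
```

The project needs references to System.ServiceModel and System.IdentityModel; pass the thumbprint of your own test certificate as `pinnedThumbprint`.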