I have a c# app that calls a web service method that authenticates using a certificate. The code works, because when it is installed on server A (without a proxy) it authenticates.
When I install the code on server B, at client site, its installed behind a proxy. I've really tried almost everything but I keep getting this error:
Could not create SSL/TLS 开发者_开发知识库secure channel
Do you think this issue can be caused by a proxy server? If you've had any personal experience with this please share.
Thanks
In my experience, nearly all such messages are due to some machine in the chain (client, proxy, server) not "liking" a certificate for some reason.
To elaborate on what twk said, if you're using self-signed certificates, or your own CA, you need to install the signing cert in the trusted authorities store on the server at least, and possibly on the proxy.
Common problems I've encountered:
- The certificate on the server is not signed by an authority that the PROXY or the CLIENT trusts
- The certificate on the CLIENT is not signed by an authority that the PROXY or the SERVER trusts
- Oops, I forgot to export the private key when I created the cert to be installed on the client
- My process does not have read permissions to the private key on the client
- The client certificate is password protected and I didn't specify credentials when reading the certificate.
I was having the same problem. In my case the certificates need the Network service access. You can check by
- Open certificate MMC
- Navigate to Certificates (Local Computer) > Personal > Certificates
- Right click on your certificate and select All Tasks> Manage Private Keys… from the context menu
- Set the appropriate permission
If your certificate is not trusted (is self signed) then C# client will refuse to connect.
Add this to the constructor:
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
My answer is similar to that of Snakebyte. In my case the certificate's private key needs the IIS_IUSRS user access.
- Open certificate MMC
- Right click on your certificate and select All Tasks> Manage Private Keys… from the context menu
- Add the IIS_IUSRS user and set the appropriate permissions.
精彩评论