The remote certificate is invalid according to the validation procedure

I'm developing a WCF service (NetTcpBinding) and it works just fine without security. We bought a certificate from DigiCert and installed it on the server and configured with DigicertUtil.exe. Also installed on the test client machines.

Turning on the security I'm able to connect to it from my dev PC without problems.

Server config:

   binding.Security.Mode = SecurityMode.Transport;
   binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
   binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
   ServerHost.Credentials.ServiceCertificate.SetCertificate(
              StoreLocation.LocalMachine,
              StoreName.My,
              X509FindType.FindBySubjectName,
              Properties.Settings.De开发者_JAVA技巧fault.CertificateName);

Client config:

 <binding name="EndPointTCP" closeTimeout="00:01:00" openTimeout="00:01:00"
              receiveTimeout="00:10:00" sendTimeout="00:01:00" transactionFlow="false"
              hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="1610612736"
              maxReceivedMessageSize="1610612736">
              <readerQuotas maxDepth="32" maxStringContentLength="2147483647"
                maxArrayLength="2147483647" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
              <reliableSession ordered="false" inactivityTimeout="00:10:00" enabled="false" />
              <security mode="Transport">
                <transport clientCredentialType="Certificate"  protectionLevel="EncryptAndSign"/>
              </security>
            </binding>

    <behaviors>
          <endpointBehaviors>
            <behavior name="behavior_ServerService">
              <clientCredentials>
                <clientCertificate findValue="*.domain.com"
                          storeLocation="LocalMachine"
                          storeName="My"
                          x509FindType="FindBySubjectName" />
              </clientCredentials>
            </behavior>
          </endpointBehaviors>
        </behaviors>

<client>
  <endpoint address="net.tcp://clients.domain.com:10001/Server/ServerService"
    binding="netTcpBinding" bindingConfiguration="EndPointTCP" contract="ServerServiceReference.IServerWS"
    name="EndPointTCP" behaviorConfiguration="behavior_ServerService">
    <identity>
      <dns value="*.domain.com" />
    </identity>
  </endpoint>
</client>  

(I modified the domain and service name to keep privacy of the customer.)

Trying it from any other computers I receive the following error on clients:

The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:00:59.9840000'.

An existing connection was forcibly closed by the remote host

The trace log on the server says:

The remote certificate is invalid according to the validation procedure.

Which is very strange because I use the same certificate on both the sever and the client... (and not to mention the dev pc from which it's working well...)

The error message is the same even if I set

ServerHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;

on the server and

ServiceClient.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;

on the client.

Could anybody tell me how to do it correctly? Of course I do not want to use workarounds like validation callback returning always true or the above non-validated mode.

Any help would be appreciated. Only this 'little' problem should be solved to be able to release... :(

Thanks a lot in advance!

Hudgi

---

It sounds like you are trying to use the same certificate as both a server and client certificate and that your clients do not have the same hostname that the certificate was issued to. Even if you set X509CertificateValidationMode.None, the hostnames must match. If your development machine was the same as the server it would most certainly succeed.

Are you intentionally trying to make clients authenticate to the server over SSL, or are you just trying to establish trust from your clients with the certificate authority?

I also suspect your certificate may not really be a wildcard certificate, if thats the case you are out of luck with using that cert for client authentication.

---

In case if you want to Ignore self-signed or invalid certificates, try this snippet code just before the client call request.

ServicePointManager.ServerCertificateValidationCallback = delegate
(object s, X509Certificate certificate, X509Chain chain,
SslPolicyErrors sslPolicyErrors) { return true; };

I hope it helps.