Secure Web Service - Could not create SSL/TLS secure channel

Question

0.00/5 (No votes)

See more:

I deployed a web service to a secure server, and when I try to add a web reference to that service to a desktop app, the service is found and I get the expected output on the left side of the Add Web Reference dialog box (it shows the name of the service and all of the exposed methods), but I get this error and can't add the reference (the button is disabled):

There was an error downloading 'https://blah.blah/blah/service1.asmx'.<br />
The request was aborted: Could not create SSL/TLS secure channel.<br />
There was an error downloading 'https://blah.blah/blah/service1.asmx/$metadata'.<br />
The request was aborted: Could not create SSL/TLS secure channel.

I found on google that it might be caused by an expired root certificate, but the server in question has over 300 root certificates. How do I find out which root certificate is being used by IIS, and if it's expired, how to modify IIS to use one that ISN'T expired?

In the interest of providing complete info, the web site under which the service is hosted autheticates the user by using a CAC card (it's a DoD thing). I believe that's a X509 thing.

Posted 31-Jan-12 1:55am

#realJSOP

Updated 31-Jan-12 2:15am

v2

Add a Solution

Comments

Espen Harlinn 31-Jan-12 8:39am

Hi John - glad you are back :)
Any reason for using .asmx and not wcf?
wcf is actually easier to configure, .asmx depends on a lot of stuff that can be hard to track down.

Is the .asmx deployed as part of a web app running under the network service user? It's common to find that 'custom' service users has not been configured correctly, depending on your needs for delegation and impersonation, in AD.

#realJSOP 31-Jan-12 9:16am

I'm not "back", I'm just asking a question at the best place I know of to ask a question.

To answer your question, no, there's no reason I chose a non-wcf solution, and I was actually contemplating trying it just to see if it would work any better. What I don't understand is why it lets me see the web methods (meaning it found the service I was after), yet can't create a SSL channel.

Espen Harlinn 31-Jan-12 9:21am

>> I'm not "back"
Pity - you've definitely been a major contributor.

This application of yours, is it running inside a single domain/forest?

#realJSOP 31-Jan-12 9:50am

The web service is on a server, the app is on my local box, on the same domain.

Espen Harlinn 31-Jan-12 9:58am

Good - have you installed the certificate authority's certificate on your computer?

#realJSOP 31-Jan-12 10:04am

Didn't know I had to There's a crap load of CAs on our machines. Crapload = 89.

Espen Harlinn 31-Jan-12 10:09am

It depends, with a Windows enterprise CA, enrollment can also be automatic where group policies are used to auto enroll machine or user certificates ... as I mentioned I've found that deploying WCF solutions are simpler - and they can be complicated enough, depending on how creative the network admins are.

I guess you want impersonation to work too?

#realJSOP 31-Jan-12 11:03am

I don't understand why it doesn't "just work".

Espen Harlinn 31-Jan-12 12:43pm

Have a look at "Simple TLS handshake" at http://en.wikipedia.org/wiki/Transport_Layer_Security
and read:
http://en.wikipedia.org/wiki/Public_key_infrastructure

nagshead_obx 5-Feb-16 14:13pm

I added System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12 to the Application_Start of global.asax. How can I check to see if TLS 1.2 works? I unchecked TLS 1.2 on IE Advanced options. I had expected the web page to fail.

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Espen Harlinn · Answer 1 · 2012-01-31T04:20:00

Solution 1

Hi john,

I think this article covers the most important steps:
http://www.codeguru.com/csharp/csharp/cs_webservices/security/article.php/c19403[^]

Best regards
Espen Harlinn

Posted 31-Jan-12 4:20am

Espen Harlinn

Member 11149626 · Answer 2 · 2014-11-06T03:55:00

Solution 2

System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12

added that line to Application_Start of global.asax

Posted 6-Nov-14 3:55am

Member 11149626

Updated 6-Nov-14 3:56am

v2

Comments

ghuleshekhar 19-Mar-16 3:21am

thanks ... it work :-)

carceb 17-Jul-19 14:41pm

Thank you very much, my problem was that in Visual Studio 2019 when I try to connect to the Web Service through a third-party API, the following error occurred: "The request was aborted: Could not create SSL/TLS secure channel" with your suggestion the problem was fixed, again thank you very much, you are the best.