I’m trying to set up a simple Hello World web service and client using an SSL connection, using VB.NET. When the client attempts to call the Web Method, I get this error: “System.Net.WebException: The underlying connection was closed: Could not establish trust
relationship with remote server.” This connection will work if I use regular http:// as opposed to https://, and it also works if I use a windows application instead of a web application. I don’t need to use client certificates, but if it’s necessary for the
connection I can. From what I’ve seen, this is a fairly common problem, but I still haven’t found a solution that works! I’ve tried credentials, certificates, and impersonation, and nothing seemed to help. Thank you for any help! I’m really at a loss here.
Michael Davis
Have you created the certificate yourself? If yes, I suppose it always shows you the confirmation box when you are trying to access the resource (with a browser) using https, saying that the certification authority is not trusted? Anyway, I had the same sort of problem
with self-issued certificates. The solution was to implement my own certificate validation policy. I just wanted to get SSL to work with self-issued certificates, so I did it the easy way (there's a good example in the .NET Framework docs for the ICertificatePolicy interface). First
I created a class like this:
Imports System
Imports System.Net
Imports System.Security.Cryptography.X509Certificates

Public Class MyCertificateValidation
    Implements ICertificatePolicy

    Public Function CheckValidationResult(ByVal srvPoint As ServicePoint, _
            ByVal cert As X509Certificate, ByVal request As WebRequest, ByVal problem As Integer) _
            As Boolean Implements ICertificatePolicy.CheckValidationResult
        'Return true to specify that certificate is always validated
        Return True
    End Function
End Class
Then I used it in the client application before calling the web service (my client was an ASP.NET page using WebRequests, as I was testing this functionality):
ServicePointManager.CertificatePolicy = New MyCertificateValidation()
ASP.Net cannot negotiate a secure connection over https. This is by design. Read the below article: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q318103 Be advised that creating a certificate validation class and setting it to always return true does
not provide a secure connection and will allow any certificate to validate. If you're going to do this, what is the point of using https at all?
If the certificate is valid (trusted authority and so on), it will create the connection just fine without any tricks. The article you pointed to concerns only client certificates (and in this case they were not in use). For example, this works fine:
Dim objReq As HttpWebRequest = WebRequest.Create("https://www.verisign.com/cgi-bin/clearsales_cgi/leadgen.htm?form_id=0110&toc=w252677830110000&email=")
Dim objResp As HttpWebResponse = CType(objReq.GetResponse(), HttpWebResponse)
Dim reader As New IO.StreamReader(objResp.GetResponseStream)
Dim str As String = reader.ReadToEnd
reader.Close()
objResp.Close()
Response.Write(str)
If the issuer is a non-trusted authority and you connect there, I understand the non-secure point, but if you know the issuer or if it is yourself (you create the client applications also), this approach is just fine. The point is to make the traffic encrypted, and even with
self-issued certificates it is just that. The certificate validation class does not prevent the connection from being secure in the encrypted sense; it just validates whether the certificate itself is valid. Certainly invalid certificates are a security risk, but if the only
"problem" is just that you yourself are not a trusted authority but the certificate is otherwise OK, it is no more of a security risk than using any other certificate (a certificate from a trusted root authority).
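An alternative to the always-true policy debated above, as an added example that is not code from any poster in this thread: the policy below accepts certificates that validate normally and, for an untrusted root, only the one certificate whose hash matches a pinned value. The class name PinnedCertificatePolicy and the PinnedHash placeholder are assumptions; &H800B0109 is the Windows CERT_E_UNTRUSTEDROOT error code.

```vbnet
Imports System
Imports System.Net
Imports System.Security.Cryptography.X509Certificates

' Added example (hypothetical class name): trusts the normal validation result
' and, for an untrusted root, only the single certificate pinned below.
Public Class PinnedCertificatePolicy
    Implements ICertificatePolicy

    ' Placeholder, not a value from the thread: replace with the hash
    ' (hex, no spaces) of your own self-issued server certificate.
    Private Const PinnedHash As String = "REPLACE_WITH_YOUR_CERTIFICATE_HASH"

    ' CERT_E_UNTRUSTEDROOT: the chain ends in a root that is not trusted.
    Private Const CertUntrustedRoot As Integer = &H800B0109

    Public Function CheckValidationResult(ByVal srvPoint As ServicePoint, _
            ByVal cert As X509Certificate, ByVal request As WebRequest, _
            ByVal problem As Integer) As Boolean _
            Implements ICertificatePolicy.CheckValidationResult

        ' No problem reported: the certificate chained to a trusted root.
        If problem = 0 Then Return True

        ' Any other problem (expired, host name mismatch, ...) is rejected.
        If problem <> CertUntrustedRoot Then Return False

        ' Untrusted root: accept only the exact certificate that was deployed.
        If cert Is Nothing Then Return False
        Return String.Compare(cert.GetCertHashString(), PinnedHash, True) = 0
    End Function
End Class
```

It is installed the same way as the class in the thread, by assigning New PinnedCertificatePolicy() to ServicePointManager.CertificatePolicy before the first request. A certificate presented by anyone else intercepting the connection fails the hash comparison, which the always-true policy cannot detect.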
I'm having this same issue, but it's a little odd:
1. ASP.NET app consumes web service
2. Web service is on the SAME server
3. The server uses SSL
Now, the app and service were both created using an untrusted certificate, and there was no problem. Recently,
however, the certificate was renewed. For some reason the app-service connection does not work now. I tried the ICertificatePolicy approach, but it did not solve the problem. Are there any other reasons that I would get this? Most examples I've seen are making
explicit HTTP calls. I am merely accessing a web service. I understand that the calls in the proxy class make the explicit calls, but some fixes that I've seen are to these calls directly. Has anyone seen any other solutions to this problem? Thanks.
I was having a similar problem--attempting to POST to a CGI script on another server with https--and creating the MyCertificateValidation class solved the problem. But... can someone give me a good explanation of how and why this works? Preferably in layman's
terms =) Thanks,
Thanks for the response. One question: I created the class, but what is the following line: ServicePointManager.CertificatePolicy = New MyCertificateValidation() When I add that line I get an error that ServicePoint is not defined. What am I supposed to put
there? Thanks in advance!
PhoenixDream...
Please Help!! "Could not establish trust relationship" using SSL
Aug 01, 2002 05:30 PM
joteke
Re: Please Help!! "Could not establish trust relationship" using SSL
Aug 02, 2002 08:45 AM
Teemu Keiski
Finland, EU
PhoenixDream...
Re: Please Help!! "Could not establish trust relationship" using SSL
Aug 02, 2002 04:07 PM
SKillick
Re: Please Help!! "Could not establish trust relationship" using SSL
Oct 23, 2002 02:50 PM
joteke
Re: Please Help!! "Could not establish trust relationship" using SSL
Oct 23, 2002 04:26 PM
Teemu Keiski
Finland, EU
ciddivine
Re: Please Help!! "Could not establish trust relationship" using SSL
Mar 31, 2003 11:15 PM
AHYEEE
Re: Please Help!! "Could not establish trust relationship" using SSL
Jul 03, 2003 01:23 AM
Student/Web Developer
Yu_Matrix
Re: Please Help!! "Could not establish trust relationship" using SSL
Aug 01, 2003 03:26 AM
Yu_Matrix
Re: Please Help!! "Could not establish trust relationship" using SSL
Aug 01, 2003 06:47 AM
dpruitt
Re: Please Help!! "Could not establish trust relationship" using SSL
Oct 14, 2003 03:52 AM