SSL Authenticated SOAP Request works in SoapUI but not through code

  • I am connecting to a SOAP webservice that requires SSL authentication. I (the web service client) have a .pfx file and provided the public certificate for that file to the company whose web service I am accessing. I am able to send a successful SOAP request to their web service through SoapUI (after configuring SoapUI to use the .pfx).

    Now I am trying to send the same request through code (VB.NET) but having trouble connecting. The error message I get after invoking the request is: "The request was aborted: Could not create SSL/TLS secure channel."

    In code, I have a proxy class for the web service that inherits SoapHttpClientProtocol. The code that sets up the SSL and invokes the request is as follows:

    ' Requires: Imports System.Net, System.Security.Cryptography.X509Certificates,
    '           System.Web.Services.Protocols, System.Web.Services.Description
    <System.Web.Services.Protocols.SoapDocumentMethodAttribute("UpdateLeadByDMS_v1", Use:=System.Web.Services.Description.SoapBindingUse.Literal, _
            ParameterStyle:=System.Web.Services.Protocols.SoapParameterStyle.Bare), _
            CaptureMessageExtension()>
        Public Function UpdateLeadByDMS_v1(ByVal leadPushRequest As LeadPushRequest) As LeadPushResponse
            Dim store As X509Store = Nothing
            Try
                ' The .pfx was imported into the machine store, so the certificate and its
                ' private key must be readable by the account the web application runs as.
                store = New X509Store(StoreName.My, StoreLocation.LocalMachine)
                store.Open(OpenFlags.OpenExistingOnly Or OpenFlags.ReadOnly)
                Const thumbprint As String = "36C82D8E7BAEEB2E9B88F4748CB60AE6E0A89F64"
                ' validOnly:=False so the certificate is returned even if its chain does not validate locally
                Dim certCollection As X509Certificate2Collection = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, False)
                If certCollection.Count > 0 Then
                    Dim cert As X509Certificate2 = certCollection(0)
                    ' Note: this adds another copy on every call, so a reused proxy accumulates duplicates.
                    ' Adding succeeds even when the private key is not accessible; that only fails at handshake time.
                    Me.ClientCertificates.Add(cert)
                End If
            Finally
                If store IsNot Nothing Then
                    store.Close()
                End If
            End Try
            ' Process-wide setting; SecurityProtocolType.Tls means TLS 1.0 only.
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls
            Dim results() As Object
            Try
                results = Me.Invoke("UpdateLeadByDMS_v1", New Object() {leadPushRequest})
            Catch ex As Exception
                ' Wrapping only ex.Message discards the inner exception and stack trace.
                SendError(New Exception(ex.Message))
                Throw
            End Try

            Return CType(If(results IsNot Nothing, results(0), Nothing), LeadPushResponse)
        End Function


    I've tracked both requests in Wireshark and seen the following TLS handshake steps:

    [Wireshark capture: SoapUI request, handshake works]

    [Wireshark capture: code request, fails SSL authentication]

    Does anybody have an idea of why one would succeed while the other fails? It looks to me like the code is failing during the client's authentication of the server... but I have already tried setting the ServicePointManager.ServerCertificateValidationCallback delegate to return true and that did not change anything.

    Thank you for any insight you can provide!

    EDIT: Here is the information from the last TLS packet in the network logs. It is the ServerHello and Certificate handshake parts from the server. There were no errors that I saw. [Capture: last TLS packet] After that there was only the following communication between the client and server: [Capture: last communication between server and client]

    You need to take a look inside the packet and see the specific error, then tell us the ***exact*** phrase used to describe it (or include here a snapshot of it).

    @DarkLighting I edited my post to include that info. I used Microsoft Network Monitor instead of Wireshark this time, which is why it looks a little different.

  • Jordan - Correct answer - 6 years ago

    I figured it out! The SSL handshake was failing on my (client) side because the client certificate did not have the right permissions for the account that was running the web application. I was able to find this out by looking in 'Windows Event Viewer' under 'Windows Logs --> System'. There I saw an error stating: "A fatal error occurred when attempting to access the SSL client credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10003."

    Googling that error state brought me to this forum post (https://social.technet.microsoft.com/Forums/lync/en-US/e70a8dbc-6f48-4fde-a93b-783554344822/a-fatal-error-occurred-when-attempting-to-access-the-ssl-client-credential-private-key?forum=ocscertificates) which said that it was a permissions error. Whatever account was running the application could not access the private key of the certificate. To fix this I simply gave read permission for my client certificate to the correct account through MMC in Windows. This post provides some insight on how to do that: https://stackoverflow.com/questions/2609859/how-to-give-asp-net-access-to-a-private-key-in-a-certificate-in-the-certificate

    Hopefully this helps someone in the future! Remember to check your permissions!
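The answer above does the fix by hand in MMC. The following PowerShell script is an added example (not code from the question or the answer) that performs the same steps from an elevated prompt: it looks in the System log for the Schannel 0x8009030d error the answer mentions, finds the certificate by thumbprint in LocalMachine\My, resolves the file that backs its private key (CAPI keys under MachineKeys, CNG keys under Keys), prints the current ACL so you can see which identities can read it, and then grants Read to the application's identity. The thumbprint default reuses the one from the question; the account name `IIS AppPool\DefaultAppPool` is an assumption and must be replaced with whatever identity the web application actually runs as.

```powershell
<#
Added example: grant the web application's identity Read access to the private key
of the client certificate, which is what MMC's "All Tasks > Manage Private Keys" does.
Run from an elevated PowerShell prompt on the machine hosting the application.
Assumptions: $Thumbprint reuses the value from the question; $Account is a placeholder.
#>
param(
    [string]$Thumbprint = '36C82D8E7BAEEB2E9B88F4748CB60AE6E0A89F64',
    [string]$Account    = 'IIS AppPool\DefaultAppPool'   # assumption: replace with your app's identity
)

# 1. Confirm the failure is the one the answer describes: Schannel logs the
#    0x8009030d private-key error to the System log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel' } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x8009030[dD]' } |
    Select-Object -First 3 TimeCreated, Id, Message

# 2. Locate the certificate and make sure the private key was imported with it.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; re-import the .pfx with its key' }

# 3. Resolve the key container file name. Legacy CSP (CAPI) keys expose CspKeyContainerInfo;
#    CNG keys are reached through GetRSAPrivateKey and report CngKey.UniqueName.
$keyName = $null
try { $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch { }
if (-not $keyName) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) { $keyName = $rsa.Key.UniqueName }
}
if (-not $keyName) { throw 'Could not determine the private key container name' }

$keyDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),  # CAPI machine keys
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')              # CNG machine keys
)
$keyFile = $keyDirs | ForEach-Object { Join-Path $_ $keyName } | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key file $keyName not found under $($keyDirs -join ', ')" }

# 4. Show who can read the key today, then add a Read ACE for the application identity.
$acl = Get-Acl -Path $keyFile
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl
Write-Host "Granted Read on $keyFile to $Account"
```

Read is all the TLS client needs; do not grant Full Control, and do not grant it to Everyone or Users, since anyone who can read that file holds the client credential. If step 1 shows nothing, look at the System log around the time of the failed request anyway: the "Could not create SSL/TLS secure channel" message from .NET is generic, and the Schannel event is where the real reason is recorded.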

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM