Question

I ve got a program that calls web services at customer sites, and since the web service is provided by a third party it requires SSL and I can t do anything about it.

In most cases when there is an error it s because there is a self-signed certificate, so I am checking X509Chain.ChainElements.ChainElementStatus for the UntrustedRoot error and just ignoring it.

That s all fine, however I m getting an error from a new client and the ChainElementStatus element just appears to be an empty array. Any thoughts on what might cause that? If I look at the certificate error in IE it just says the certificate was not issued by a trusted CA.

EDIT: Adding the trace as Markus suggested, I see the following error coming back:

DateTime=2009-12-21T21:58:29.8719648Z
System.Net Information: 0 : [0772] SecureChannel#57280435 - Remote certificate has errors: ProcessId=4964 DateTime=2009-12-21T21:59:15.3239262Z System.Net Information: 0 : [0772] SecureChannel#57280435 - An internal certificate chaining error has occurred.
ProcessId=4964
DateTime=2009-12-21T21:59:15.3239262Z
System.Net Information: 0 : [0772] SecureChannel#57280435 - Remote certificate was verified as invalid by the user. ProcessId=4964

Answer 1

Have you tried adding some more logging? That s gotten me out of couple a of related errors in the past (I once spent more hours than I care to remember debugging a certificate related issue only to realize that someone had set the clock forward to a time when my certificate was no longer valid).

I finnaly managed to locate the problem after reading Jeff P Sanders great blog post about the process of debugging certificate related errors. It s written for asp.net clients but it works equally well for regular .net clients.

The core of it is adding a couple of trace listeners to your (App|Web).Config file. The one you re probably going to be most interested in is the tracewriter for System.Net and maybe System.Net.Sockets.

<configuration>
<system.diagnostics>
    <trace autoflush="true" />
    <sources>
        <source name="System.Net">
            <listeners><add name="System.Net"/></listeners>
        </source>
        <source name="System.Net.Sockets">
            <listeners><add name="System.Net"/></listeners>
        </source>
    </sources>
    <sharedListeners>
        <add
             name="System.Net"
             type="System.Diagnostics.TextWriterTraceListener"
             initializeData="System.Net.trace.log"
             traceOutputOptions = "ProcessId, DateTime"
         />
    </sharedListeners>
    <switches>
        <add name="System.Net" value="Verbose" />
        <add name="System.Net.Sockets" value="Verbose" />
    </switches>
</system.diagnostics>
</configuration>

Give it a go and if it doesn t solve your problem you should at least have enough data to update your question with more info.

友情链接