HttpWebRequest & SSL problems

Chris

I have an HttpWebRequest connecting to an SSL server. The server has a
valid Verisign certificate installed, so no client-side cert is needed. I
am getting intermittent errors when connecting to the server. One in every
five times I try to connect, I see the error:

"The underlying connection was closed: Could not establish secure
channel for SSL/TLS.)"

I tried using an ICertificatePolicy to allow any certificate, but that
didn't work. The funny thing is when I load my own certificate using:

request.ClientCertificates.Add(X509Certificate.CreateFromCertFile("mycert.cer"));

...I never see the error. However, I don't want to ship the app with a
client cert.

Suggestions?
 
Joerg Jooss

Chris said:
> I have an HttpWebRequest connecting to an SSL server. The server has
> a valid Verisign certificate installed, so no client-side cert is
> needed.

This statement makes no sense to me. A client certificate is used to
ensure the client is authentic. That has nothing to do with the fact
that the server is authentic.

> I am getting intermittent errors when connecting to the
> server. One in every five times I try to connect, I see the error:
>
> "The underlying connection was closed: Could not establish secure
> channel for SSL/TLS.)"
>
> I tried using an ICertificatePolicy to allow any certificate, but
> that didn't work. The funny thing is when I load my own certificate
> using:
>
> request.ClientCertificates.Add(X509Certificate.CreateFromCertFile("mycert.cer"));
>
> ...I never see the error. However, I don't want to ship the app
> with a client cert.
>
> Suggestions?

Well, either the application requires a client certificate or not. Do
you have any information about the server-side code?

Cheers.
 
Chris

> This statement makes no sense to me. A client certificate is used to
> ensure the client is authentic. That has nothing to do with the fact
> that the server is authentic.

The application does not require client-side certification. We did have
a server trusted root cert we installed on the client before we obtained a
full blown server SSL cert from Verisign. It's just an odd coincidence that
loading the old trusted root cert into HttpWebRequest's ClientCertificates
makes the errors go away.

Can HttpWebRequest connect directly to an SSL with no problems? This
seems like a weird intermittent problem. We have no problem connecting to
our resources via a web browser. HttpWebRequest should be no different but
we keep getting a, "The underlying connection was closed: Could not
establish secure channel for SSL/TLS.)" error 1 in 5 times. Mainly on
reconnects, the application downloads large files via SSL and can resume.

-- Chris
 
Joerg Jooss

Chris said:
> The application does not require client-side certification. We
> did have a server trusted root cert we installed on the client before
> we obtained a full blown server SSL cert from Verisign. It's just an
> odd coincidence that loading the old trusted root cert into
> HttpWebRequest's ClientCertificates makes the errors go away.

At the end of the day, you can never rule out some weird bug in the
BCL, though I think it's highly unlikely that this is the case. Maybe
the problem disappeared because of a different reason.

> Can HttpWebRequest connect directly to an SSL with no problems?

Yes. Provided all that nasty security stuff is set up correctly ;-)

> This seems like a weird intermittent problem. We have no problem
> connecting to our resources via a web browser. HttpWebRequest should
> be no different but we keep getting a, "The underlying connection was
> closed: Could not establish secure channel for SSL/TLS.)" error 1 in
> 5 times. Mainly on reconnects, the application downloads large files
> via SSL and can resume.

Comparing a browser with a .NET application is comparing apples to
oranges -- there are two different implementations working under the
hood. Maybe hooking up an SSL proxy or a network sniffer like Ethereal
can shed some light on this.

Cheers,
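
An added example, not code from either poster: an in-process complement to the proxy or sniffer suggested above. It repeats the request, logs the WebException status of each failure, and logs certificate validation errors without accepting an invalid certificate (unlike an allow-any policy). It assumes .NET Framework 2.0 or later; the URL is a placeholder and the class and method names are made up for illustration.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class TlsDiagnostics   // hypothetical name
{
    // Logs why validation failed but never overrides the platform's verdict.
    // Only called if the handshake gets as far as certificate validation.
    static bool LogAndValidate(object sender, X509Certificate cert,
                               X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        Console.Error.WriteLine("certificate validation failed: {0}", errors);
        if (cert != null)
            Console.Error.WriteLine("  subject={0} issuer={1}", cert.Subject, cert.Issuer);
        if (chain != null)
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.Error.WriteLine("  chain: {0} {1}", s.Status, s.StatusInformation.Trim());
        return false;
    }

    static void Main(string[] args)
    {
        // Placeholder URL; pass the real endpoint as the first argument.
        string url = args.Length > 0 ? args[0] : "https://example.com/";
        ServicePointManager.ServerCertificateValidationCallback = LogAndValidate;

        for (int attempt = 1; attempt <= 10; attempt++)
        {
            try
            {
                HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
                using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
                    Console.WriteLine("attempt {0}: HTTP {1}", attempt, (int)response.StatusCode);
            }
            catch (WebException ex)
            {
                // SecureChannelFailure: the handshake itself failed.
                // TrustFailure: the server certificate was rejected.
                Console.Error.WriteLine("attempt {0}: {1} ({2})", attempt, ex.Status, ex.Message);
                if (ex.InnerException != null)
                    Console.Error.WriteLine("  inner: {0}", ex.InnerException.Message);
            }
        }
    }
}
```

If failures show SecureChannelFailure with no validation output, the handshake broke before the certificate was checked, and a packet capture is the next place to look.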
 
