Question

Hi, I am encountering problems trying to post a WebRequest under HTTPS.

I received the following errors:

1. The underlying connection was closed: Unable to connect to the remote server.

2. the operation TimeOut

3. The underlying connection was closed: Could not establish secure channel for SSL/TLS.

I tried with about 3 or 4 different proxies of my company and the customer company, and even when I am connected directly to the ISP provider with no restrictions, I get the above errors when executing the following method:

WebRequest.GetRequestStream() 

This occurs behind a proxy or not; the request can only be successfully posted from one single PC, which is behind a proxy. The proxy doesn't have a client certificate installed.

This is under .NET Framework 1.1, and the request already contains network credentials.

What could it be?

Update

The inner exception of the 3rd error is the following: The function completed successfully, but must be called again to complete the context

According to the issperr.h documentation, this error belongs to the

//
// MessageId: SEC_I_CONTINUE_NEEDED
//
// MessageText:
//
//  The function completed successfully, but must be called
//  again to complete the context
//
#define SEC_I_CONTINUE_NEEDED            ((HRESULT)0x00090312L)

On MSDN this refers to:

SEC_I_CONTINUE_NEEDED The client must send the output token to the server and wait for a return token. The returned token is then passed in another call to InitializeSecurityContext (Schannel). The output token can be empty.

Does this mean the PC lacks a client certificate?

Solution

There are a whole number of things that could be complicating things, as far as inconsistencies with the SSL certs, etc. But first, you should do some basic debugging to rule out the obvious things:

-- Did you try sending a simple web request to other servers? Try both (unsecured) http and (secured) https

-- Did you try connecting from another computer, or from another network? You mentioned that the client is behind a proxy; try a computer w/o a proxy first, to rule that out.

-- Are you making multiple WebRequests within the session? There is a hard-limit on the number of open requests, so make sure you're closing them after you get the WebResponse. Perhaps make a test program with just one request.

If that doesn't narrow it down, then it's probably something more complicated, with their server or the proxy. You can track outgoing network packets with a program such as netshark to try to track down where things are getting stuck.

OTHER TIPS

You could make a trace of the HTTP traffic using Fiddler or a network packet sniffing tool like Ethereal/Wireshark on the machine where it is working, and on one of the other machines, and compare the results. This is fairly low-level, but might throw some light on the issue.

  • If you can telnet from different machines to 443 then it is not the first two, as that means the client machine is receiving requests on that port.

On Windows that would be

telnet <domainname> 443

and if it connects the screen will go blank (hit return a few times to exit)

  • The proxies may or may not actually care about your request if it is under HTTPS as they can't read it.

  • Do the other machines have the client certificate and the certificate chain installed?

The SSL certificate name probably doesn't match. This is often the case with self-signed certificates.

The solution is to write your own authentication routine where you either always return true or do the necessary authentication to make sure the certificate is valid.

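// Namespaces needed by both variants
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// .NET 2.0+
...
// Register the callback once, before the first HTTPS request is made
ServicePointManager.ServerCertificateValidationCallback += MyValidationCallback;
...
public bool MyValidationCallback(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors err)
{
  // "Always return true" variant: every server certificate is accepted,
  // whatever errors are reported in err (name mismatch, untrusted chain, ...)
  return true;
}

// .NET 1.1
public class MyCertificatePolicy : ICertificatePolicy
{
  public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem)
  {
    // Same behaviour as above: certificateProblem is ignored and every certificate is accepted
    return true;
  }
}
...
// Install the policy process-wide, before the first HTTPS request is made
ServicePointManager.CertificatePolicy = new MyCertificatePolicy();
...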
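
Added example (not part of the answers above and not code from any of the posters): a .NET 2.0+ validation callback for the "do the necessary authentication" branch instead of always returning true. It accepts certificates the platform has already validated and otherwise accepts only one pinned certificate for one host; the class name, `PinnedHost` and `PinnedSha256` are hypothetical placeholders, and it assumes requests are made with `HttpWebRequest`, so that `sender` is the request object.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinnedCertificateValidation
{
    // Placeholder values (assumptions): the one host that uses a self-signed
    // certificate, and the hex SHA-256 hash of that certificate's DER bytes.
    private const string PinnedHost = "internal.example.test";
    private const string PinnedSha256 = "<SHA256-HEX-OF-EXPECTED-CERTIFICATE>";

    public static void Install()
    {
        // Assign (not +=) so no other handler can also approve certificates.
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Normal case: chain, host name and validity dates already checked out.
        if (errors == SslPolicyErrors.None)
            return true;

        // A missing certificate is never acceptable.
        if (cert == null || (errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
            return false;

        // The exception applies to one known host only; anything else fails closed.
        HttpWebRequest request = sender as HttpWebRequest;
        if (request == null ||
            !string.Equals(request.RequestUri.Host, PinnedHost, StringComparison.OrdinalIgnoreCase))
            return false;

        // Accept the certificate only if it is exactly the one we expect.
        byte[] hash;
        using (SHA256 sha = SHA256.Create())
            hash = sha.ComputeHash(cert.GetRawCertData());
        string actual = BitConverter.ToString(hash).Replace("-", "");
        return string.Equals(actual, PinnedSha256, StringComparison.OrdinalIgnoreCase);
    }
}
```

Call `PinnedCertificateValidation.Install()` once at startup, before the first HTTPS request; every other host still goes through the default validation result unchanged.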
Licensed under: CC-BY-SA with attribution