WCF consuming external Java WebService with HTTPS and proxy

I have a WCF service that consumes a Web Service (developed in Java) where I need to connect with HTTPS using a certificate. So far everything works fine, however, in production environment my client uses a proxy and I am not able to establish an SSL connection through the proxy.

My web Binding.development environment config (which works) looks like this: 

<system.serviceModel>
<bindings>
  <customBinding>
    <binding name="DOCeManagerServiceSoap12Binding">
      <textMessageEncoding messageVersion="Soap12"/>
      <httpsTransport />
    </binding>
  </customBinding>
</bindings>
<client>
  <endpoint address="https://example.com.br:443/DFeWeb/services/DOCeManagerService.DOCeManagerServiceHttpsSoap12Endpoint/"
    behaviorConfiguration="TestServiceBehavior" binding="customBinding"
    bindingConfiguration="DOCeManagerServiceSoap12Binding" contract="DOCeManagerService.DOCeManagerServicePortType"
    name="DOCeManagerServiceHttpsSoap12Endpoint">
  </endpoint>
</client>
<behaviors>
  <endpointBehaviors>
    <behavior name="TestServiceBehavior">
      <clientCredentials>
        <clientCertificate findValue="01FE53"
                           storeName="TrustedPublisher"
                           storeLocation="LocalMachine"
                           x509FindType="FindBySerialNumber"/>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
  <serviceBehaviors>
    <behavior>
      <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
      <serviceMetadata httpGetEnabled="true" />
      <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
      <serviceDebug includeExceptionDetailInFaults="true"/>
    </behavior>
  </serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />

In the production environment I tried to modify only this point: 

<httpsTransport bypassProxyOnLocal="true" proxyAddress="http://proxy.example.corp:8080" useDefaultWebProxy="false" >

I get the following error:

Could not establish trust relationship for the SSL / TLS secure channel with authority 'subdominio.example.com.br'. the underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure."

I have tried numerous settings but none of them solved my problem.

Update 1: I was thinking that the problem was related to the fact that I am making an SSL connection through a proxy that does not support SSL, however, if I Port my code to a console and inform the proxy I can make the connection and consume the method. In this way, I did not understand how I managed to connect with SSL through an http proxy by AppConsole and WCF does not. Any ideas?

Update 2: on recommendation of colleagues I tried to run the service in IIS with my own user (the same one I got SSL connection through AppConsole), but I do not know if I did it right or if something is missing, the service is unavailable (Service Unavailable). If someone has already done this and can help me it would be of good use to eliminate the possibility.

Update 3: I updated the error message I get when I try to connect by adding InnerException. When it says "the remote certificate is invalid according to the validation procedure." does it refer to the server that I am consuming the service?

Author: Maniero, 2014-01-31
Source

3 answers

It's not the first time I've seen this kind of situation happening.

We often forget to plan the environment where our application will run and let this common type of situation go unnoticed.

Since the proxy was not provided, the network can be configured to free access from your application/machine / port so that authentication to the proxy is not required.

If this is not possible, you need to configure an authentication type programmatically.

Your config should look something like this: 

    <bindings>
        <customBinding>
            <binding name="...2Soap12">

                <textMessageEncoding messageVersion="Soap12"/>
                <httpsTransport authenticationScheme="...." requireClientCertificate="???"/>
            </binding>
        </customBinding>
    </bindings>

And the client that will make the call must be configured with an appropriate authentication type (plain, kerberos, etc): 

client.ClientCredentials = ???

But I leave the alert that hitting all these settings is laborious on the first attempt and that is why I recommend avoiding the proxy at once.

 3
Author: Raul Almeida, 2014-02-04 15:42:38

Given the error message displayed, a response in the stackoverflow.com that you should pay attention to some hypotheses among them that the new computer does not have the certification chain that brings reliability to the certificate you are using.

If this is not the case, the answer lists other points that you can check. If you have difficulty in English, signal.

 2
Author: Raul Almeida, 2017-05-23 12:37:23

After much research and help from colleagues in the community, I found that the problem was the lack of configuration of Winhttp (Microsoft Windows HTTP Services) that does not use the same proxy configuration for users or that is in IE, It is as if it were something separate, only for services. Basically you need to configure whenever a service communicates over HTTP for external access via proxy.

Below I will put the procedures I performed in the environment (server 2003) through the tool "proxy.cfg.exe "

  1. run the Command prompt with administrator rights
  2. to view the current configuration, enter only the tool name proxycfg.exe.
  3. to set up a proxy, use the proxycfg.exe -p proxy.example.com:8080 "<local>" Command. Be careful to replace the proxy correctly. The last parameter "<local>" is optional and equals where the proxy should be ignored.
  4. restart IIS and you're done!

For windows 2008 things change a little, proxycfg no longer exists and the configuration is given by "netsh.exe "

  1. run the Command prompt or power shell with administrator rights
  2. to view the current configuration, enter the command netsl.exe Winhttp show proxy.
  3. to set up a proxy, use the netsh.exe Winhttp set proxy proxy.example.com:8080 "<local>" command. The last parameter "<local>" is optional and equals where the proxy should be ignored.
  4. restart IIS e Hello!

Well for my case this was enough to get to eliminate the error message:

Could not establish trust relationship for the SSL / TLS secure channel with authority 'subdominio.example.com.br'. the underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure."

No Stackoverflow.com there is a answer passed by colleague Raul Almeida that describes possible problems, even mentions this one that I posted. If you have the same error message and could not resolve with this procedure that I described, I recommend taking a look at this answer !

Fontes:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa382925(v=vs. 85).aspx
http://technet.microsoft.com/library/cc731131(WS.10).aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/aa384069(v=vs. 85).aspx

I hope to help someone with this!

 1
Author: Eric, 2017-05-23 12:37:23