ArjunPujar-0655 asked · PengDing-MSFT commented

ServicePointManager.ServerCertificateValidationCallback not executing when two threads (main + background thread) try to access a server.

Hi,

I have a WCF service hosted as a Windows Service over HTTPS, with a self-signed certificate.

I have a client (Windows application) in which I am trying to communicate with the above service. I have a mechanism in my client to verify the availability of the service: every 2 seconds it invokes the service API in a background thread.

While doing a very specific operation, the same service API (as mentioned above) gets invoked in the main thread as well.

We have implemented a delegate to verify the server certificate by hooking it to ServicePointManager.ServerCertificateValidationCallback, which works fine on all machines (mostly our internal domain machines) except a workgroup machine. All these machines are running Windows 10.

Problem statement: On the workgroup machine, for the very first call to my service, I am getting:

SecurityNegotiationException occurred: Could not establish trust relationship for the SSL/TLS secure channel with authority 'desktop-#####:5001'. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

On subsequent calls, everything works fine. The moment I close my client application and start it again (which makes the first call to the service), the same issue happens again.

Some analysis inputs: The moment I remove the call to the service from the background thread, everything works fine. The moment I bring back the call to the service from the background thread, the delegate is invoked for the background thread but not for the main thread (I found this based on custom logging).

Questions:
1. Why is my delegate not invoked to validate the server certificate from the main thread?
2. Why is the WCF framework handling the certificate error, even though we have our own certificate handler (delegate)?
3. When I comment out the call from the background thread, the delegate is invoked to validate the server certificate, and it succeeds.
4. Why is this issue happening only on the workgroup machine?

Note:
1. This problem is the same when I tried always returning true from the delegate (which is against a security rule).
2. The service is running on the same workgroup machine where the client runs.
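As an added example (not the poster's code, and not a diagnosis of the issue above), the following shows how a certificate-validation delegate can accept a self-signed service certificate by pinning its thumbprint rather than returning true, log which thread performed the check (the kind of custom logging the post relies on), and register the same pinning logic with both hooks a WCF client may hit: the ServicePointManager callback and WCF's own client-side X509CertificateValidator. The thumbprint value, the IMyService contract and the endpoint address are placeholders to be replaced with the real ones.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Threading;

// Shared pinning logic used by both validation hooks below.
static class PinnedCertificateValidator
{
    // Placeholder (assumption): replace with the thumbprint of the self-signed
    // service certificate as shown in the certificate's details pane.
    private const string ExpectedThumbprint = "0000000000000000000000000000000000000000";

    public static bool IsTrusted(X509Certificate2 certificate, SslPolicyErrors errors)
    {
        // Log the thread that ran the check, so main-thread vs background-thread
        // invocations can be told apart in the client's log.
        Console.WriteLine(
            $"[thread {Thread.CurrentThread.ManagedThreadId}] validating {certificate.Subject}, errors={errors}");

        // A self-signed certificate always yields RemoteCertificateChainErrors (untrusted root),
        // which pinning is meant to cover. A missing certificate or a host-name mismatch
        // is never accepted.
        if ((errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0 ||
            (errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            return false;

        // Accept only the exact pinned certificate; never a blanket "return true".
        return string.Equals(certificate.Thumbprint, ExpectedThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}

// Hook 1: the ServicePointManager callback used by HttpWebRequest-based stacks.
static class ServicePointHook
{
    public static void Register()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, cert, chain, errors) =>
                cert != null &&
                PinnedCertificateValidator.IsTrusted(new X509Certificate2(cert), errors);
    }
}

// Hook 2: WCF's client-side validator. With CertificateValidationMode.Custom,
// WCF hands the trust decision entirely to this class.
sealed class PinnedWcfValidator : X509CertificateValidator
{
    public override void Validate(X509Certificate2 certificate)
    {
        if (!PinnedCertificateValidator.IsTrusted(certificate, SslPolicyErrors.None))
            throw new SecurityTokenValidationException(
                "Service certificate does not match the pinned thumbprint.");
    }
}

// Placeholder contract standing in for the poster's real service contract (assumption).
[ServiceContract]
interface IMyService { [OperationContract] string Ping(); }

static class Program
{
    static void Main()
    {
        // Register the callback once, on the main thread, before any background
        // thread issues its first request, so no thread can race the registration.
        ServicePointHook.Register();

        // Placeholder endpoint (assumption); the binding is plain HTTPS transport security.
        var factory = new ChannelFactory<IMyService>(
            new BasicHttpsBinding(),
            new EndpointAddress("https://SERVICE-HOST:5001/MyService"));
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.Custom;
        factory.Credentials.ServiceCertificate.Authentication.CustomCertificateValidator =
            new PinnedWcfValidator();

        IMyService proxy = factory.CreateChannel();
        Console.WriteLine(proxy.Ping());
    }
}
```

Because the pinning check only compares against a constant, it is safe to call from several threads at once; the only ordering that matters is that the callback is assigned before the first request on any thread. Pinning keeps a self-signed certificate usable on a machine that does not trust its issuer, while an unconditional `return true` accepts any certificate presented, which is why the post treats that workaround as a security rule violation.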



windows-wcf

Hi @ArjunPujar-0655, this issue may be related to the version of TLS; you can refer to "Transport Layer Security (TLS) best practices with the .NET Framework".


0 Votes 0 ·

Hi @PengDing-MSFT, thanks for the input. I verified the workgroup machine and TLS 1.2 is enabled. Client and server are responding with the same version, which I have verified with a tool.
And just to reiterate, this issue happens only during the first call to the server, and subsequent calls occur without any issue.


0 Answers