Unable to Establish a Secure Channel from Windows Service to Web Service via HTTPS


Rob

Hello,

We have a Windows 2003 Server that is running .Net Framework 1.1. We have a
web service running on this server. The server is configured to support SSL.
We are not running a load-balanced server farm.

We have several client machines running in various networks around the
country. Each has internet connectivity. Each has the server certificate
installed. Each establishes a secure connection to the web service.

Each client machine is running a Windows service that was written in VB.Net.
This service periodically polls the web service for information. The polling
logic uses a proxy class that was generated with the WSDL utility. We have
created a CertificatePolicy to validate the server certificate, and we have
verified that the certificate policy is getting called. The server
certificate is valid.

Several of our client machines report the following error intermittently.

"The underlying connection was closed. Could not establish secure channel
for SSL/TLS."

We report events such as this via the same web service that could not
establish the connection. Also, we record the events in the event log. We
are not missing events between the two reporting mechanisms. It is
interesting that the first attempt to communicate with the web service fails
with the error that is reported above, but the second attempt, which reports
the error, succeeds.

This appears to be the stale connection error that has been reported in many
newsgroups.

We have verified that FIPS is disabled in the local security policy's system
cryptography section on all of our client machines.

What else can I do to resolve this problem?

Activelyx
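The post mentions a custom CertificatePolicy that validates the server certificate. On .NET Framework 1.1 that is an `ICertificatePolicy` installed on `ServicePointManager`, and it is the one place where a client can accidentally turn server authentication off by returning `True` unconditionally. The following is an added example written for this thread, not code from the original poster: a policy that only accepts the handshake when the OS-built chain was clean and the presented certificate is the one the clients were provisioned with. The class name `PinnedServerCertificatePolicy`, the event source `PollingService` and the thumbprint constant are assumptions; the thumbprint is a placeholder.

```vbnet
' Added example, not code from the original thread. Targets .NET Framework 1.1,
' where ServicePointManager exposes CertificatePolicy (not
' ServerCertificateValidationCallback). Assumes the service already writes to
' the Windows event log under the source "PollingService" (assumption) and that
' ExpectedThumbprint is replaced with the real server certificate's SHA-1 hash.
Imports System
Imports System.Diagnostics
Imports System.Net
Imports System.Security.Cryptography.X509Certificates

' Called once per ServicePoint after the SSL/TLS handshake. Returning True is
' what allows the secure channel; returning True for every input would silently
' disable server authentication, so this policy enforces two checks.
Public Class PinnedServerCertificatePolicy
    Implements ICertificatePolicy

    ' PLACEHOLDER: the hex SHA-1 thumbprint of the installed server certificate.
    Private Const ExpectedThumbprint As String = "0000000000000000000000000000000000000000"

    ' certificateProblem is 0 when the chain validated cleanly; any other value
    ' is a Win32 CERT_E_* / TRUST_E_* code (expiry and host-name mismatch are
    ' reported through it as well, so they need no separate date/name parsing).
    Public Function CheckValidationResult(ByVal srvPoint As ServicePoint, _
            ByVal certificate As X509Certificate, _
            ByVal request As WebRequest, _
            ByVal certificateProblem As Integer) As Boolean _
            Implements ICertificatePolicy.CheckValidationResult

        If certificate Is Nothing Then
            LogRejection("no server certificate presented", srvPoint)
            Return False
        End If

        ' 1. The operating system must have validated the chain.
        If certificateProblem <> 0 Then
            LogRejection("chain validation failed, code 0x" & _
                certificateProblem.ToString("X8"), srvPoint)
            Return False
        End If

        ' 2. The certificate must be the one installed on the clients, not merely
        '    any certificate the OS happens to trust.
        Dim actual As String = certificate.GetCertHashString()
        If String.Compare(actual, ExpectedThumbprint, True) <> 0 Then
            LogRejection("unexpected thumbprint " & actual, srvPoint)
            Return False
        End If

        Return True
    End Function

    ' A rejected handshake is logged distinctly, so that it cannot be confused
    ' with the stale-connection failure the thread describes when reading the
    ' event log later.
    Private Sub LogRejection(ByVal reason As String, ByVal srvPoint As ServicePoint)
        Dim host As String = "(unknown)"
        If Not srvPoint Is Nothing Then host = srvPoint.Address.Host
        EventLog.WriteEntry("PollingService", _
            "Rejected server certificate for " & host & ": " & reason, _
            EventLogEntryType.Warning)
    End Sub
End Class

' Install the policy once, before the first web service call is made
' (for example in the service's OnStart).
Public Module PolicyInstaller
    Public Sub Install()
        ServicePointManager.CertificatePolicy = New PinnedServerCertificatePolicy()
    End Sub
End Module
```

Because `certificateProblem` already carries expiry and name-mismatch errors, the thumbprint check is the only addition over what the OS does; it turns "some trusted CA signed this" into "this is our server", which is what the intermittent-failure investigation in this thread relies on being true.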
 

Steven Cheng[MSFT]

Hi Activelyx ,

Welcome to the MSDN newsgroup.
From your description, you have one ASP.NET webservice deployed on one
server machine, and some other client machines use a windows service to
periodically call it. However, on some machines it occasionally reports the

"The underlying connection was closed. Could not establish secure channel
for SSL/TLS." error, and another webservice call (to the same webservice)
to log the error always succeeds, correct?

If I misunderstood anything, please feel free to let me know. If this is
the case, it really seems a bit strange, since the webmethod calls to the same
webservice produce different results. Does the problem always occur on only
certain client machines, while other client machines always work
well? Also, on the problem client machine, is there any difference between
the webmethod call which raises the error and the webmethod call which logs
the error? In addition, can you find any log entries in the webservice
server's IIS log related to the requests from the client machine with the error?

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 

Rob

Hi Steven,

Thanks for your response.

I have reviewed the web server logs for the last couple of days for the time
periods when the error occurred. I see web service calls every 5 minutes
from each client machine. Only one per machine, every 5 minutes. I see no
HTTP errors, only 200s.

Our web service has one method, ProcessRequest. We send this method
different XML data using a schema that defines the tasks. Tasks might be
"report new data", or "record alert message", etc. The web service validates
the XML that it receives using the schema and deserializes the XML into an
object graph which is used to process the request.

So when the windows service gets an exception, it reports the error to the
same web service web method, but using a different XML data stream.
Therefore, I always see a message every 5 minutes from each machine. The
message might be a "report new data" request, or a "record exception
message" request. I cannot differentiate between them in the web server log,
but I see what's happening in our database, because the "report new data"
requests and "record exception message" requests are written to our database
by the web service.

My hypothesis is that an open connection has gone stale. A windows service
in the client machine tries to establish a secure connection with the web
service, and an exception occurs. The exception is handled in the windows
service, and the message is reported via another secure connection to the
same web service, only this time, a new connection is used. So it succeeds.
So I see a request in the web server log every 5 minutes from each client
machine.

If I were going to implement retry logic when this error occurs, the second
attempt would probably work. I believe that this is the case, because the
exception is reported to the web service successfully every time the error
occurs. But I don't need retry logic, because each client machine retries
every 5 minutes anyway.

We thought the problem might have been caused by wireless routers at the
client machine sites. So we replaced those, and we still see the problem.
However, we replaced them with VOIP routers. I will get the make and model
for you.

Regards,

ActivelyX
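The hypothesis above (a pooled HTTPS connection goes stale between five-minute polls, the first call fails, the next call on a fresh connection succeeds) has a well-known client-side mitigation on .NET 1.1: have the WSDL-generated proxy disable HTTP keep-alive so every call opens a fresh connection and handshake. The following is an added example for this thread, not the original poster's code. Only the web method name `ProcessRequest` comes from the thread; the generated proxy class name `RequestService`, its string-in/string-out signature, and the `PollingClient` wrapper are assumptions. The bounded retry is included to show the shape such logic takes, since the thread notes a second attempt reliably succeeds.

```vbnet
' Added example, not code from the original thread. Assumes a WSDL-generated
' proxy class named RequestService (assumption) whose web method
' ProcessRequest (from the thread) takes and returns XML as a String.
Imports System
Imports System.Net
Imports System.Web.Services.Protocols

' The generated proxy derives from SoapHttpClientProtocol, which lets a subclass
' intercept every HttpWebRequest it builds.
Public Class RequestServiceNoKeepAlive
    Inherits RequestService

    ' With KeepAlive = False each call opens a new connection and a new SSL/TLS
    ' handshake, so a pooled connection that the server or an intermediate
    ' router silently dropped is never reused. Forcing HTTP/1.0 removes the
    ' persistent-connection default entirely.
    Protected Overrides Function GetWebRequest(ByVal uri As Uri) As WebRequest
        Dim request As HttpWebRequest = DirectCast(MyBase.GetWebRequest(uri), HttpWebRequest)
        request.KeepAlive = False
        request.ProtocolVersion = HttpVersion.Version10
        Return request
    End Function
End Class

Public Class PollingClient
    ' One retry only: the thread's own evidence is that the second attempt
    ' succeeds, so anything beyond that masks a different problem.
    Private Const MaxAttempts As Integer = 2

    ' Sends one task document; retries once on a dropped/stale secure channel
    ' and re-throws everything else so real failures still reach the event log.
    Public Function SendRequest(ByVal xml As String) As String
        Dim proxy As New RequestServiceNoKeepAlive()
        Dim attempt As Integer = 1
        Do
            Try
                Return proxy.ProcessRequest(xml)
            Catch ex As WebException When IsStaleChannelError(ex) AndAlso attempt < MaxAttempts
                attempt += 1
            End Try
        Loop
    End Function

    ' The quoted message "Could not establish secure channel for SSL/TLS" is
    ' raised with SecureChannelFailure; the other two statuses are what a
    ' dropped pooled connection surfaces as before the handshake even starts.
    Private Function IsStaleChannelError(ByVal ex As WebException) As Boolean
        Return ex.Status = WebExceptionStatus.SecureChannelFailure _
            OrElse ex.Status = WebExceptionStatus.ConnectionClosed _
            OrElse ex.Status = WebExceptionStatus.KeepAliveFailure
    End Function
End Class
```

Disabling keep-alive costs one extra TCP connection and TLS handshake per poll, which at one call every five minutes per client is negligible, and it makes the first and second calls in the thread behave identically, which is the simplest way to confirm or rule out the stale-connection hypothesis without changing anything on the server.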
 

Steven Cheng[MSFT]

Thanks for your response and the further description.

I think your analysis on the stale connection and retrying is reasonable.
And I also agree that this somewhat depends on the network environment
and the code logic should be ok. Anyway, if you have any further findings,
please feel free to post here.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
