0
votes

I'm trying to install a self-hosted WCF service on a server running Windows Server 2012. I was following these steps:

  1. import my pfx file with mmc
  2. run "netsh http add sslcert ipport=0.0.0.0:49000 certhash=e09280ded2322eb858b38b3250e1a488f797b269 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}"

  3. install my service and start it

At first it works well. But after a few hours the SSL crashes and I can only get the error message below at the client:

An unhandled exception of type 'System.ServiceModel.CommunicationException' occurred in mscorlib.dll. Additional information: An error occurred while making the HTTP request to https://servername:49000/WCFServiceName. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.

Running "netsh http delete sslcert ipport=0.0.0.0:49000", deleting the imported pfx and then redoing steps 1 and 2 makes SSL work again, but the problem still appears after a few hours.

It's definitely not a SecurityProtocol problem, because I have already tried adding

System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;

before the request. Both server and client use .NET Framework 4.5.2.

I've tried "netsh http show sslcert" and got the result below:

    IP:port                      : 0.0.0.0:49000
    Certificate Hash             : e09280ded2322eb858b38b3250e1a488f797b269
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

I've tried deleting the sslcert binding on port 49000, creating an empty website binding to port 49000 in IIS, and then making my service listen on that port. It worked the first time and lasted for about a week before the same error popped up.

Where should I begin to locate and solve this weird problem?

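A place to begin is to check, on the server itself, each of the things HTTP.sys needs at handshake time: that the binding for the port still exists, that the certificate it names is present in the LocalMachine store (not a user store), that the certificate is within its validity window, that the private key can actually be opened, and what Schannel logged when the handshake failed. The script below is an added example for this question, not code from the original post; it assumes Windows PowerShell on the server with administrator rights, and the port and thumbprint from the question are defaults you can override.

```powershell
# Added diagnostic example (not part of the original question). Assumes Windows
# PowerShell run as administrator on the server; $IpPort and $ExpectedThumbprint
# default to the values from the question.
param(
    [string]$IpPort             = '0.0.0.0:49000',
    [string]$ExpectedThumbprint = 'e09280ded2322eb858b38b3250e1a488f797b269'
)

# 1. Read the HTTP.sys binding for this endpoint and pull out the certificate hash.
$bindingText = netsh http show sslcert ipport=$IpPort 2>&1 | Out-String
if ($bindingText -notmatch 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') {
    Write-Warning "No sslcert binding found for $IpPort; HTTP.sys will not terminate TLS on this port."
    Write-Output $bindingText
    return
}
$boundHash = $Matches[1].ToUpperInvariant()
$storeName = if ($bindingText -match 'Certificate Store Name\s*:\s*(\S+)') { $Matches[1] } else { 'My' }
if ($storeName -eq '(null)') { $storeName = 'My' }   # HTTP.sys falls back to LocalMachine\My

if ($boundHash -ne $ExpectedThumbprint.ToUpperInvariant()) {
    Write-Warning "Bound hash $boundHash differs from the expected thumbprint $ExpectedThumbprint."
}

# 2. Find the bound certificate in the machine store HTTP.sys reads from.
#    A .pfx imported into the *current user* store in mmc is invisible to HTTP.sys.
$cert = Get-ChildItem "Cert:\LocalMachine\$storeName" | Where-Object { $_.Thumbprint -eq $boundHash }
if (-not $cert) {
    Write-Warning "Binding points at $boundHash but no such certificate exists in LocalMachine\$storeName."
    return
}

# 3. Try to open the private key as the current user. Run this as the service's own
#    account to see exactly the error the service gets (e.g. "Access is denied").
#    Note: for CNG keys .PrivateKey throws "Invalid provider type specified" on .NET 4.x.
$keyAccess = 'n/a (certificate has no private key)'
if ($cert.HasPrivateKey) {
    try {
        $null = $cert.PrivateKey
        $keyAccess = 'OK'
    } catch {
        $keyAccess = $_.Exception.Message
    }
}

# 4. Report the properties that make HTTP.sys reject a certificate that worked earlier.
[pscustomobject]@{
    Subject          = $cert.Subject
    Thumbprint       = $cert.Thumbprint
    NotBefore        = $cert.NotBefore
    NotAfter         = $cert.NotAfter
    ExpiredNow       = $cert.NotAfter -lt (Get-Date)
    HasPrivateKey    = $cert.HasPrivateKey
    PrivateKeyAccess = $keyAccess
    ChainBuilds      = $cert.Verify()      # Usage Check: Enabled means EKU/chain are enforced
} | Format-List

# 5. Failed handshakes are reported by Schannel in the System log (for example event
#    36870, "fatal error ... attempting to access the SSL server credential private key"),
#    not in the WCF client's CommunicationException. HTTP.sys' own error log is under
#    %SystemRoot%\System32\LogFiles\HTTPERR.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Level = 2 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Run it once while the service is healthy and again after the failure appears; the fields that change between the two runs (the binding disappearing, the private key no longer opening, an expiry passing, or a burst of Schannel errors at the failure time) narrow the problem down to one layer before touching the binding again.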
1 Answer

0
votes

First, we should ensure that the certificate's private key can be accessed by WCF. The Network Service account (or the Everyone account) should be added to the certificate's READ/Write permission group, and then we run the application (Windows service, or console?) under the corresponding account.
https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-make-x-509-certificates-accessible-to-wcf
Second, as you know, the TLS version needs OS and .NET Framework support; the default protocol version is SSL 3.0/TLS 1.0 (auto-negotiated, cannot be configured). We had better use the latest OS version and .NET Framework 4.7. I think this may be the cause of the unstable communication.
Please refer to the below document.
https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
Feel free to let me know if the problem still exists.
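The first suggestion in the answer, granting the service account access to the certificate's private key, can be done without clicking through mmc and, more importantly, in a way that survives re-imports. The script below is an added example, not code from the answer or the linked Microsoft page: it locates the file that backs the private key (CAPI keys live under ProgramData\Microsoft\Crypto\RSA\MachineKeys, CNG keys under ProgramData\Microsoft\Crypto\Keys), grants the service account Read on it, and re-creates the HTTP.sys binding with the store named explicitly. It assumes Windows PowerShell 5.1 with .NET Framework 4.6 or later on the server, administrator rights, and a service running as NT AUTHORITY\NETWORK SERVICE; the thumbprint, port and appid are the ones from the question.

```powershell
# Added example implementing "make the private key accessible to the service account"
# (added here; not part of the original answer). Assumes PowerShell 5.1 / .NET 4.6+,
# admin rights, and that the WCF host runs as $Account. Values default to the question's.
param(
    [string]$Thumbprint = 'e09280ded2322eb858b38b3250e1a488f797b269',
    [string]$Account    = 'NT AUTHORITY\NETWORK SERVICE',
    [string]$IpPort     = '0.0.0.0:49000',
    [string]$AppId      = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpperInvariant() }
if (-not $cert)                { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)  { throw 'Certificate has no private key; re-import the .pfx with its key' }

# Resolve the on-disk key container for the certificate. Legacy CSP keys expose the
# container name via CspKeyContainerInfo; CNG keys make .PrivateKey throw, so we go
# through the RSA CNG handle instead. The file is then located under ProgramData\Microsoft\Crypto.
function Get-PrivateKeyFile([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    $uniqueName = $null
    try {
        $uniqueName = $c.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    } catch {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
        $uniqueName = $rsa.Key.UniqueName
    }
    if (-not $uniqueName) { throw 'Could not determine the private key container name' }

    $file = Get-ChildItem -Path (Join-Path $env:ProgramData 'Microsoft\Crypto') -Recurse `
                -Filter $uniqueName -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $file) { throw "Key container $uniqueName not found under $env:ProgramData\Microsoft\Crypto" }
    return $file.FullName
}

# Grant Read only: that is all a process needs to use the key for TLS. Write would let
# the service account replace or delete the server's private key.
$keyFile = Get-PrivateKeyFile $cert
$acl     = Get-Acl -Path $keyFile
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl
Write-Output "Granted Read on $keyFile to $Account"

# Re-create the HTTP.sys binding, naming the store explicitly so the binding and the
# certificate cannot drift apart. Arguments are quoted so PowerShell does not touch the braces.
netsh http delete sslcert "ipport=$IpPort" | Out-Null
netsh http add sslcert "ipport=$IpPort" "certhash=$($cert.Thumbprint)" "appid=$AppId" certstorename=MY
netsh http show sslcert "ipport=$IpPort"
```

Because the key file name is derived from the certificate each time, the same script can be run after every re-import of the .pfx; a fresh import creates a new key container with default permissions, which is one way the service account can lose access to a key it could read the day before.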