Problem connecting over SSL

I followed the directions at http://docs.couchbase.com/developer/dotnet-2.1/configuring-ssl.html to configure SSL but am not able to execute a query.

The setup:

var configuration = new ClientConfiguration
{
    UseSsl = true
};

ClusterHelper.Initialize(configuration);
using (var bucket = ClusterHelper.GetBucket("default"))
{
    var query = bucket.CreateQuery("myDesignDoc", "myViewName");
    var result = bucket.Query<dynamic>(query);
}

Looking at the debugger, it shows that bucket.IsSecure is true. Also, query.UseSsl is true.

However, no rows are returned in the result and it has a StatusCode of “ServiceUnavailable” and an Exception of “The request was aborted: Could not create SSL/TLS secure channel.”

This is using .NET 4.5.2, Couchbase SDK 2.1.1, and Couchbase Enterprise Edition 3.0.3.

@chrisgh -

Have you installed the certificate on the machine running the client code?

-Jeff

Yes, following the steps in the linked documentation.

  1. Copied self-signed certificate from admin console>Settings>Cluster>Certificate
  2. Saved to .crt file.
  3. Imported via Certificates MMC to the Trusted Root Certificate Authorities\Certificates (import successful and see the cert in the list)
  4. Restarted CouchbaseServer Windows service (just in case)

Both the client and server are running on the same machine (my local development desktop.)

@chrisgh -

That looks correct. What OS are you using? Note that the server only supports TLS and not SSL3.

Check out this SO post: http://stackoverflow.com/questions/2859790/the-request-was-aborted-could-not-create-ssl-tls-secure-channel

-Jeff

The OS is Windows 8.1 Pro (64-bit).

I tried using the ServicePointManager (we actually do this with other projects for development purposes), but that didn’t solve the issue either.

private static bool AlwaysAcceptCertificate(
    object sender, 
    X509Certificate certificate, 
    X509Chain chain, 
    SslPolicyErrors policyErrors)
{
    return true;
}

then before ClusterHelper.Initialize(configuration):

ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
ServicePointManager.ServerCertificateValidationCallback += 
    new RemoteCertificateValidationCallback(AlwaysAcceptCertificate);

Breakpoint inside AlwaysAcceptCertificate is never hit.

I’ve also tried rebooting my machine (just in case).

There is an error in the Windows System logs (which I haven’t Googled yet):
“A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 801.”
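
One way to narrow down a failure like the one described above, as an added example that is not part of the original thread and is not Couchbase SDK code: it attempts a handshake with each TLS version through SslStream, keeps normal certificate validation in place, and reports whether the failure occurred before the certificate was ever checked or during validation. The class name TlsProbe, the default host, and port 18092 (assumed here to be the server's SSL view port) are assumptions.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

// Added diagnostic example. Host and port are assumptions, not values from the thread.
static class TlsProbe
{
    static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "localhost";
        int port = args.Length > 1 ? int.Parse(args[1]) : 18092; // assumed SSL view port

        foreach (var protocol in new[] { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 })
            Console.WriteLine("{0,-6} {1}", protocol, Probe(host, port, protocol));
    }

    static string Probe(string host, int port, SslProtocols protocol)
    {
        // Stays null when the handshake is aborted before the certificate is presented.
        SslPolicyErrors? seen = null;
        try
        {
            using (var tcp = new TcpClient(host, port))
            using (var ssl = new SslStream(tcp.GetStream(), false,
                (sender, cert, chain, errors) =>
                {
                    seen = errors;                         // record what validation found
                    return errors == SslPolicyErrors.None; // normal validation, nothing bypassed
                }))
            {
                ssl.AuthenticateAsClient(host, null, protocol, false);
                return string.Format("OK: {0}, {1} ({2} bit)",
                    ssl.SslProtocol, ssl.CipherAlgorithm, ssl.CipherStrength);
            }
        }
        catch (AuthenticationException ex) { return Describe(seen, ex); }
        catch (IOException ex) { return Describe(seen, ex); }
        catch (SocketException ex) { return "TCP connect failed: " + ex.Message; }
    }

    static string Describe(SslPolicyErrors? seen, Exception ex)
    {
        string stage = seen.HasValue
            ? "certificate rejected (" + seen.Value + ")"
            : "handshake failed before certificate validation";
        return stage + ": " + (ex.InnerException ?? ex).Message;
    }
}
```

A result of "handshake failed before certificate validation" for every version points at protocol or cipher negotiation rather than at the trust store, while "certificate rejected" names the specific policy error, such as a name mismatch or an untrusted root.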

@chrisgh -

Have you made any progress on this?

-Jeff

Unfortunately, no. This was part of an evaluation of the technology so it wasn’t something that was necessarily critical. I’m confident that, if nothing else, we’d be able to get it working in a production environment, so I’ve moved on for now.

Thanks.

@chrisgh -

Ok, if you feel that it’s a bug or discover the solution, please either create a Jira ticket or post your work-around/fix.

Thanks!

-Jeff