Problem connecting over SSL


#1

I followed the directions at http://docs.couchbase.com/developer/dotnet-2.1/configuring-ssl.html to configure SSL but am not able to execute a query.

The setup:

var configuration = new ClientConfiguration
{
    UseSsl = true
};

ClusterHelper.Initialize(configuration);
using (var bucket = ClusterHelper.GetBucket("default"))
{
    var query = bucket.CreateQuery("myDesignDoc", "myViewName");
    var result = bucket.Query<dynamic>(query);
}

Looking at the debugger, it shows that bucket.IsSecure is true. Also, query.UseSsl is true.

However, no rows are returned in the result and it has a StatusCode of “ServiceUnavailable” and an Exception of “The request was aborted: Could not create SSL/TLS secure channel.”

This is using .NET 4.5.2, Couchbase SDK 2.1.1, and Couchbase Enterprise Edition 3.0.3.


#2

@chrisgh -

Have you installed the certificate on the machine running the client code?

-Jeff


#3

Yes, following the steps in the linked documentation.

  1. Copied self-signed certificate from admin console>Settings>Cluster>Certificate
  2. Saved to .crt file.
  3. Imported via Certificates MMC to the Trusted Root Certificate Authorites\Certificates (import successful and see the cert in the list)
  4. Restarted CouchbaseServer windows service (just in case)

Both the client and server are running on the same machine (my local development desktop.)


#4

@chrisgh -

That looks correct. What OS are you using? Note that the server only supports TLS and not SSL3.

Checkout this SO post: http://stackoverflow.com/questions/2859790/the-request-was-aborted-could-not-create-ssl-tls-secure-channel

-Jeff


#5

The OS is Windows 8.1 Pro (64-bit).

I tried using the ServicePointManager (we actually do this with other projects for development purposes), but that didn’t solve the issue either.

private static bool AlwaysAcceptCertificate(
    object sender, 
    X509Certificate certificate, 
    X509Chain chain, 
    SslPolicyErrors policyErrors)
{
    return true;
}

then before ClusterHelper.Initialize(configuration):

ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
ServicePointManager.ServerCertificateValidationCallback += 
    new RemoteCertificateValidationCallback(AlwaysAcceptCertificate);

Breakpoint inside AlwaysAcceptCertificate is never hit.

I’ve also tried rebooting my machine (just in case).

There is an error in the Windows System logs (which I haven’t Googled yet):
“A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 801.”


#6

@chrisgh -

Have you made in progress on this?

-Jeff


#7

Unfortunately, no. This was part of an evaluation of the technology so it wasn’t something that was necessarily critical. I’m confident that, if nothing else, we’d be able to get it working in a production environment, so I’ve moved on for now.

Thanks.


#8

@chrisgh -

Ok, if you feel that it’s a bug or discover the solution, please either create a Jira ticket or post your work-around/fix.

Thanks!

-Jeff