"Could not establish secure channel for SSL/TLS" in .NET CF application on smart phone
- by Stefan Mohr
I have a stubborn communications issue with an application running on the .NET Compact Framework 3.5 on Windows Mobile smartphones.
I am constructing a web request using this code:
UTF8Encoding encoding = new System.Text.UTF8Encoding();
byte[] Data = encoding.GetBytes(HttpUtility.ConstructQueryString(parameters));
httpRequest = WebRequest.Create((domain)) as HttpWebRequest;
httpRequest.Timeout = 10000000;
httpRequest.ReadWriteTimeout = 10000000;
httpRequest.Credentials = CredentialCache.DefaultCredentials;
httpRequest.Method = "POST";
httpRequest.ContentType = "application/x-www-form-urlencoded";
httpRequest.ContentLength = Data.Length;
Stream SendReq = httpRequest.GetRequestStream();
SendReq.Write(Data, 0, Data.Length);
SendReq.Close();
HttpWebResponse httpResponse = (HttpWebResponse)httpRequest.GetResponse();
return httpResponse.GetResponseStream();
The web service functions by receiving a JSON-encoded document as part of the URL (eg. https://site.com/ws/sync??document={"version":"1.0.0","items":[{"item_1":"item1"}]}&user=usr&password=pw), and as a response receives another JSON document as response data.
This code runs fine on all emulators and PDAs running WM 5 and 6. We have seen an issue with a couple of customers running Treo smartphones (and only on the Sprint network). We have tested the code on an identical device on the AT&T network (via DeviceAnywhere) and once again the code worked as we expected.
This has to be some sort of security policy on the phone, but we've been unable to determine a workaround or diagnose it thoroughly as we cannot reproduce it in house and have had to resort to getting users to assist with running test drivers for us.
When this code executes, the user's device throws the following exception:
System.Net.WebException
Could not establish secure channel for SSL/TLS
Stack trace: at System.Net.HttpWebRequest.finishGetRequestStream()
at System.Net.HttpWebRequest.GetRequestStream()
at OurApp.GetResponseStream(String domain, Hashtable parameters)
inner exception:
System.IO.IOException
Authentication failed because the remote party has closed the transport stream.
Stack trace: at System.Net.SslConnectionState.ClientSideHandshake()
at System.Net.SslConnectionState.PerformClientHandShake()
at System.Net.Connection.connect(Object ignored)
at System.Threading.ThreadPool.WorkItem.doWork(Object o)
at System.Threading.Timer.ring()
Examining the server Apache logs shows no hits from the user's IP - I don't think the device is even attempting to send a packet before failing.
If relevant, the server is running Apache on Linux and is written using the TurboGears Python framework.
The server certificate is issued by a CA and is still valid.
The test driver where this error was copied from was not code signed, however the same error (without the error messages) is signed with a GeoTrust certificate so we don't believe this is a code signing issue.
The application installs and launches without issue on all phones - it's just establishing this SSL connection that is breaking for these users.
One significant issue in troubleshooting is that there is a substantial inconvenience each time we try out a solution (need to find a "volunteer" customer), so we're really looking for a silver bullet or a better understanding of the handshaking process so we can be reasonably confident we only need to ask the user to test it one or two more times.
One final mention: we have tried the sync both over ActiveSync and also over GPRS with identical results.
Any thoughts would be greatly appreciated!
