Using System.Net tracing to determining if SSL connection has been established with the server
For a detailed blog article on how to use System.Net Tracing go here
https://blogs.msdn.com/dgorti/archive/2005/09/18/471003.aspx
Please note that this feature is available in versions of the .Net Framework 2.0 (and above).
In this concrete example I'll be using HttpWebRequest, but you can use any other System.Net API that supports SSL. As an example I shall use the following post:
https://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=340950&SiteID=1
The customer is attempting to access an https site but is getting a socket error: An existing connection was forcibly closed by the remote host. We enable tracing and the last thing we see in the log is:
System.Net Information: 0 : [3284] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 197368:1ff9d60, targetName = 212.77.100.18, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [3284] InitializeSecurityContext(In-Buffer length=9, Out-Buffer length=182, returned code=ContinueNeeded).
System.Net.Sockets Verbose: 0 : [3284] Socket#49212206::Send()
System.Net.Sockets Verbose: 0 : [3284] Data from Socket#49212206::Send
[ ……Here we receive data: omitting for clarity…..]
System.Net.Sockets Error: 0 : [3284] Exception in the Socket#49212206::Receive - An existing connection was forcibly closed by the remote host
System.Net.Sockets Verbose: 0 : [3284] Exiting Socket#49212206::Receive() -> 0#0
System.Net.Sockets Verbose: 0 : [3284] Socket#49212206::Dispose()
System.Net Error: 0 : [3284] Exception in the HttpWebRequest#33574638:: - The underlying connection was closed: An unexpected error occurred on a send.
System.Net Error: 0 : [3284] Exception in the HttpWebRequest#33574638::EndGetResponse - The underlying connection was closed: An unexpected error occurred on a send.
So how do we know what happened? In most cases we will see certificate errors and it will be easy to determine the cause, but in this case we do not see any. Why? The answer is that we were not able to successfully establish secure connection with the server – the ssl negotiation didn’t succeed and the server closed the connection. This s is the reason why the CertificateValidationCallback was not called at all - the server closed the connection before sending the certificates. In this case the problem was indeed the server: we try to use TLS first and if it doesn’t succeed we try to use SSL3 but the server immediately dropped the connection. So we explicitly set the protocol to be SSL3.
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3; which resolved the problem. Now you could see the certificates in there
System.Net Information: 0 : [0780] Remote certificate: [Version]
V1
[Subject]
E=mzielinski@wp-sa.pl, CN=w.wp.pl, OU=Pion Technologii Informatycznej, O=Wirualna Polska S.A., L=Gdansk, S=Pomorskie, C=PL
Simple Name: w.wp.pl
Email Name: mzielinski@wp-sa.pl
DNS Name: w.wp.pl.
[Issuer]
E=mzielinski@wp-sa.pl, CN=Wirtualna Polska Private Certification Centre Class 2, OU=Pion technologii Informatycznej, O=Wirtualna Polska S.A., L=Gdansk, S=Pomorskie, C=PL
Simple Name: Wirtualna Polska Private Certification Centre Class 2
Email Name: mzielinski@wp-sa.pl
DNS Name: Wirtualna Polska Private Certification Centre Class 2
[Signature Algorithm]
md5RSA(1.2.840.113549.1.1.4)
[Public Key]
Algorithm: RSA
Length: 1024
Key Blob: 30 81 89 02 81 81 00 bf ff ab 80 08 bb 39 e1 c0 97 64 75 1e ac ee 5e b8 84 8c eb e9 26 25 a5 77 6d 66 fa d3 dd 71 41 b5 87 8a 1f d4 08 8c ba 40 c....
………….
You can also see the certificate errors clearly logged.
System.Net Information: 0 : [0780] SecureChannel#34576242 - Remote certificate has errors:
System.Net Information: 0 : [0780] SecureChannel#34576242 - Certificate name mismatch.
System.Net Information: 0 : [0780] SecureChannel#34576242 - A certificate chain could not be built to a trusted root authority.
System.Net Information: 0 : [0780] SecureChannel#34576242 - A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Now the negotiation won’t succeed because of certificate errors which you could clearly see described in the log.