Visa Developer Community

Regular Visitor

could not create ssl/tls secure channel web service

Hi everyone. Need some help over here.

As some of you faced before, I'm currently facing the same issue when consuming the Visa sandbox API from C# console code (the sample project downloaded from Visa). I know I have set the certificate correctly because it works perfectly when I consume the API from SoapUI. I've tried explicitly setting it to use TLS 1.2, but it still does not work.

 

Thanks in advance

Visa Dev Moderator

Re: could not create ssl/tls secure channel web service

Hi @manuel,

 

Please check if the traffic is being sent over from TLS version 1.2. If you are testing using SoapUI, please check if the following VM option is added to this file SoapUI-x.y.z.vmoptions.


-Dsoapui.https.protocols=TLSv1.2 should go into the file as a line item.

Thanks,
Diana

Regular Visitor

Re: could not create ssl/tls secure channel web service

Hi @DianaTran-Yee:

 

Thanks for your reply.

 

I think I'm getting closer. I see I'm now getting a response from visa but is not the one I want yet.

When I first started my test I was able to run the HelloWorld sample from SoapUI, but I could not make it work from the .NET Console Application. While trying to make it work I made lots of requests from the console application. I believe (not sure) my user got blocked, because now (I made some changes in my code) that I'm getting a response from Visa I get the message "Expected input credential was not present" from both the console application and SoapUI.

 

This is how it looks like:

 

Capture.PNG

Is it possible my user got blocked? Or did something I'm missing go wrong?

 

Thanks,

manuel

Visa Dev Moderator

Re: could not create ssl/tls secure channel web service

Hi @manuel,

 

Usually occurs when the client certificates are not sent.

  • Keystore is not set up. Certificates are not in the keystore
    • For java keystore (jks) run keytool command and verify all the certificates have been imported on the keystore
      • keytool -list -v -keystore keystore.jks
    • For a p12 execute the following openssl command:
      • openssl pkcs12 -info -in keyStore.p12
  • Client certificates not sent along with the request because of networking issues on the client side
  • Splunk error message: MSG=Request doesn't contain wsi_client_cert header
  • In SOAPUI check File->Settings->SSL Settings and make sure the KeyStore and KeyStore Password are populated in Soap UI

KeyStore_KeyStore Password Populated.png

  • Check SSL Info Tab in SOAP UI Response and verify you have a Local Certificate 1 , Local Certificate 2 followed by Peer Certificate 1 and Peer Certificate 2

Peer Cert image2018-8-1_12-0-18.png

Usually occurs when the incorrect method is used for example GET instead of POST.

  • Verify Raw tab in SOAP UI and check the method

Check Post image2018-8-1_12-0-30.png

Thanks,
Diana

Visa Dev Moderator

Re: could not create ssl/tls secure channel web service

Hi @manuel,

 

Please also try the following to resolve the 400-9124 error. 

If you are using SOAP UI, please make sure to select "Authenticate pre-emptively" under "Auth (Basic)" tab.          

authenticate pre-emptively.jpg

 

  • Also, please double check in the request raw tab that the "Authentication Basic" is present. 

check authorization.jpg

 

Please follow the getting started guide and read the Two-Way SSL (Mutual Authentication) guide: https://developer.visa.com/vdpguide#twoway_ssl_mutual_authentication   

 

If you continue to get this issue, please provide us the correlation ID and we can further investigate the issue.

 

Below are the steps to get the Correlation ID using a Google Chrome browser.

1. Open Chrome menu.
2. Click on More tools then Developer tools.
3. Check the box to Preserve Log for the Network Tab.
4. Click on the error and go to the Headers.
5. You can find the Correlation ID in the network log.

 

 

Thanks,
Diana

Regular Visitor

Re: could not create ssl/tls secure channel web service

Hi @DianaTran-Yee:

 

Thank you for taking the time to reply to my doubts.

I haven't found the solution to properly run the C# Code Sample that I downloaded from the VISA Developer Github account.

 

Nevertheless, I have gone further and I started "watching" the packages going through the network with Wireshark, and the error I'm getting when invoking Visa APIs is: TCP duplicate ack. As I said in my previous post, from SoapUI I can perfectly consume the API. This is what the response looks like once I call the API with SoapUI:

 

SoapUi OK.PNG

And these are the packages related to the previous call:

Wireshark OK.PNG

But when it comes to consuming the API from the console application, Wireshark shows me the following errors:

Wireshark bad.PNG

As you can see the network error message is: TCP Dup ACK. On the other hand, the error I'm getting directly in .NET is: The request was aborted: Could not create SSL/TLS secure channel.

 

I need some help. I haven't made any changes to the code I downloaded.

Thanks in advance,

Visa Dev Moderator

Re: could not create ssl/tls secure channel web service

Hi @manuel,                             

 

It's common to have a small number of TCP Dup Acks in Wireshark. However, if you're seeing lots of TCP Dup Acks, then that's a problem that you'll want to look into further.

 

Try the following to resolve the issue:
· Try narrowing down what could be causing the TCP Dup Acks.
· Try updating the drivers.
· Is it a bad wireless connection or are you having any interference? Check that your WiFi connection is good. You can also try connecting/trying another WiFi service, as well.
· Is it bad cabling? Check the cables connecting the devices to the switch or try switching out the cables if you think they're faulty.

 

To further investigate, please provide me with the following information from SoapUI:

1. End Point
2. Request Header
3. Request Body
4. Response Header (include the x-correlation-id)
5. Response Body

Using SoapUI, you can find the x-correlation-id in the Raw Tab of the response header.

Thanks,
Diana

Regular Visitor

Re: could not create ssl/tls secure channel web service

Hi @DianaTran-Yee!

 

It's now working! I had to make a few changes to the original code.

It was a certificate problem. I don't know why the certificate I installed at the beginning was not being added correctly to the request, hence the message: "could not create ssl/tls secure channel".

 

CaptureCertificate.PNG

 

Now I have the response I was expecting

CaptureResponse.PNG

Thanks for your help & time!

regards

 

Visa Dev Moderator

Re: could not create ssl/tls secure channel web service

Hi @manuel,

 

That's so exciting and I'm so happy to hear that it's working as expected! Thanks for letting me know it's now successfully working and for the screenshot photos too. I'm always interested to hear about how the code testing progress is going and how you reached the resolution.

Thanks,
Diana

Regular Visitor

Re: could not create ssl/tls secure channel web service


@manuel wrote:

Hi everyone. Need some help over here.

As some of you faced before, I'm currently facing the same issue when consuming the Visa sandbox API from C# console code (the sample project downloaded from Visa). I know I have set the certificate correctly because it works perfectly when I consume the API from SoapUI. I've tried explicitly setting it to use TLS 1.2, but it still does not work.

 

Thanks in advance


 


Problem solved. Seems an Intermediate Certificate was missing. Imported it into Intermediate Certificates in MMC, and all was good 🙂
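
A pre-flight check for the two causes reported in this thread (the client certificate not being attached to the request, and a missing intermediate certificate), written as an added example; it is not code from the thread or from Visa's sample project. It targets a .NET Framework console application, and the file name, password, endpoint, HTTP method and credentials are placeholders to replace with your own.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Text;
static class MutualTlsPreflight
{
    // Placeholders (assumptions; none of these values come from the thread).
    const string PfxPath = "client_cert.p12";
    const string PfxPassword = "<p12-password>";
    const string Endpoint = "https://<api-host>/<resource-path>";
    const string UserId = "<user-id>", Password = "<password>";
    static void Main()
    {
        var cert = new X509Certificate2(PfxPath, PfxPassword);

        // Without the private key the client cannot prove ownership of the
        // certificate, so it cannot be used for client authentication.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Client certificate has no private key.");

        // Build the chain from the Windows certificate stores. A missing
        // intermediate is reported as PartialChain.
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.Build(cert);
            foreach (X509ChainElement e in chain.ChainElements)
                Console.WriteLine("chain element: " + e.Certificate.Subject);
            foreach (X509ChainStatus s in chain.ChainStatus)
                if (s.Status.HasFlag(X509ChainStatusFlags.PartialChain))
                    throw new InvalidOperationException("Issuer certificate missing: " + s.StatusInformation.Trim());
        }

        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        var req = (HttpWebRequest)WebRequest.Create(Endpoint);
        req.Method = "GET"; // assumption: use the method the API expects
        req.ClientCertificates.Add(cert); // attach the certificate explicitly
        req.Headers[HttpRequestHeader.Authorization] = "Basic " +
            Convert.ToBase64String(Encoding.UTF8.GetBytes(UserId + ":" + Password));

        using (var resp = (HttpWebResponse)req.GetResponse())
        using (var body = new StreamReader(resp.GetResponseStream()))
        {
            Console.WriteLine((int)resp.StatusCode + " x-correlation-id: " + resp.Headers["x-correlation-id"]);
            Console.WriteLine(body.ReadToEnd());
        }
    }
}
```

If the chain check fails, the printed chain elements show how far the chain was built, which identifies the issuer certificate that still has to be imported.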