{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 老娘就宠你 的问题《Returning more verbose error messages from HttpCli》','https://www.manongdao.com/q-1050327.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm writing code against a web server that does client certificate authentication. I make a WebRequestHandler with my certificate chain, pass that into a HttpClient object and then call PostAsync on the HttpClient. This works fine with a valid certificate on the chain of trust that is not revoked. The HttpResponseMessage task faults when the certificate is revoked (as is expected) and Exception member contains this aggregate exception:
An error occurred while sending the request.
The request was aborted: Could not create SSL/TLS secure channel.
My problem is that I need a more verbose error. If I do the same thing (submit the same revoked client certificate) from Chrome I get this error:
ERR_BAD_SSL_CLIENT_AUTH_CERT
And from Internet Explorer:
ERROR_INTERNET_SEC_CERT_REVOKED
How can I get such an error? I need to tell the user not only that it didn't work but WHY. The fact that browsers get a more precise error seems to indicate that more information is coming back that just the fault exception. It doesn't seem to be because of intentional obfuscation.
Code sample:
WebRequestHandler handler = new WebRequestHandler();
if (certCol != null)
{
foreach (X509Certificate2 cert in certCol)
{
handler.ClientCertificates.Add(cert);
}
}
else
{
sLastErr = "Could not find client certificate to communicate. Certificate collection is NULL.";
LogHelper.LogGenericError(
_logger,
sLastErr
);
return false;
}
_HttpClient = new HttpClient(handler);
_HttpClient.PostAsync(uriCM, reqContent).ContinueWith(requestTask =>
{
HttpResponseMessage httpRespContent = null;
bool bSuccess = false;
if (requestTask.IsCompleted)
{
if (requestTask.Status == TaskStatus.RanToCompletion)
{
httpRespContent = requestTask.Result;
bSuccess = true;
}
else if(requestTask.Status == TaskStatus.Faulted)
{
if (requestTask.Exception != null)
{
LogHelper.LogErrorWithAggregateException(_logger, "PostAsync call faulted.", requestTask.Exception);
//exception messages in aggregate exception:
//An error occurred while sending the request.
//The request was aborted: Could not create SSL/TLS secure channel.
}
else
LogHelper.LogError(_logger, "PostAsync call faulted.");
}
else
{
LogHelper.LogError(_logger, "PostAsync call failed.");
}
}
else
{
LogHelper.LogError(_logger, "PostAsync call never completed. Communication Failure.");
}
if (bSuccess)
{
//it worked, do stuff... }
}
});
SslStream throws a Win32 exception that reports that the certificate is revoked if it is revoked. Like the browsers. Seems to be hitting Schannel or some un-managed code at a lower level and piping it up. If HttpClient returns a TLS error, I run my code to try to make a SslStream+TcpClient connection and report the exception. I guess HttpClient just buries the error details and SslStream exposes it in an inner exception. Solves my problem.
Sample code: