
I have a C# MVC application (.NET Framework 4.6.2) with a WCF (SOAP-based) web service located at /webservice inside the application. The WCF web service is for a 3rd party vendor to call and push their data to. We have the application in a test environment on a Windows Server 2016 server with ports 80 and 443 open, and our certs aren't self-signed and are valid. When we test the service using SoapUI, we are able to correctly get to the WCF web service and post the test data to the server, but when our vendor posts the data from their Java application they get "Connection Reset". We've removed all authentication and are just trying to get them to reach the WCF, but our IIS logs and application logs don't even show them hitting our server. SoapUI (both inside and outside our network/firewall) is able to hit the service correctly. Our web.config looks like this:

<system.serviceModel>
<diagnostics>
  <messageLogging logEntireMessage="true" logMalformedMessages="true" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" maxMessagesToLog="3000"/>
</diagnostics>
<bindings>
  <basicHttpBinding>
    <binding name="basicBinding" textEncoding="utf-8" openTimeout="00:03:00" closeTimeout="00:03:00"/>
  </basicHttpBinding>
</bindings>
<services>
  <service behaviorConfiguration="serviceBehavior" name="WebServiceUniqueName">
    <endpoint address="/endpoint/soap" binding="basicHttpBinding" bindingConfiguration="basicBinding" name="soapEndpoint" bindingNamespace="https://test.site.com/webservice" contract="Our.Namespace.ISoapContract"/>
    <endpoint address="mex" binding="mexHttpBinding" name="mexEndpoint" contract="IMetadataExchange"/>
    <host>
      <baseAddresses>
        <add baseAddress="/webservice/servicename"/>
      </baseAddresses>
    </host>
  </service>
</services>
<behaviors>
  <serviceBehaviors>
    <behavior name="serviceBehavior">
      <serviceMetadata externalMetadataLocation="https://test.site.com/webservice/content.xml"
        httpGetEnabled="true" />
      <serviceDebug httpHelpPageEnabled="false" includeExceptionDetailInFaults="true" />
    </behavior>
  </serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true"/>
</system.serviceModel>

and the code for our WCF looks like this:

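using System.ServiceModel;            // ServiceContract, OperationContract, ServiceBehavior, XmlSerializerFormat
using System.ServiceModel.Activation; // AspNetCompatibilityRequirements
using Our.Namespace;                  // ISoapContract

[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]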
[ServiceBehavior(Namespace = "https://test.site.com/webservice")]
public class MyService : ISoapContract
{
    public DataResponse SubmitData(DataRequest input)
    {
        // Code here
    }
}

namespace Our.Namespace
{
    [ServiceContract(Namespace = "https://test.site.com/webservice")]
    [XmlSerializerFormat]
    public interface ISoapContract
    {
        [OperationContract(Name = "SubmitData")]
        [XmlSerializerFormat]
        DataResponse SubmitData(DataRequest input);
    }
}

Our server works with TLS 1.2 and falls back to 1.1 (exactly what the vendor is expecting). Our firewall isn't showing anything being blocked and the "Connection Reset" message is within the first few seconds of their request. The 3rd party is able to access the WSDL from their browsers, so all of this leads me to believe there is something failing during the handshake. SoapUI is coming through and that runs on Java, so we are really stumped at this point. Does Java calling a C# WCF application require something extra? Is there a way to capture a handshake attempt?

Update after more testing:

We took Sambit's advice and used the Microsoft web service client and that worked without any problems. We created another test WCF and also created an app that called our server and put both in Azure without any problems. We could reach our web service but the vendor still can't reach the server. We added more logging and looked at the firewall and the traffic from the vendor was getting through the firewall and to the server but was reporting "TCP reset from server".

The 3rd party vendor's application was hosted in a shared environment and they are able to run commands on their server but they can't change any code to log extra information. They were able to ping our server and run the following command:

nc -zv (server_url) 443

And that connected successfully but when they attempted to get the cert from the server, that failed:

openssl s_client -tls1_2 -showcerts -connect (server_url):443

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent

  • Is it a SOAP-based web service? Commented Jun 1, 2019 at 19:31
  • Yes, this is soap based. (I will update the question.) Commented Jun 1, 2019 at 19:33
  • If you have a WSDL file, you can use Apache Axis2 and can generate the stub classes using wsdl2java in Apache Axis2 and test. There is also a legacy .NET webservice client which can be downloaded from Microsoft site for testing the soap web service to get more clarity. Commented Jun 1, 2019 at 19:36
  • Cool! Thank you for the suggestion, @Sambit. I will look into that right now. Commented Jun 1, 2019 at 19:38

1 Answer


After help from a lot of really smart people on both sides, the problem ended up being Server Name Indication (SNI):

https://en.wikipedia.org/wiki/Server_Name_Indication

The vendor's application is running an old version of Java that doesn't understand/support SNI and they aren't able to upgrade at this time.

Our server admins dedicated an IP on our Windows Server for the domain being called by the vendor and disabled SNI for that particular domain. We are now able to receive the vendor's web server calls without any problems.
