10
votes

I'm getting an SSL error when making a SOAP call with an SSL certificate:

The request was aborted: Could not create SSL/TLS secure channel.

The weird thing is that if I load the certificate in Firefox and visit the endpoint or make a call to the API without sending any data, I don't get any error message and it connects successfully. The company exposing the API has also mentioned that the certificate is kosher.

The certificate I'm loading has full privileges to "Everyone". I've tried every solution I've seen on the internet but still getting the error.

Here is my code that creates the request:

 ServicePointManager.Expect100Continue = true;
 ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
 var request = (HttpWebRequest)WebRequest.Create(plugin.EndPoint);
 request.ContentType = "text/xml; charset=utf-8";
 request.Method = "POST";

The code to get the certificate (I've also tried with a pfx):

// X509Certificate2 lives in System.Security.Cryptography.X509Certificates
var cert = new X509Certificate2(@"C:\clientcert.p12", "FakePassword");
request.ClientCertificates.Add(cert);

and the code for the request:

byte[] byteArray = Encoding.UTF8.GetBytes(xml);
request.ContentLength = byteArray.Length;
using (var dataStream = request.GetRequestStream())   // the TLS handshake happens here
{
    dataStream.Write(byteArray, 0, byteArray.Length);
    dataStream.Close();

    using (WebResponse response = request.GetResponse())
    {
        using (var responseStream = response.GetResponseStream())
        {
            StreamReader reader = new StreamReader(responseStream ?? throw new InvalidOperationException());
            return reader.ReadToEnd();
        }
    }
}

Edit:

Here is the trace output from running the request:

System.Net Information: 0 : [11844] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=CertUnknown).
System.Net Error: 0 : [11844] Exception in HttpWebRequest#63832831:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [11844] Exception in HttpWebRequest#63832831::EndGetRequestStream - The request was aborted: Could not create SSL/TLS secure channel..

I also changed the SecurityProtocol:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; 

Second Edit: I can get it to work in SoapUI but not in the .NET application by just loading the SSL certificate from the file system in SOAP UI.

... or make a call to the API without sending any data, I don't get any error message - Are you sure that you actually contact the server in this case? - You could try applying all values to SecurityProtocol, as currently it's TLS 1.2 or nothing. If you enable Tracing on the request you will get detailed logs. - Alex K.

After so much research, this thread worked for me! - Tuxpilgrim

System.NET tracing said "returned code=CertUnknown", so it must contain other information for you to dig. Similar threads like stackoverflow.com/questions/9858275/… should give you some hints. - Lex Li

It is an "it did not work" exception message. Pretty intentional, they don't want to give an attacker too much info about what he did wrong. Enable logging on the other machine so you know exactly what went wrong: support.microsoft.com/en-us/help/260729/… If the log content doesn't help then you now have good info to ask a question at serverfault.com - Hans Passant

3 Answers

1
votes

Out of interest, your app is using the TLS 1.0, 1.1 and 1.2 protocols, but is its use enabled in Internet Explorer?

If it's not in the web.config, add it:

<appSettings>
    <add key="SecurityProtocol" value="Tls12" />
</appSettings>

Then also check it's enabled in IE in the advanced settings tab: "Use TLS 1.2"

0
votes

Your SSL certificate is signed by a root certificate that isn't installed in Windows.

Firefox ships with its own trusted root cert list that contains the root cert for the cert you're using. Just because Firefox trusts a cert doesn't mean that Windows trusts it.

The solution is to install your cert's root cert or cert chain on the computer running your app.

https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-create-temporary-certificates-for-use-during-development

If this is an app with a wide audience, an easier solution is to switch to an SSL provider that already uses a root cert that ships with Windows.
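An added diagnostic, not the asker's code and not from any of the answers, that checks the two things this answer and the question's "CertUnknown" trace point at: whether Windows (rather than Firefox) can build a trusted chain for the client certificate and whether that certificate carries its private key, and which policy errors Windows reports for the server certificate. The validation callback only logs; it returns the same verdict the default validator would. The path, password and endpoint are placeholders standing in for the asker's real values.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic; not code from the question or from any of the answers.
// Path, password and endpoint are placeholders standing in for the asker's real values.
static class TlsDiagnostics
{
    // Reports whether Windows (not Firefox) can build a trusted chain for a certificate.
    public static bool ReportChain(string label, X509Certificate2 cert)
    {
        using (var chain = new X509Chain())
        {
            // Isolate trust-store problems from revocation-lookup problems.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            bool ok = chain.Build(cert);
            Console.WriteLine($"{label}: {cert.Subject} -> chain trusted = {ok}");
            foreach (var s in chain.ChainStatus)      // e.g. UntrustedRoot, NotTimeValid
                Console.WriteLine($"   {s.Status}: {s.StatusInformation.Trim()}");
            foreach (var el in chain.ChainElements)   // leaf -> intermediates -> root that was found
                Console.WriteLine($"   - {el.Certificate.Subject}");
            return ok;
        }
    }

    public static void Main()
    {
        // 1. The client certificate: without a private key Schannel cannot sign the handshake.
        var client = new X509Certificate2(@"C:\clientcert.p12", "FakePassword");
        Console.WriteLine($"Client cert has private key: {client.HasPrivateKey}");
        ReportChain("Client cert", client);

        // 2. The server certificate: log why Windows rejects it, but keep the default decision.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, errors) =>
        {
            Console.WriteLine($"Server cert policy errors: {errors}");
            if (chain != null)
                foreach (var s in chain.ChainStatus)
                    Console.WriteLine($"   {s.Status}: {s.StatusInformation.Trim()}");
            return errors == SslPolicyErrors.None;   // same verdict as the default validator
        };

        var request = (HttpWebRequest)WebRequest.Create("https://api.example.invalid/soap");
        request.ClientCertificates.Add(client);
        try { using (request.GetResponse()) Console.WriteLine("TLS handshake succeeded"); }
        catch (WebException ex) { Console.WriteLine($"Request failed: {ex.Message}"); }
    }
}
```

If `ReportChain` prints `UntrustedRoot` for the client certificate, the issuing CA is missing from the machine's trust store, which is the situation this answer describes.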

0
votes

Sometimes I have this error as well. The steps I take to overcome this problem are as follows:

  1. Export your certificate from IIS.
  2. Double-click the certificate and follow the wizard.
  3. Store location: 'Local machine', then Next.
  4. Fill in the password you picked during the export.
  5. Check the option to place the certificate in a store and choose 'Trusted Root Certification Authorities'.
  6. Finish. To check that the import was successful, type 'certmgr.msc' into Windows search, navigate to 'Trusted Root Certification Authorities' and then the Certificates folder. The imported certificate should be present.
  7. Test with your application.

I hope it helps.