The request was aborted could not create SSL/TLS secure channel - HttpWebRequest

1
votes

I am making a webrequest to an 3rd party api and it was working fine. In between the certificate was changed for the API and now when i make the request from our dev environment, I am getting response as The request was aborted could not create SSL/TLS secure channel. I tried setting different protocol in code and there is no change in the response. I was getting a different error in explorer also. But that was fixed after enabling SSL 3. I am using httpwebrequest in the code. The initial dll was in .net 3.5 and it has been updated to .net 4.6 now. When checking the certificate details in firefox, i can see the certificate is TLS 1.3. As far as i understand it is not supported in .net 4.6.1 as i get protocol not supported error when i set it TLS value. The dev environment is a Windows server 2016. The same API is working in production in Microsoft cloud. Not sure about the exact server version.

Is there any way i can fix this issue.

Update The certificate algorithm was not there in the cipher suites. Followed the below document to add the cipher suite and the issue is now resolved.

https://docs.microsoft.com/en-us/windows-server/security/tls/manage-tls

2
c#.netssltls1.2tls1.3

2 Answers

3
votes

Unfortunately, you cannot fix this issue yet.

The .NET Framework simply delegates to the underlying Windows platform WinINet/SChannel APIs to make outgoing HTTPS calls, and WinINet/SChannel on Windows Server 2016 has not yet been rolled out with the necessary changes to allow TLS 1.3 outgoing connections.

Applications targeting Framework 4.7.1 and later will automatically use the highest TLS version available on the OS it's running on, and fall back to lower ones if the server you're connecting to doesn't support it, so you won't need the following code (unless your current code [or a dependency] already calls it with a lower version).

If you're stuck on Framework < 4.7.1, you can prepare your code for the eventual Windows updates:

// From .NET Framework 4.8.0, simply use SecurityProtocolType.Tls13
// (or rather don't use this code at all from 4.7.1, configure the TLS versions in the OS)
const SecurityProtocolType tls13 = (SecurityProtocolType)12288;

ServicePointManager.SecurityProtocol = tls13 | SecurityProtocolType.Tls12;

(Some sites may require you to also append | SecurityProtocolType.Tls11, but those sites really should update their servers).

This SecurityProtocolType value of 12288, meaning TLS 1.3, will now be future-proof and passed on to the underlying Windows API layer, but will now throw an exception if the site you're calling only speaks TLS 1.3:

Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm

This fix therefore only works after TLS 1.3 support is rolled out to Windows Server.

Windows 10 and Windows Server 1903 have experimental support for this, but if you can't upgrade your .NET Framework from 4.6, I doubt you can install a Windows Server release that uses experimental features.

For more information, see the following references:

0
votes

The certificate algorithm was not there in the cipher suites. Followed the below document to add the cipher suite and the issue is now resolved.

https://docs.microsoft.com/en-us/windows-server/security/tls/manage-tls