I've got a .NET 4.5 Web API project that needs to send out an HttpWebRequest with a certificate. I'm able to get everything to work in Postman (Postman | API Development Environment), but can't get my code to work. I keep getting this error: System.Net.WebException: 'The request was aborted: Could not create SSL/TLS secure channel.'

I've confirmed that my certificate is correct and I can see in debug that it is loading into the request object properly. I've even tried both loading it from a .pfx file and from the store.

When googling, there are a lot of results. Most seem to be fixed by specifying
C#
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

or a version of it, using pipe symbols to include all protocols. It's worked for others because .NET 4.5 doesn't default to TLS 1.2, so this manually forces it to be used. So I'm pretty sure I need it, but it didn't fix the error for me. :(

Also googled and found this doc, TLS-SSL Settings | Microsoft Docs, which talks about changing settings in the registry to enable TLS 1.2. I have also tried this, and it hasn't fixed it.

I'm at my wits' end. Does anyone have any other ideas? If not on how to solve it, then at least on how to get more information about why it's failing?

Any help would be appreciated.

C#
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using Newtonsoft.Json;

//Convert object to json
string json = JsonConvert.SerializeObject(objCustomObject);

//Force TLS 1.2 (not enabled by default on .NET 4.5)
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
ServicePointManager.Expect100Continue = true;
ServicePointManager.DefaultConnectionLimit = 9999;

HttpWebRequest request = (HttpWebRequest)WebRequest.Create(requestPath); // path starts with https://
request.Method = "POST";
request.ContentType = "application/json";

//Get certificate from the machine store
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection collection = store.Certificates.Find(X509FindType.FindBySubjectName, "mycertsubjectname", false);
store.Close();

//Associate the collection of certificates to the request
request.ClientCertificates = collection;

//Add headers
request.Headers.Add("CUSTOM-HEADER-1", "headerValue1");
request.Headers.Add("CUSTOM-UNIX-EPOCH-TIMESTAMP-HEADER", "1557515741"); // stand-in for unixEpochTimestamp
request.Headers.Add("CUSTOM-HEADER-3", "headerValue3");

//write to request
using (StreamWriter writer = new StreamWriter(request.GetRequestStream()))
{
    writer.Write(json);
}

//get response
HttpWebResponse response = (HttpWebResponse)request.GetResponse(); // ERROR: 'The request was aborted: Could not create SSL/TLS secure channel.'


What I have tried:

Tried adding this and some other ServicePointManager settings:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

Tried changing registry settings per instructions from TLS-SSL Settings | Microsoft Docs.

Tried different techniques adding the certificate.

A coworker tried converting our .Net 4.5 project to a .Net 4.6 project...didn't work.

Tried running VS as admin.

Tried adding permissions to the certificate in the cert manager.
Posted
Updated 20-May-19 4:17am
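Added diagnostic example (not code from the original post): an SslStream probe that performs the same TLS 1.2 client-certificate handshake as the HttpWebRequest above but reports what was negotiated (protocol, cipher, hash and key-exchange strength) and walks the inner exceptions when the handshake fails. SslStream goes through the same SCHANNEL policy as HttpWebRequest, so a server the policy rejects fails here too, but the innermost exception is usually a Win32Exception carrying the SCHANNEL status, which is far more specific than "Could not create SSL/TLS secure channel". The host name, port and certificate subject name are placeholders.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic example; not from the original post. Host, port and the
// certificate subject name are placeholders to be replaced.
static class TlsProbe
{
    // Same store lookup as the question, returned as the collection SslStream accepts.
    static X509CertificateCollection LoadClientCerts(string subjectName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            return store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, false);
        }
        finally
        {
            store.Close();
        }
    }

    public static void Probe(string host, int port, X509CertificateCollection clientCerts)
    {
        using (var tcp = new TcpClient(host, port))
        using (var ssl = new SslStream(tcp.GetStream(), false, (sender, cert, chain, errors) =>
        {
            // Report chain problems, but keep validation strict.
            Console.WriteLine("Server certificate: {0}", cert.Subject);
            Console.WriteLine("Policy errors:      {0}", errors);
            return errors == SslPolicyErrors.None;
        }))
        {
            try
            {
                // TLS 1.2 only, as the third party requires; revocation checking on.
                ssl.AuthenticateAsClient(host, clientCerts, SslProtocols.Tls12, true);
            }
            catch (AuthenticationException ex)
            {
                // HttpWebRequest hides this chain behind "Could not create SSL/TLS secure
                // channel"; the innermost exception is usually a Win32Exception with the
                // SCHANNEL status (e.g. "do not possess a common algorithm").
                Console.WriteLine("Handshake failed: {0}", ex.Message);
                for (var inner = ex.InnerException; inner != null; inner = inner.InnerException)
                    Console.WriteLine("  caused by: {0}: {1}", inner.GetType().Name, inner.Message);
                return;
            }

            Console.WriteLine("Protocol:     {0}", ssl.SslProtocol);
            Console.WriteLine("Cipher:       {0} ({1} bits)", ssl.CipherAlgorithm, ssl.CipherStrength);
            Console.WriteLine("Hash:         {0} ({1} bits)", ssl.HashAlgorithm, ssl.HashStrength);
            // For a DHE suite this is the server's DH group size; SCHANNEL refuses the
            // handshake when it is below the client's configured minimum key length.
            Console.WriteLine("Key exchange: {0} ({1} bits)", ssl.KeyExchangeAlgorithm, ssl.KeyExchangeStrength);
            Console.WriteLine("Client certificate accepted: {0}", ssl.IsMutuallyAuthenticated);
        }
    }

    static void Main()
    {
        // Placeholders: the third party's host and the subject name used in the question.
        Probe("api.example.com", 443, LoadClientCerts("mycertsubjectname"));
    }
}
```

The same inner-exception walk applies to the WebException thrown by GetResponse() in the original code: its InnerException chain ends in the same Win32Exception, and the Schannel source in the Windows System event log records the failed handshake on the client side as well.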
Comments
Richard Deeming 16-May-19 14:51pm    
You need to find out which version(s) of TLS are supported by the server, and make sure those protocols are enabled for client requests on your computer.

There may also be a mis-match between the enabled ciphers on the client and the server.

Assuming it's a public site, the Qualys SSL test will give you lots of details about what's enabled on the server.
Kschuler 16-May-19 15:15pm    
Dude. Thank you for pointing out this tool. Awesome. Unfortunately, it only confirms that I'm after TLS 1.2. I'll dig into the ciphers and see what I can find there. Thanks again, though!

My coworker figured it out. Turns out our machines had defined a minimum key length that wasn't small enough for the third party that we are trying to hit. We had a min of 2048 and they were expecting 1024. It can be fixed by changing/adding the following registry setting:

Key:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
Value: ClientMinKeyBitLength
Type:  REG_DWORD
Data:  0x00000400 (1024)
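Added example, not code from the original answer: a small console program that reads the SCHANNEL client-side Diffie-Hellman minimum on the current machine and, only when explicitly asked, writes the value from the answer above. The key path and value name are exactly those in the answer; everything else is assumed. It is worth being clear about what the fix does before applying it. The setting is machine-wide and governs every SCHANNEL client on the host (every .NET application, PowerShell, legacy browsers), not just this API call, and 1024-bit finite-field DH groups are considered weak (the Logjam research estimated them to be within reach of well-resourced attackers), which is the reason a hardened machine carries 2048 in the first place. The cleaner fix is for the third party to offer a 2048-bit group or an ECDHE suite; ECDHE is governed by a separate ECDH key under KeyExchangeAlgorithms, so this value does not affect it. Writing the value requires an elevated process.

```csharp
using System;
using Microsoft.Win32;

// Added example; not from the original answer. Reads, and optionally sets, the
// SCHANNEL client minimum Diffie-Hellman key length named in the answer above.
static class SchannelDhPolicy
{
    // Path and value name exactly as in the answer.
    const string KeyPath =
        @"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman";
    const string ValueName = "ClientMinKeyBitLength";

    // Returns the configured minimum in bits, or null when the value (or the key)
    // is absent and the Windows default applies. The 64-bit view is opened
    // explicitly so a 32-bit build reads the same hive SCHANNEL uses.
    public static int? ReadClientMinKeyBitLength()
    {
        using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
        using (RegistryKey key = hklm.OpenSubKey(KeyPath, false))
        {
            if (key == null) return null;
            object raw = key.GetValue(ValueName);
            return raw is int ? (int)raw : (int?)null;
        }
    }

    // Writes the value as REG_DWORD. Requires an elevated process. Deliberately
    // refuses anything below 1024 bits: 0x400 (1024) is what the answer used, and
    // weaker DH groups should not be re-enabled for any reason.
    public static void SetClientMinKeyBitLength(int bits)
    {
        if (bits < 1024)
            throw new ArgumentOutOfRangeException("bits", "refusing to allow DH groups below 1024 bits");
        using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
        using (RegistryKey key = hklm.CreateSubKey(KeyPath))
        {
            key.SetValue(ValueName, bits, RegistryValueKind.DWord);
        }
    }

    static void Main(string[] args)
    {
        int? current = ReadClientMinKeyBitLength();
        Console.WriteLine("ClientMinKeyBitLength = {0}",
            current.HasValue
                ? current.Value + " bits (0x" + current.Value.ToString("X8") + ")"
                : "(not set; Windows default applies)");

        // Apply the fix from the answer only when explicitly asked, e.g. "--set 1024".
        if (args.Length == 2 && args[0] == "--set")
        {
            int bits = int.Parse(args[1]);
            SetClientMinKeyBitLength(bits);
            Console.WriteLine("ClientMinKeyBitLength set to {0} bits.", bits);
        }
    }
}
```

Run it once without arguments to record the current value before changing anything, and once more after the third party upgrades its DH group so the floor can be put back to 2048.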
Try running Visual Studio as administrator.
Comments
Kschuler 16-May-19 14:32pm    
Tried it. Didn't work.
#realJSOP 16-May-19 14:49pm    
Are you traversing a F5 load balancer?
Kschuler 16-May-19 15:03pm    
No idea about the F5 load balancer. Hitting a third party.

They did specify that I should be using TLS 1.2, though.
#realJSOP 16-May-19 15:06pm    
I work for the DoD and we had to create a proxy in order to traverse our load balancer. We use X509 as well, and send a certificate to the remote web service. Maybe just send one cert?
Kschuler 16-May-19 15:52pm    
Not sure what you mean by "just send one cert". I put it into a "collection" because that's what form it needs to be when connecting it to the request object. But it's still the same certificate values as when I pull from one pfx file instead.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
