The request was aborted Could not create SSL TLS secure channel

Question

My customer has informed my of issues with their SSL and Internet Explorer  They said they get trust issues when accessing the URL    I am accessing JSON through HTTPS  The website sits on one server and I am using the console app on my local machine  I am trying to bypass the SSL Cert  however  my code still fails   Can I alter HttpWebRequest to fix this problem   I get this error using this code          You must change the URL to point to your Web server          HttpWebRequest req    HttpWebRequest WebRequest Create url           req Method    GET           req AllowAutoRedirect   true              allows for validation of SSL conversations         ServicePointManager ServerCertificateValidationCallback   delegate   return true               WebResponse respon   req GetResponse            Stream res   respon GetResponseStream             string ret               byte   buffer   new byte 1048           int read   0          while   read   res Read buffer  0  buffer Length    gt  0                          Console Write Encoding ASCII GetString buffer  0  read                ret    Encoding ASCII GetString buffer  0  read                     return ret

User · Answer

Another possible cause of the The request was aborted  Could not create SSL TLS secure channel error is a mismatch between your client PC s configured cipher suites values  and the values that the server is configured as being willing and able to accept   In this case  when your client sends the list of cipher suites values that it is able to accept in its initial SSL handshaking negotiation  Client Hello  message  the server sees that none of the provided values are acceptable  and may return an  Alert  response instead of proceeding to the  Server Hello  step of the SSL handshake   To investigate this possibility  you can download Microsoft Message Analyzer  and use it to run a trace on the SSL negotiation that occurs when you try and fail to establish an HTTPS connection to the server  in your C  app      If you are able to make a successful HTTPS connection from another environment  e g  the Windows XP machine that you mentioned -- or possibly by hitting the HTTPS URL in a non-Microsoft browser that doesn t use the OS s cipher suite settings  such as Chrome or Firefox   run another Message Analyzer trace in that environment to capture what happens when the SSL negotiation succeeds   Hopefully  you ll see some difference between the two Client Hello messages that will allow you to pinpoint exactly what about the failing SSL negotiation is causing it to fail   Then you should be able to make configuration changes to Windows that will allow it to succeed   IISCrypto is a great tool to use for this  even for client PCs  despite the  IIS  name    The following two Windows registry keys govern the cipher suites values that your PC will use    HKLM SOFTWARE Policies Microsoft Cryptography Configuration SSL 00010002 HKLM SYSTEM CurrentControlSet Control Cryptography Configuration Local SSL 00010002   Here s a full writeup of how I investigated and solved an instance of this variety of the Could not create SSL TLS secure channel problem  http   blog jonschneider com 2016 08 fix-ssl-handshaking-error-in-windows html

User · Answer

The root of this exception in my case was that at some point in code the following was being called   ServicePointManager SecurityProtocol   SecurityProtocolType Ssl3    This is really bad  Not only is it instructing  NET to use an insecure protocol  but this impacts every new WebClient  and similar  request made afterward within your appdomain   Note that incoming web requests are unaffected in your ASP NET app  but new WebClient requests  such as to talk to an external web service  are    In my case  it was not actually needed  so I could just delete the statement and all my other web requests started working fine again  Based on my reading elsewhere  I learned a few things    This is a global setting in your appdomain  and if you have concurrent activity  you can t reliably set it to one value  do your action  and then set it back  Another action may take place during that small window and be impacted  The correct setting is to leave it default  This allows  NET to continue to use whatever is the most secure default value as time goes on and you upgrade frameworks  Setting it to TLS12  which is the most secure as of this writing  will work now but in 5 years may start causing mysterious problems  If you really need to set a value  you should consider doing it in a separate specialized application or appdomain and find a way to talk between it and your main pool  Because it s a single global value  trying to manage it within a busy app pool will only lead to trouble  This answer   https   stackoverflow com a 26754917 7656  provides a possible solution by way of a custom proxy   Note I have not personally implemented it

User · Answer

I had cert in store and on file  I tried to connect with file and got this error message  When I used the one in the store it worked  My best guess is that some sort of conflict arose as a result of the cert being in store when I wanted to use the one on file   A different service on the same machine used the cert in store and I had developed a different service using the cert on file  Worked like a charm on dev until test

User · Answer

I had this problem because my web config had    lt httpRuntime targetFramework  4 5 2    gt    and not    lt httpRuntime targetFramework  4 6 1    gt

User · Answer

I had to enable other security protocol versions to resolve the  issue       ServicePointManager SecurityProtocol   SecurityProtocolType Tls           SecurityProtocolType Tls11           SecurityProtocolType Tls12           SecurityProtocolType Ssl3

User · Answer

None of the answers worked for me   This is what worked   Instead of initializing my X509Certifiacte2 like this      var certificate   new X509Certificate2 bytes  pass     I did it like this      var certificate   new X509Certificate2 bytes  pass  X509KeyStorageFlags MachineKeySet   X509KeyStorageFlags PersistKeySet   X509KeyStorageFlags Exportable     Notice the  X509KeyStorageFlags Exportable     I didn t change the rest of the code  the WebRequest itself       I m not even sure the first two lines are necessary  ServicePointManager Expect100Continue   true   ServicePointManager SecurityProtocol   SecurityProtocolType Tls12   request    HttpWebRequest WebRequest Create string Format  https    0  sii cl cvc cgi dte of solicita folios   server    request Method    GET   request Referer   string Format  https   hercules sii cl cgi AUT2000 autInicio cgi referencia https    0  sii cl cvc cgi dte of solicita folios   servidor   request UserAgent    Mozilla 4 0   request ClientCertificates Add certificate   request CookieContainer   new CookieContainer     using  HttpWebResponse response    HttpWebResponse request GetResponse             etc        In fact I m not even sure that the first two lines are necessary

User · Answer

The approach with setting   ServicePointManager SecurityProtocol   SecurityProtocolType Tls12   Seems to be okay  because Tls1 2 is latest version of secure protocol  But I decided to look deeper and answer do we really need to hardcode it   Specs  Windows Server 2012R2 x64   From the internet there is told that  NetFramework 4 6  must use Tls1 2 by default  But when I updated my project to 4 6 nothing happened  I have found some info that tells I need manually do some changes to enable Tls1 2 by default   https   support microsoft com en-in help 3140245 update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi  But proposed windows update doesnt work for R2 version  But what helped me is adding 2 values to registry  You can use next PS script so they will be added automatically   Set-ItemProperty -Path  HKLM  SOFTWARE Wow6432Node Microsoft  NetFramework v4 0 30319  -Name  SchUseStrongCrypto  -Value  1  -Type DWord Set-ItemProperty -Path  HKLM  SOFTWARE Microsoft  NetFramework v4 0 30319  -Name  SchUseStrongCrypto  -Value  1  -Type DWord   That is kind of what I was looking for  But still I cant answer on question why NetFramework 4 6  doesn t set this    Protocol value automatically

User · Answer

Please see below link once  SecurityProtocolType SsL3 is now old   http   codemust com poodle-vulnerability-fix-openssl

User · Answer

This worked for me   ServicePointManager Expect100Continue   true              ServicePointManager SecurityProtocol   SecurityProtocolType Tls                      SecurityProtocolType Tls11                      SecurityProtocolType Tls12                      SecurityProtocolType Ssl3

User · Answer

The default  NET ServicePointManager SecurityProtocol uses SSLv3 and TLS  If you are accessing an Apache server  there is a config variable called SSLProtocol which defaults to TLSv1 2  You can either set the ServicePointManager SecurityProtocol to use the appropriate protocol supported by your web server or change your Apache config to allow all protocols like this SSLProtocolall

User · Answer

Also received  Could not create SSL TLS secure channel  error   This is what worked for me  System Net ServicePointManager SecurityProtocol    System Net SecurityProtocolType 3072

User · Answer

Delete this option from registry helped me in Windows Server 2012  HKEY LOCAL MACHINE SYSTEM CurrentControlSet Control SecurityProviders SCHANNEL KeyExchangAlgorithms

User · Answer

After many long hours with this same issue I found that the ASP NET account the client service was running under didn t have access to the certificate  I fixed it by going into the IIS Application Pool that the web app runs under  going into Advanced Settings  and changing the Identity to the LocalSystem account from NetworkService   A better solution is to get the certificate working with the default NetworkService account but this works for quick functional testing

User · Answer

Another possibility is that the code being executed doesn t have the required premissions   In my case  I got this error when using Visual Studio debugger to test a call to a web service  Visual Studio wasn t running as Administrator  which caused this exception

User · Answer

If you are running your code from Visual Studio  try running Visual Studio as administrator  Fixed the issue for me

User · Answer

In my case  the service account running the application did not have permission to access the private key  Once I gave this permission  the error went away    mmc certificates Expand to personal select cert right click All tasks Manage private keys Add

User · Answer

As long as this is a relatively  live  link I thought I would add a new option   That possibility is that the service is no longer supporting SSL 3 0 due to the problem with the Poodle attack   Check out the Google statement on this   I encountered this problem with several web services at once and realized something had to be going on   I switched to TLS 1 2 and everything is working again   http   googleonlinesecurity blogspot com 2014 10 this-poodle-bites-exploiting-ssl-30 html

User · Answer

Try this   ServicePointManager SecurityProtocol   SecurityProtocolType Tls12

User · Answer

The problem you re having is that the aspNet user doesn t have access to the certificate   You have to give access using the winhttpcertcfg exe  An example on how to set this up is at  http   support microsoft com kb 901183  Under step 2 in more information  EDIT  In more recent versions of IIS  this feature is built in to the certificate manager tool - and can be accessed by right clicking on the certificate and using the option for managing private keys   More details here  https   serverfault com questions 131046 how-to-grant-iis-7-5-access-to-a-certificate-in-certificate-store 132791 132791

User · Answer

I found the type of certificate also comes into play   I had a cert that was    the below output was in mmc   certificate properties    Digital Signature  Key Encipherment  a0    the below output was from my C  code below   X509Extension X509KeyUsageExtension KeyUsages  KeyEncipherment  DigitalSignature  X509KeyUsageExtension KeyUsages X509KeyUsageFlags CrlSign  False  X509KeyUsageExtension KeyUsages X509KeyUsageFlags DataEncipherment  False  X509KeyUsageExtension KeyUsages X509KeyUsageFlags DecipherOnly  False  X509KeyUsageExtension KeyUsages X509KeyUsageFlags DigitalSignature  True  X509KeyUsageExtension KeyUsages X509KeyUsageFlags EncipherOnly  False  X509KeyUsageExtension KeyUsages X509KeyUsageFlags KeyAgreement  False  X509KeyUsageExtension KeyUsages X509KeyUsageFlags KeyCertSign  False  X509KeyUsageExtension KeyUsages X509KeyUsageFlags KeyEncipherment  True  X509KeyUsageExtension KeyUsages X509KeyUsageFlags None  False  X509KeyUsageExtension KeyUsages X509KeyUsageFlags NonRepudiation  False   the above did not work                                    Then another certificate with     the below output was in mmc   certificate properties    Certificate Signing  Off-line CRL Signing  CRL Signing  06    the below output was from my C  code below   X509Extension X509KeyUsageExtension KeyUsages  CrlSign  KeyCertSign  X509KeyUsageExtension KeyUsages X509KeyUsageFlags CrlSign  True  X509KeyUsageExtension KeyUsages X509KeyUsageFlags DataEncipherment  False  X509KeyUsageExtension KeyUsages X509KeyUsageFlags DecipherOnly  False  X509KeyUsageExtension KeyUsages X509KeyUsageFlags DigitalSignature  False  X509KeyUsageExtension KeyUsages X509KeyUsageFlags EncipherOnly  False  X509KeyUsageExtension KeyUsages X509KeyUsageFlags KeyAgreement  False  X509KeyUsageExtension KeyUsages X509KeyUsageFlags KeyCertSign  True  X509KeyUsageExtension KeyUsages X509KeyUsageFlags KeyEncipherment  False  X509KeyUsageExtension KeyUsages X509KeyUsageFlags None  False  X509KeyUsageExtension KeyUsages X509KeyUsageFlags NonRepudiation  False   and it did work  The below code will allow you to inspect your client certificate  using System  using System Collections Generic  using System Linq  using System Security Cryptography  using System Security Cryptography X509Certificates  using System Text   namespace MyNamespace       public static class SecurityShower               public static void ShowHttpWebRequest System Net HttpWebRequest hwr                        StringBuilder sb   new StringBuilder                if  null    hwr                                sb Append  -----------------------------------------------HttpWebRequest    System Environment NewLine                   sb Append string Format  HttpWebRequest Address AbsolutePath   0     hwr Address AbsolutePath    System Environment NewLine                   sb Append string Format  HttpWebRequest Address AbsoluteUri   0     hwr Address AbsoluteUri    System Environment NewLine                   sb Append string Format  HttpWebRequest Address   0     hwr Address    System Environment NewLine                    sb Append string Format  HttpWebRequest RequestUri AbsolutePath   0     hwr RequestUri AbsolutePath    System Environment NewLine                   sb Append string Format  HttpWebRequest RequestUri AbsoluteUri   0     hwr RequestUri AbsoluteUri    System Environment NewLine                   sb Append string Format  HttpWebRequest RequestUri   0     hwr RequestUri    System Environment NewLine                    foreach  X509Certificate cert in hwr ClientCertificates                                        sb Append  START                                                                         ShowX509Certificate sb  cert                       sb Append  END                                                                                                  string result   sb ToString                Console WriteLine result                      public static void ShowCertAndChain X509Certificate2 cert                        X509Chain chain   new X509Chain                chain ChainPolicy RevocationFlag   X509RevocationFlag EntireChain              chain ChainPolicy RevocationMode   X509RevocationMode Offline              chain ChainPolicy VerificationFlags   X509VerificationFlags AllFlags                   chain ChainPolicy VerificationFlags   X509VerificationFlags IgnoreCtlSignerRevocationUnknown  amp  amp                  X509VerificationFlags IgnoreRootRevocationUnknown  amp  amp                  X509VerificationFlags IgnoreEndRevocationUnknown  amp  amp                  X509VerificationFlags IgnoreCertificateAuthorityRevocationUnknown  amp  amp                  X509VerificationFlags IgnoreCtlNotTimeValid               chain Build cert                ShowCertAndChain cert  chain                      public static void ShowCertAndChain X509Certificate cert  X509Chain chain                        StringBuilder sb   new StringBuilder                if  null    cert                                ShowX509Certificate sb  cert                              if  null    chain                                sb Append  -X509Chain Start -    System Environment NewLine                       sb Append string Format  Cert ChainStatus   0     string Join      chain ChainStatus ToList       System Environment NewLine                    foreach  X509ChainStatus cstat in chain ChainStatus                                        sb Append string Format  X509ChainStatus    0  -  1     cstat Status ToString    cstat StatusInformation    System Environment NewLine                                      X509ChainElementCollection ces   chain ChainElements                  ShowX509ChainElementCollection sb  ces                   sb Append  -X509Chain End -    System Environment NewLine                              string result   sb ToString                Console WriteLine result                      private static void ShowX509Extension StringBuilder sb  int x509ExtensionCount  X509Extension ext                        sb Append string Empty   System Environment NewLine               sb Append string Format  --------X509ExtensionNumber Start   0    x509ExtensionCount    System Environment NewLine               sb Append string Format  X509Extension Critical   0     ext Critical    System Environment NewLine                AsnEncodedData asndata   new AsnEncodedData ext Oid  ext RawData               sb Append string Format  Extension type   0    ext Oid FriendlyName    System Environment NewLine               sb Append string Format  Oid value   0    asndata Oid Value    System Environment NewLine               sb Append string Format  Raw data length   0   1    asndata RawData Length  Environment NewLine    System Environment NewLine               sb Append asndata Format true    System Environment NewLine                X509BasicConstraintsExtension basicEx   ext as X509BasicConstraintsExtension              if  null    basicEx                                sb Append  -X509BasicConstraintsExtension-    System Environment NewLine                   sb Append string Format  X509Extension X509BasicConstraintsExtension CertificateAuthority   0     basicEx CertificateAuthority    System Environment NewLine                              X509EnhancedKeyUsageExtension keyEx   ext as X509EnhancedKeyUsageExtension              if  null    keyEx                                sb Append  -X509EnhancedKeyUsageExtension-    System Environment NewLine                   sb Append string Format  X509Extension X509EnhancedKeyUsageExtension EnhancedKeyUsages   0     keyEx EnhancedKeyUsages    System Environment NewLine                   foreach  Oid oi in keyEx EnhancedKeyUsages                                        sb Append string Format  ------------EnhancedKeyUsages Oid FriendlyName   0     oi FriendlyName    System Environment NewLine                       sb Append string Format  ------------EnhancedKeyUsages Oid Value   0     oi Value    System Environment NewLine                                                X509KeyUsageExtension usageEx   ext as X509KeyUsageExtension              if  null    usageEx                                sb Append  -X509KeyUsageExtension-    System Environment NewLine                   sb Append string Format  X509Extension X509KeyUsageExtension KeyUsages   0     usageEx KeyUsages    System Environment NewLine                   sb Append string Format  X509KeyUsageExtension KeyUsages X509KeyUsageFlags CrlSign   0      usageEx KeyUsages  amp  X509KeyUsageFlags CrlSign     0    System Environment NewLine                   sb Append string Format  X509KeyUsageExtension KeyUsages X509KeyUsageFlags DataEncipherment   0      usageEx KeyUsages  amp  X509KeyUsageFlags DataEncipherment     0    System Environment NewLine                   sb Append string Format  X509KeyUsageExtension KeyUsages X509KeyUsageFlags DecipherOnly   0      usageEx KeyUsages  amp  X509KeyUsageFlags DecipherOnly     0    System Environment NewLine                   sb Append string Format  X509KeyUsageExtension KeyUsages X509KeyUsageFlags DigitalSignature   0      usageEx KeyUsages  amp  X509KeyUsageFlags DigitalSignature     0    System Environment NewLine                   sb Append string Format  X509KeyUsageExtension KeyUsages X509KeyUsageFlags EncipherOnly   0      usageEx KeyUsages  amp  X509KeyUsageFlags EncipherOnly     0    System Environment NewLine                   sb Append string Format  X509KeyUsageExtension KeyUsages X509KeyUsageFlags KeyAgreement   0      usageEx KeyUsages  amp  X509KeyUsageFlags KeyAgreement     0    System Environment NewLine                   sb Append string Format  X509KeyUsageExtension KeyUsages X509KeyUsageFlags KeyCertSign   0      usageEx KeyUsages  amp  X509KeyUsageFlags KeyCertSign     0    System Environment NewLine                   sb Append string Format  X509KeyUsageExtension KeyUsages X509KeyUsageFlags KeyEncipherment   0      usageEx KeyUsages  amp  X509KeyUsageFlags KeyEncipherment     0    System Environment NewLine                   sb Append string Format  X509KeyUsageExtension KeyUsages X509KeyUsageFlags None   0      usageEx KeyUsages  amp  X509KeyUsageFlags None     0    System Environment NewLine                   sb Append string Format  X509KeyUsageExtension KeyUsages X509KeyUsageFlags NonRepudiation   0      usageEx KeyUsages  amp  X509KeyUsageFlags NonRepudiation     0    System Environment NewLine                              X509SubjectKeyIdentifierExtension skIdEx   ext as X509SubjectKeyIdentifierExtension              if  null    skIdEx                                sb Append  -X509SubjectKeyIdentifierExtension-    System Environment NewLine                   sb Append string Format  X509Extension X509SubjectKeyIdentifierExtension Oid   0     skIdEx Oid    System Environment NewLine                   sb Append string Format  X509Extension X509SubjectKeyIdentifierExtension SubjectKeyIdentifier   0     skIdEx SubjectKeyIdentifier    System Environment NewLine                              sb Append string Format  --------X509ExtensionNumber End   0    x509ExtensionCount    System Environment NewLine                      private static void ShowX509Extensions StringBuilder sb  string cert2SubjectName  X509ExtensionCollection extColl                        int x509ExtensionCount   0              sb Append string Format  --------ShowX509Extensions Start  for  0    cert2SubjectName    System Environment NewLine               foreach  X509Extension ext in extColl                                ShowX509Extension sb    x509ExtensionCount  ext                              sb Append string Format  --------ShowX509Extensions End  for  0    cert2SubjectName    System Environment NewLine                      private static void ShowX509Certificate2 StringBuilder sb  X509Certificate2 cert2                        if  null    cert2                                sb Append string Format  X509Certificate2 SubjectName Name   0     cert2 SubjectName Name    System Environment NewLine                   sb Append string Format  X509Certificate2 Subject   0     cert2 Subject    System Environment NewLine                   sb Append string Format  X509Certificate2 Thumbprint   0     cert2 Thumbprint    System Environment NewLine                   sb Append string Format  X509Certificate2 HasPrivateKey   0     cert2 HasPrivateKey    System Environment NewLine                   sb Append string Format  X509Certificate2 Version   0     cert2 Version    System Environment NewLine                   sb Append string Format  X509Certificate2 NotBefore   0     cert2 NotBefore    System Environment NewLine                   sb Append string Format  X509Certificate2 NotAfter   0     cert2 NotAfter    System Environment NewLine                   sb Append string Format  X509Certificate2 PublicKey Key KeySize   0     cert2 PublicKey Key KeySize    System Environment NewLine                        List lt X509KeyUsageExtension gt  keyUsageExtensions   cert2 Extensions OfType lt X509KeyUsageExtension gt    ToList                        List lt X509Extension gt  extensions   cert2 Extensions OfType lt X509Extension gt    ToList                     ShowX509Extensions sb  cert2 Subject  cert2 Extensions                                    private static void ShowX509ChainElementCollection StringBuilder sb  X509ChainElementCollection ces                        int x509ChainElementCount   0              foreach  X509ChainElement ce in ces                                sb Append string Empty   System Environment NewLine                   sb Append string Format  ----X509ChainElementNumber  0      x509ChainElementCount    System Environment NewLine                   sb Append string Format  X509ChainElement Cert SubjectName Name   0     ce Certificate SubjectName Name    System Environment NewLine                   sb Append string Format  X509ChainElement Cert Issuer   0     ce Certificate Issuer    System Environment NewLine                   sb Append string Format  X509ChainElement Cert Thumbprint   0     ce Certificate Thumbprint    System Environment NewLine                   sb Append string Format  X509ChainElement Cert HasPrivateKey   0     ce Certificate HasPrivateKey    System Environment NewLine                    X509Certificate2 cert2   ce Certificate as X509Certificate2                  ShowX509Certificate2 sb  cert2                    ShowX509Extensions sb  cert2 Subject  ce Certificate Extensions                                    private static void ShowX509Certificate StringBuilder sb  X509Certificate cert                        sb Append  -----------------------------------------------    System Environment NewLine               sb Append string Format  Cert Subject   0     cert Subject    System Environment NewLine               sb Append string Format  Cert Issuer   0     cert Issuer    System Environment NewLine                sb Append string Format  Cert GetPublicKey   Length   0     cert GetPublicKey   Length    System Environment NewLine                X509Certificate2 cert2   cert as X509Certificate2              ShowX509Certificate2 sb  cert2

User · Answer

I finally found the answer  I haven t noted my source but it was from a search     While the code works in Windows XP  in Windows 7  you must add this at the beginning      using System Net  ServicePointManager Expect100Continue   true  ServicePointManager SecurityProtocol   SecurityProtocolType Tls12     Use SecurityProtocolType Ssl3 if needed for compatibility reasons   And now  it works perfectly     ADDENDUM  As mentioned by Robin French  if you are getting this problem while configuring PayPal  please note that they won t support SSL3 starting by December  3rd 2018  You ll need to use TLS  Here s Paypal page about it

User · Answer

Something the original answer didn t have   I added some more code to make it bullet proof   ServicePointManager Expect100Continue   true          ServicePointManager DefaultConnectionLimit   9999          ServicePointManager SecurityProtocol   SecurityProtocolType Tls   SecurityProtocolType Tls11   SecurityProtocolType Tls12   SecurityProtocolType Ssl3

User · Answer

This could be caused by a few things  most likely to least likely     The server s SSL certificate is untrusted by the client  Easiest check is to point a browser at the URL and see if you get an SSL lock icon  If you get a broken lock  icon  click on it to see what the issue is    Expired dates - get a new SSL certificate Name does not match - make sure that your URL uses the same server name as the certificate  Not signed by a trusted authority - buy a certificate from an authority such as Verisign  or add the certificate to the client s trusted certificate store  In test environments you could update your certificate validator to skip access checks  Don t do this in production   Server is requiring Client SSL certificate - in this case you would have to update your code to sign the request with a client certificate

User · Answer

This question can have many answers since it s about a generic error message   We ran into this issue on some of our servers  but not our development machines   After pulling out most of our hair  we found it was a Microsoft bug   https   support microsoft com en-us help 4458166 applications-that-rely-on-tls-1-2-strong-encryption-experience-connect  Essentially  MS assumes you want weaker encryption  but the OS is patched to only allow TLS 1 2  so you receive the dreaded  The request was aborted  Could not create SSL TLS secure channel    There are three fixes     1  Patch the OS with the proper update  http   www catalog update microsoft com Search aspx q kb4458166  2  Add a setting to your app config web config file   3  Add a registry setting that was already mentioned in another answer   All of these are mentioned in the knowledge base article I posted

User · Answer

The top-voted answer will probably be enough for most people  However  in some circumstances  you could continue getting a  Could not create SSL TLS secure channel  error even after forcing TLS 1 2  If so  you may want to consult this helpful article for additional troubleshooting steps  To summarize  independent of the TLS SSL version issue  the client and server must agree on a  cipher suite   During the  handshake  phase of the SSL connection  the client will list its supported cipher-suites for the server to check against its own list  But on some Windows machines  certain common cipher-suites may have been disabled  seemingly due to well-intentioned attempts to limit attack surface   decreasing the possibility of the client  amp  server agreeing on a cipher suite  If they cannot agree  then you may see  fatal alert code 40  in the event viewer and  Could not create SSL TLS secure channel  in your  NET program   The aforementioned article explains how to list all of a machine s potentially-supported cipher suites and enable additional cipher suites through the Windows Registry  To help check which cipher suites are enabled on the client  try visiting this diagnostic page in MSIE   Using System Net tracing may give more definitive results   To check which cipher suites are supported by the server  try this online tool  assuming that the server is Internet-accessible   It should go without saying that Registry edits must be done with caution  especially where networking is involved   Is your machine a remote-hosted VM  If you were to break networking  would the VM  be accessible at all    In my company s case  we enabled several additional  ECDHE ECDSA  suites via Registry edit  to fix an immediate problem and guard against future problems  But if you cannot  or will not  edit the Registry   then numerous workarounds  not necessarily pretty  come to mind  For example  your  NET program could delegate its SSL traffic to a separate Python program  which may itself work  for the same reason that Chrome requests may succeed where MSIE requests fail on an affected machine

User · Answer

From  sameerfair comment  quot For  Net v4 0 I noticed  setting the value of ServicePointManager SecurityProtocol to  SecurityProtocolType 3072 but before creating the HttpWebRequest object helped  quot  The above suggestion worked for me  Below are my code lines which are worked for me var securedwebserviceurl  quot https   somedomain com service quot   ServicePointManager Expect100Continue   true  ServicePointManager SecurityProtocol   SecurityProtocolType Ssl3   SecurityProtocolType Tls12   SecurityProtocolType Tls   SecurityProtocolType Tls11     Skip validation of SSL TLS certificate ServicePointManager ServerCertificateValidationCallback   delegate   return true     var httpWebRequest    HttpWebRequest WebRequest Create securedwebserviceurl   httpWebRequest ContentType    quot application json quot   httpWebRequest Method    quot POST quot   httpWebRequest ProtocolVersion  HttpVersion Version10  var httpResponse    HttpWebResponse httpWebRequest GetResponse    using  var streamReader   new StreamReader httpResponse GetResponseStream       string responseFromServer   streamReader ReadToEnd

User · Answer

For  Net v4 0 I noticed  setting the value of ServicePointManager SecurityProtocol to  SecurityProtocolType 3072 but before creating the HttpWebRequest object helped

User · Answer

I was having this same issue and found this answer worked properly for me   The key is 3072  This link provides the details on the  3072  fix   ServicePointManager SecurityProtocol    SecurityProtocolType 3072   XmlReader r   XmlReader Create url   SyndicationFeed albums   SyndicationFeed Load r     In my case two feeds required the fix   https   www fbi gov feeds fbi-in-the-news atom xml https   www wired com feed category gear latest rss

User · Answer

I had this problem trying to hit https   ct mob0 com Styles Fun png  which is an image distributed by CloudFlare on its CDN that supports crazy stuff like SPDY and weird redirect SSL certs  Instead of specifying Ssl3 as in Simons answer I was able to fix it by going down to Tls12 like this  ServicePointManager SecurityProtocol   SecurityProtocolType Tls12  new WebClient   DownloadData  quot https   ct mob0 com Styles Fun png quot

User · Answer

none of this answer not working for me   the google chrome and postman work and handshake the server but ie and  net not working  in google chrome in security tab   connection show that encrypted and authenticated using ECDHE RSA with P-256 and AES 256 GCM cipher suite to handshake with the server     i install IIS Crypto and in cipher suites list on windows server 2012 R2 ican t find ECDHE RSA with P-256 and AES 256 GCM cipher suite  then i update windows to the last version but the problem not solve  finally after searches i understood that windows server 2012 R2 not support GSM correctly and update my server to windows server 2016 and my problem solved

User · Answer

If you don t want to  can t easily  or can t quickly patch your code  instead  you can force TLS 1 2 usage by your  NET code in the framework   This isn t my app  but it helped hotfix our older  NET 4 5 app  running on Server 2008r2  to work again with Paypal Payflow Gateway  They must have started forcing connections over to TLS 1 2 on the payflow gateway callbacks between 6 25 18 and 7 8 18   Details  https   github com TheLevelUp pos-tls-patcher Download  https   github com TheLevelUp pos-tls-patcher releases

User · Answer

As you can tell there are plenty of reasons this might happen  Thought I would add the cause I encountered       If you set the value of WebRequest Timeout to 0  this is the exception that is thrown  Below is the code I had     Except instead of a hard-coded 0 for the timeout value  I had a parameter which was inadvertently set to 0    WebRequest webRequest   WebRequest Create   https   myservice path    webRequest ContentType    text html   webRequest Method    POST   string body          byte   bytes   Encoding ASCII GetBytes body   webRequest ContentLength   bytes Length  var os   webRequest GetRequestStream    os Write bytes  0  bytes Length   os Close    webRequest Timeout   0    setting the timeout to 0 causes the request to fail WebResponse webResponse   webRequest GetResponse      Exception thrown here

User · Answer

I enabled logging using this code   http   blogs msdn com b dgorti archive 2005 09 18 471003 aspx  The log was in the bin debug folder  I was in Debug mode for my console app   You need to add the security protocol type as SSL 3  I received an algorithm mismatch in the log  Here is my new code              You must change the URL to point to your Web server          HttpWebRequest req    HttpWebRequest WebRequest Create url           req Method    GET           ServicePointManager SecurityProtocol   SecurityProtocolType Ssl3               Skip validation of SSL TLS certificate         ServicePointManager ServerCertificateValidationCallback   delegate   return true               WebResponse respon   req GetResponse            Stream res   respon GetResponseStream             string ret               byte   buffer   new byte 1048           int read   0          while   read   res Read buffer  0  buffer Length    gt  0                        Console Write Encoding ASCII GetString buffer  0  read                ret    Encoding ASCII GetString buffer  0  read                     return ret

User · Answer

I ran into the same issue recently  My environment is running under  NET 4 6 1 with VB NET  That is how I fixed it   ServicePointManager SecurityProtocol   SecurityProtocolType Ssl3 ServicePointManager ServerCertificateValidationCallback   New RemoteCertificateValidationCallback AddressOf util ValidateServerCertificate    and the util ValidateServerCertificate function is   Public Function ValidateServerCertificate ByVal sender As Object  ByVal certificate As X509Certificate  ByVal chain As X509Chain  ByVal sslPolicyErrors As SslPolicyErrors  As Boolean     Return True End Function

User · Answer

The issue for me was that I was trying to deploy on IIS as a web service  I installed the certificate on the server  but the user that runs IIS didn t have the correct permissions on the certificate   How to give ASP NET access to a private key in a certificate in the certificate store

User · Answer

quot The request was aborted  Could not create SSL TLS secure channel quot  exception can occur if the server is returning an HTTP 401 Unauthorized response to the HTTP request  You can determine if this is happening by turning on trace-level System Net logging for your client application  as described in this answer  Once that logging configuration is in place  run the application and reproduce the error  then look in the logging output for a line like this  System Net Information  0    9840  Connection 62912200 - Received status line  Version 1 1  StatusCode 401  StatusDescription Unauthorized   In my situation  I was failing to set a particular cookie that the server was expecting  leading to the server responding to the request with the 401 error  which in turn led to the  quot Could not create SSL TLS secure channel quot  exception

User · Answer

I had this issue uploading a video to Wistia via a command line app  Our system administrator resolved the issue by enabling additional cipher suites using IIScrypto that was listed in the SSL labs scan for upload wistia com  TLS DHE RSA WITH AES 128 GCM SHA256  0x9e    DH 2048 bits   FS    128 TLS DHE RSA WITH AES 256 GCM SHA384  0x9f    DH 2048 bits   FS    256

User · Answer

Define SecurityProtocol  as below This sorted the issue in my case ServicePointManager SecurityProtocol   SecurityProtocolType Tls12

User · Answer

One of the biggest causes of this issue is the active  NET Framework version  The  NET framework runtime version affects which security protocols are enabled by default  There doesn t seem to be any authoritative documentation on how it specifically works in different versions  but it seems the defaults are determined more or less as follows    NET Framework 4 5 and earlier - SSL 3 0  TLS 1 0  NET Framework 4 6 x - TLS 1 0  1 1  1 2  1 3  NET Framework 4 7  - System  OS  Defaults   For the older versions  your mileage may vary somewhat based on which  NET runtimes are installed on the system  For example  there could be a situation where you are using a very old framework and TLS 1 0 is not supported  or using 4 6 x and TLS 1 3 is not supported  Microsoft s documentation strongly advises using 4 7  and the system defaults   We recommend that you   Target  NET Framework 4 7 or later versions on your apps  Target  NET Framework 4 7 1 or later versions on your WCF apps  Do not specify the TLS version  Configure your code to let the OS decide on the TLS version  Perform a thorough code audit to verify you re not specifying a TLS or SSL version    For ASP NET sites  check the targetFramework version in your  lt httpRuntime gt  element  as this  when present  determines which runtime is actually used by your site   lt httpRuntime targetFramework  quot 4 5 quot    gt   Better   lt httpRuntime targetFramework  quot 4 7 quot    gt

User · Answer

Make sure the ServicePointManager settings are made before the HttpWebRequest is created  else it will not work  Works  ServicePointManager Expect100Continue   true  ServicePointManager SecurityProtocol   SecurityProtocolType Tls          SecurityProtocolType Tls11          SecurityProtocolType Tls12          SecurityProtocolType Ssl3   HttpWebRequest request    HttpWebRequest WebRequest Create  quot https   google com api  quot    Fails  HttpWebRequest request    HttpWebRequest WebRequest Create  quot https   google com api  quot    ServicePointManager Expect100Continue   true  ServicePointManager SecurityProtocol   SecurityProtocolType Tls          SecurityProtocolType Tls11          SecurityProtocolType Tls12          SecurityProtocolType Ssl3

User · Answer

The solution to this  in  NET 4 5 is  ServicePointManager SecurityProtocol   SecurityProtocolType Tls12    If you don   t have  NET 4 5 then use  ServicePointManager SecurityProtocol    SecurityProtocolType 3072

User · Answer

In my case I had this problem when a Windows service tried to connected to a web service  Looking in Windows events finally I found a error code      Event ID 36888  Schannel  is raised    The following fatal alert was generated  40  The internal error state is 808    Finally it was related with a Windows Hotfix  In my case  KB3172605 and KB3177186  The proposed solution in vmware forum was add a registry entry in windows  After adding the following registry all works fine       HKEY LOCAL MACHINE SYSTEM CurrentControlSet Control SecurityProviders SCHANNEL KeyExchangeAlgorithms Diffie-Hellman     ClientMinKeyBitLength  dword 00000200  Apparently it s related with a missing value in the https handshake in the client side   List your Windows HotFix   wmic qfe list   Solution Thread   https   communities vmware com message 2604912 2604912  Hope it s helps

User · Answer

I have struggled with this problem all day    When I created a new project with  NET 4 5 I finally got it to work    But if I downgraded to 4 0 I got the same problem again  and it was irreversable for that project  even when i tried to upgrade to 4 5 again    Strange no other error message but  The request was aborted  Could not create SSL TLS secure channel   came up for this error

User · Answer

System Net WebException  The request was aborted  Could not create   SSL TLS secure channel    In our case  we where using a software vendor so we didn t have access to modify the  NET code  Apparently  NET 4 won t use TLS v 1 2 unless there is a change    The fix for us was adding the SchUseStrongCrypto key to the registry  You can copy paste the below code into a text file with the  reg extension and execute it  It served as our  patch  to the problem   Windows Registry Editor Version 5 00   HKEY LOCAL MACHINE SOFTWARE Wow6432Node Microsoft  NETFramework v4 0 30319   SchUseStrongCrypto  dword 00000001   HKEY LOCAL MACHINE SOFTWARE Microsoft  NETFramework v4 0 30319   SchUseStrongCrypto  dword 00000001

User · Answer

Similar to an existing answer but in PowerShell   System Net ServicePointManager   SecurityProtocol      System Net SecurityProtocolType   Tls11 -bor   System Net SecurityProtocolType   Tls12 -bor       System Net SecurityProtocolType   Tls -bor    System Net SecurityProtocolType   Ssl3  Then calling Invoke-WebRequest should work  Got this from anonymous feedback  good suggestion  Simpler way to write this would be   System Net ServicePointManager   SecurityProtocol      quot Tls12 quot   quot Tls11 quot   quot Tls quot   quot Ssl3 quot    Found this fantastic and related post by Jaykul  Validating Self-Signed Certificates From  Net and PowerShell

User · Answer

In case that the client is a windows machine  a possible reason could be that the tls or ssl protocol required by the service is not activated   This can be set in      Control Panel -  Network and Internet -  Internet Options -  Advanced   Scroll settings down to  Security  and choose between     Use SSL 2 0 Use SSL 3 0 Use TLS 1 0 Use TLS 1 1 Use TLS 1 2

User · Answer

I have been getting  the same error on a  NET 4 5 2 Winform application on a Windows 2008 Server  I tried the following fix  ServicePointManager SecurityProtocol   SecurityProtocolType Tls1 SecurityProtocolType Tls11  SecurityProtocolType Tls12  But that didnt work and the number of occurences of the error were still there  As per one of the answers above  Is it mandatory to override the SchUseStrongCrypto key to the registry  Are there any side effects if i set this key  Windows Registry Editor Version 5 00  HKEY LOCAL MACHINE SOFTWARE Wow6432Node Microsoft  NETFramework v4 0 30319   quot SchUseStrongCrypto quot  dword 00000001  HKEY LOCAL MACHINE SOFTWARE Microsoft  NETFramework v4 0 30319   quot SchUseStrongCrypto quot  dword 00000001

User · Answer

Doing this helped me  System Net ServicePointManager SecurityProtocol   SecurityProtocolType Tls12

User · Answer

Another possibility is improper certificate importation on the box  Make sure to select encircled  check box  Initially I didn t do it  so code was either timing out or throwing same exception as private key could not be located

User · Answer

You can try to install a demo certificate  some ssl providers offers them for free for a month  to be sure if the problem is related to cert validity or not

User · Answer

This one is working for me in  MVC webclient public string DownloadSite string RefinedLink        try               Uri address   new Uri RefinedLink            ServicePointManager ServerCertificateValidationCallback   delegate   return true             ServicePointManager SecurityProtocol   SecurityProtocolType Ssl3           System Net ServicePointManager SecurityProtocol   SecurityProtocolType Tls11   SecurityProtocolType Tls12           using  WebClient webClient   new WebClient                          var stream   webClient OpenRead address               using  StreamReader sr   new StreamReader stream                                 var page   sr ReadToEnd                     return page                                     catch  Exception e                log Error  quot DownloadSite - error Lin    quot    RefinedLink  e           return null

User · Answer

This was happening for me on just one site  and it turns out that it only had the RC4 cipher available  In a prior effort to harden the server  I had disabled the RC4 cipher  once I re-enabled this the issue was solved

User · Answer

This fixed for me  add Network Service to permissions  Right click on the certificate   All Tasks   Manage Private Keys      Add      Add  Network Service

User · Answer

The error is generic and there are many reasons why the SSL TLS negotiation may fail  The most common is an invalid or expired server certificate  and you took care of that by providing your own server certificate validation hook  but is not necessarily the only reason  The server may require mutual authentication  it may be configured with a suites of ciphers not supported by your client  it may have a time drift too big for the handshake to succeed and many more reasons    The best solution is to use the SChannel troubleshooting tools set  SChannel is the SSPI provider responsible for SSL and TLS and your client will use it for the handshake  Take a look at TLS SSL Tools and Settings   Also see How to enable Schannel event logging

[c#] The request was aborted: Could not create SSL/TLS secure channel

Examples related to c#

Examples related to asp.net

Examples related to ssl

Examples related to httpwebrequest