Could not create SSL TLS secure channel despite setting ServerCertificateValidationCallback

Question

I m trying to establish SSL TLS connection to test server with self-signed certificate  Communication through unsecure channel worked without issues   Here is my sample code  which I ve written based on this solutions  Allowing Untrusted SSL Certificates with HttpClient C  Ignore certificate errors   NET client connecting to ssl Web API  ServicePointManager ServerCertificateValidationCallback     sender  cert  chain  sslPolicyErrors    gt  true   var c   new HttpClient    var r   c GetAsync  https   10 3 0 1 8443 rest v1   Result  if  r IsSuccessStatusCode        Log AddMessage r Content Get lt string gt        else       Log AddMessage string Format   0    1      int r StatusCode  r ReasonPhrase        also tried this   var handler   new WebRequestHandler    handler ServerCertificateValidationCallback   delegate   return true     var c   new HttpClient handler         and this  ServicePointManager ServerCertificateValidationCallback   delegate   return true       but each time I ve got an exception   InnerException  System Net Http HttpRequestException     HResult -2146233088     message An error occurred while sending the request     HResult -2146233088    IsTransient false    Message An error occurred while sending the request     InnerException  System Net WebException          HResult -2146233079          message The request was aborted  Could not create SSL TLS secure channel          HResult -2146233079         IsTransient false         Message The request was aborted  Could not create SSL TLS secure channel          Source System         StackTrace               at System Net HttpWebRequest EndGetResponse IAsyncResult asyncResult               at System Net Http HttpClientHandler GetResponseCallback IAsyncResult ar          InnerException     What do I do wrong  Why I can t connect to this server  which has invalid-self-signed certificate

User · Accepted Answer

You are doing it right with ServerCertificateValidationCallback. This is not the problem you are facing. The problem you are facing is most likely the version of SSL/TLS protocol.

For example, if your server offers only SSLv3 and TLSv10 and your client needs TLSv12 then you will receive this error message. What you need to do is to make sure that both client and server have a common protocol version supported.

When I need a client that is able to connect to as many servers as possible (rather than to be as secure as possible) I use this (together with setting the validation callback):

  ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

User · Answer

We have been solving the same problem just today  and all you need to do is to increase the runtime version of  NET  4 5 2 didn t work for us with the above problem  while 4 6 1 was OK  If you need to keep the  NET version  then set  ServicePointManager SecurityProtocol   SecurityProtocolType Ssl3   SecurityProtocolType Tls   SecurityProtocolType Tls11   SecurityProtocolType Tls12

User · Answer

Just as a follow up for anyone still running into this     I had added the ServicePointManager SecurityProfile options as noted in the solution   ServicePointManager SecurityProtocol   SecurityProtocolType Ssl3   SecurityProtocolType Tls   SecurityProtocolType Tls11   SecurityProtocolType Tls12    And yet I continued to get the same    The request was aborted  Could not create SSL TLS secure channel    error   I was attempting to connect to some older voice servers with HTTPS SOAP API interfaces  i e  voice mail  IP phone systems etc    installed years ago    These only support SSL3 connections as they were last updated years ago   One would think including SSl3 in the list of SecurityProtocols would do the trick here  but it didn   t   The only way I could force the connection was to include ONLY the Ssl3 protocol and no others   ServicePointManager SecurityProtocol   SecurityProtocolType Ssl3    Then the connection goes through     seems like a bug to me but this didn   t start throwing errors until recently on tools I provide for these servers that have been out there for years     I believe Microsoft has started rolling out system changes that have updated this behavior to force TLS connections unless there is no other alternative    Anyway     if you   re still running into this against some old sites servers  it   s worth giving it a try

User · Answer

move this line  ServicePointManager SecurityProtocol   SecurityProtocolType Ssl3   SecurityProtocolType Tls   SecurityProtocolType Tls11   SecurityProtocolType Tls12   Before this line  HttpWebRequest request    HttpWebRequest WebRequest Create uri    Original post  KB4344167 security update breaks TLS Code

User · Answer

In my case TLS1 2 was enabled both on client and server but the server was using MD5 while client disabled it  So  test both client and server on http   ssllabs com or test using openssl s client to see what s happening  Also  check the selected cipher using Wireshark

User · Answer

If you are using a new domain name  and you have done all the above and you are still getting the same error  check to see if you clear the DNS cache on your PC  Clear your DNS for more details   Windows   8  To clear your DNS cache if you use Windows 8  perform the following steps   On your keyboard  press Win X to open the WinX Menu   Right-click Command Prompt and select Run as Administrator   Run the following command   ipconfig  flushdns  If the command succeeds  the system returns the following message   Windows IP configuration successfully flushed the DNS Resolver Cache   Windows   7  To clear your DNS cache if you use Windows 7  perform the following steps   Click Start   Enter cmd in the Start menu search text box   Right-click Command Prompt and select Run as Administrator   Run the following command   ipconfig  flushdns  If the command succeeds  the system returns the following message  Windows IP configuration successfully flushed the DNS Resolver Cache

User · Answer

I came across this thread because I also had the error Could not create SSL TLS secure channel   In my case  I was attempting to access a Siebel configuration REST API from PowerShell using Invoke-RestMethod  and none of the suggestions above helped     Eventually I stumbled across the cause of my problem  the server I was contacting required client certificate authentication   To make the calls work  I had to provide the client certificate  including the private key  with the -Certificate parameter    Pwd    certificatepassword   Pfx   New-Object -TypeName  System Security Cryptography X509Certificates X509Certificate2   Pfx Import  clientcert p12    Pwd   Exportable PersistKeySet   Invoke-RestMethod -Uri  https   your rest host api   -Certificate  Pfx -OtherParam       Hopefully my experience might help someone else who has my particular flavour of this problem

User · Answer

TLS 1 0 and 1 1 are now End of Life   A package on our Amazon web server updated  and we started getting this error   The answer is above  but you shouldn t use tls or tls11 anymore   Specifically for ASP Net  add this to one of your startup methods           public Startup                         ServicePointManager SecurityProtocol   SecurityProtocolType Ssl3   SecurityProtocolType Tls12    but I m sure that something like this will work in many other cases

[c#] Could not create SSL/TLS secure channel, despite setting ServerCertificateValidationCallback

Examples related to c#

Examples related to ssl

Examples related to https