Could not establish secure channel for SSL/TLS with authority 'tls1test.salesforce.com'

  • Hi

    The cloud-based SalesForce product (http://www.salesforce.com/) is disabling support for the TLS 1.0 protocol from April 2016.  However, they currently do and will continue to support TLS 1.1 and 1.2.  They have released a test URL to access their SOAP web service which already has TLS 1.0 disabled, so people like myself can test that everything still works prior to the April deadline.

    It's all documented here https://help.salesforce.com/HTViewSolution?id=000221207&language=en_US

    I've tried updating our Test BizTalk environment to use this new SalesForce test URL, but I get the error below whenever BizTalk attempts to communicate with it.  I'm using BizTalk 2010 on a Windows 2008 R2 server, so it should support TLS 1.1 and TLS 1.2.  The send port is WCF-BasicHttp and security mode Transport.  I thought BizTalk would just use the next supported encryption protocol, but it seems like it's tried TLS 1.0 and gone no further.  Is that what has happened here?  Any help would be greatly appreciated.

    Regards
    Colin.


    An error occurred while processing the message, refer to the details section for more information
    Message ID: {9A176042-F4DB-455A-9523-5219A9490F9B}
    Instance ID: {9B8FAC41-E36A-4569-B74F-EEE850954ECB}
    Error Description: System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority 'tls1test.salesforce.com'. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
       at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
       at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelAsyncRequest.CompleteGetResponse(IAsyncResult result)
       --- End of inner exception stack trace ---

    Server stack trace:
       at System.Runtime.AsyncResult.End[TAsyncResult](IAsyncResult result)
       at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result)
       at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
       at System.ServiceModel.Channels.ServiceChannel.EndRequest(IAsyncResult result)

    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at System.ServiceModel.Channels.IRequestChannel.EndRequest(IAsyncResult result)
       at Microsoft.BizTalk.Adapter.Wcf.Runtime.WcfClient`2.RequestCallback(IAsyncResult result)


    • Edited by ColinCG Wednesday, November 4, 2015 2:41 PM grammar
    Wednesday, November 4, 2015 2:31 PM

Answers

  • Make sure the TLS version you need is enabled. See this MSDN article for details on how to enable it. Windows will use the highest TLS available on both ends out of the box. Let me know if you still have issues.
    • Edited by Mauricio Feijo Wednesday, November 4, 2015 6:32 PM
    • Proposed as answer by Mauricio Feijo Thursday, November 5, 2015 11:13 PM
    • Marked as answer by Angie Xu Monday, November 16, 2015 2:08 AM
    Wednesday, November 4, 2015 6:31 PM

All replies

  • You can use openssl (https://www.openssl.org/community/binaries.html) to troubleshoot an HTTPS connection.

    For example, you can test with the following command whether you can establish a TLS 1.2 connection with Salesforce:

    openssl s_client -connect tls1test.salesforce.com:443 -tls1_2




    Wednesday, November 4, 2015 8:34 PM
  • Hi,

    We faced a similar issue where our Server was supporting SSL 3.0 and we had to enable TLS 1.0

    After identifying that the specific TLS version was not supported by our server we modified the registry at the following location. 

    hkey_local_machine-->System-->CurrentControlSet-->Control-->SecurityProviders-->SCHANNEL-->Protocols-->TLS 1.0

    As your server is also a client in this case, you will simply enable the Client flag.

    Please note that the server will always pick the highest enabled protocol in the registry. So if in my case there was TLS 1.1 enabled then I had to disable it to make sure that TLS 1.0 is picked up.

    Just restart the host instance after doing the change.

    Thursday, November 5, 2015 8:59 AM
  • Hi Mauricio

    I've followed your advice and created those keys in the registry, rebooted, but still get the same error.  Below is a screenshot of my entries on the BizTalk Server.  I've also created a simple C# Windows Forms app to try calling the web service.  I run it on this server and get the same 'Could not create SSL/TLS secure channel' error.  Do you have any other suggestions?

    Friday, November 6, 2015 5:14 PM
  • Hi Colin,

    Thank you for posting in MSDN forum.

    I suspect TLS 1.1/TLS 1.2 is enabled. I would suggest you use wfetch, which is extremely helpful in diagnosing the issue.

    And also please have a look at the article below, which will help you to enable TLS 1.1 and TLS 1.2:

    How to Enable TLS 1.1, TLS 1.2 on Windows Server 2008 R2 and IIS 7.5


    Thanks. If my reply is helpful please mark as answer or vote as helpful.

    Friday, November 6, 2015 9:29 PM
    Moderator
  • Just posting back on this one in case it's of any help to someone else.  After a lot of investigation and testing I finally have a solution to this.  Adding the Client and Server settings in the registry to enable TLS 1.1 and 1.2 was probably required, but this alone did not resolve the problem.

    My understanding is that BizTalk 2010 is based upon .Net 4.0 and that framework version only supports up to TLS 1.0.  Using Wireshark I've confirmed that BizTalk attempts to establish a connection to the Salesforce TLS 1.1/1.2 enabled site using TLS 1.0 and so fails as the site does not accept TLS 1.0 connections.

    .Net 4.5 introduces support for TLS 1.1 and 1.2, but BizTalk is limited to .Net 4.0, so you can't use any explicit settings to make BizTalk use later TLS versions, such as SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12.

    However, you can still install .Net 4.5 on the BizTalk 2010 box, which essentially updates the .Net 4.0 System.dll, adding support for the later TLS versions.  I did this but Wireshark was still showing BizTalk defaulting to TLS 1.0, and this is the case because .Net 4.0 (and 4.5) default to SecurityProtocolType.Tls | SecurityProtocolType.Ssl3, which is TLS 1.0.

    So the last change I made was to add these registry keys to change this default behaviour so that .Net would use the latest TLS version:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

    Once the server was rebooted, Wireshark showed BizTalk talking to Salesforce using TLS 1.2!


    • Edited by ColinCG Thursday, December 31, 2015 12:58 PM formatting
    Thursday, December 31, 2015 12:57 PM
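As an added illustration (not code from this thread or from Microsoft), here is a small Python audit that reads a .reg export in the shape posted in this thread and predicts which TLS versions a .NET 4.x client on the box will offer, following the reasoning in the post above: .NET 4.0 alone speaks only TLS 1.0; .NET 4.5 still defaults to SSL3|TLS 1.0 unless SchUseStrongCrypto=1 is set under both the 64-bit and Wow6432Node keys; and whatever .NET asks for is bounded by the SCHANNEL Client keys. The sample exports are constructed here, and the Windows Server 2008 R2 client defaults assumed when a key is absent (TLS 1.0 on, TLS 1.1 and 1.2 off) are an assumption of this example.

```python
import re

# Constructed .reg export in the shape posted in this thread (not an export from a real server).
FULL_FIX = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
"""

# The same export with the two .NET keys left out: the state described before the final change.
SCHANNEL_ONLY = FULL_FIX.split("[HKEY_LOCAL_MACHINE\\SOFTWARE")[0]

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg(text):
    """Parse the subset of .reg syntax used here (keys plus REG_DWORD values) into {key: {name: int}}."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()          # registry paths are case-insensitive
            reg.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            reg[current][m.group(1).lower()] = int(m.group(2), 16)
    return reg


SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
NETFX_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319",
              r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319")
# Assumed Windows Server 2008 R2 client-side defaults when no key exists (example assumption).
OS_CLIENT_DEFAULTS = {"TLS 1.0": True, "TLS 1.1": False, "TLS 1.2": False}


def client_enabled(reg, proto):
    """Client side of a protocol is usable only if Enabled != 0 and DisabledByDefault == 0."""
    vals = reg.get(f"{SCHANNEL}\\{proto}\\Client".lower())
    if not vals:
        return OS_CLIENT_DEFAULTS[proto]
    return vals.get("enabled", 1) != 0 and vals.get("disabledbydefault", 0) == 0


def strong_crypto(reg):
    """Both the 64-bit and the Wow6432Node key must carry SchUseStrongCrypto=1."""
    return all(reg.get(k.lower(), {}).get("schusestrongcrypto") == 1 for k in NETFX_KEYS)


def dotnet_client_offers(reg, net45_installed=True):
    """Versions a .NET 4.x HttpWebRequest client (used by WCF-BasicHttp) will offer, per the thread."""
    wanted = ["TLS 1.0", "TLS 1.1", "TLS 1.2"] if (net45_installed and strong_crypto(reg)) else ["TLS 1.0"]
    return [p for p in wanted if client_enabled(reg, p)]


def audit(text, net45_installed=True, server_min="TLS 1.1"):
    """server_min models a server that has turned TLS 1.0 off, like tls1test.salesforce.com."""
    reg = parse_reg(text)
    offered = dotnet_client_offers(reg, net45_installed)
    order = list(OS_CLIENT_DEFAULTS)
    return {"schannel_client": {p: client_enabled(reg, p) for p in order},
            "SchUseStrongCrypto": strong_crypto(reg),
            "dotnet_offers": offered,
            "works_against_tls1_disabled_server": any(order.index(p) >= order.index(server_min) for p in offered)}


if __name__ == "__main__":
    print("full fix:     ", audit(FULL_FIX))
    print("schannel only:", audit(SCHANNEL_ONLY))
    print(".NET 4.0 only:", audit(FULL_FIX, net45_installed=False))
```

Run it against `reg export` output from the BizTalk host (both SCHANNEL and .NETFramework keys exported into one file) to see at a glance which of the three preconditions is missing; the common trap the thread illustrates is having the SCHANNEL keys right while .NET still defaults to TLS 1.0.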
  • Hello Colin,

    I am in the same scenario where we need to upgrade our TLS version to 1.1 and above due to the salesforce upgrade. We use a dynamic send port with basichttp and security mode as transport. I keep getting the exact same error you mentioned; I have tried adding all the registry entries, .net 4.5 was there already on our biztalk server which is a windows 2008 R2 server...  Still no luck.

    Any suggestions are really appreciated.

    Monday, January 18, 2016 5:38 PM
  • Hello,

    Could you confirm the following:

    • You have Service Pack 1 installed for W2k8 R2
    • You are using BTS2010
    • You have TLS enabled using the registry settings at the bottom of this message, as well as the two SchUseStrongCrypto entries above
    • You have rebooted
    • You have browsed successfully to https://tls1test.salesforce.com/s/ from IE on the server

    Firstly I would suggest you install Wireshark on your development/staging server and look for the Client Hello message.  It will tell you there what TLS version it is attempting to use.

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001
    
    Tuesday, January 19, 2016 5:49 PM
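The "look for the Client Hello" advice above, worked through as an added example that is not part of the thread: a minimal ClientHello parser that reports which protocol versions a client actually offers, so a .NET 4.0-style hello (legacy_version TLS 1.0, no supported_versions extension) can be told apart from one sent after SchUseStrongCrypto took effect. It goes slightly beyond the thread by also reading the TLS 1.3 supported_versions extension, where the legacy_version field no longer states the real maximum. The sample hellos are constructed inside the block, not captured, and the `server_min` default of TLS 1.1 is this example's model of a server that has disabled TLS 1.0, like tls1test.salesforce.com.

```python
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B   # RFC 8446 supported_versions extension


def build_client_hello(client_version, extensions=b"", record_version=0x0301):
    """Constructed sample ClientHello (not a capture): zero random, empty session id, one cipher suite."""
    body = struct.pack("!H", client_version) + bytes(32)        # client_version + random
    body += b"\x00"                                               # session_id length 0
    body += struct.pack("!H", 2) + b"\x00\x2f"                    # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                                           # compression_methods: null
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello(1)
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def supported_versions_ext(versions):
    payload = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    return struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(payload)) + payload


def parse_client_hello(data):
    """Return the versions a ClientHello offers. The record-layer version is NOT the offered version."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", data[1:5])
    hs = data[5:5 + record_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 34                                                      # skip version + 32-byte random
    pos += 1 + body[pos]                                          # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                                             # cipher_suites
    pos += 1 + body[pos]                                          # compression_methods
    offered = [client_version]                                    # pre-1.3 clients advertise only legacy_version
    if pos + 2 <= len(body):                                      # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS and edata:
                offered = [struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, edata[0], 2)]
    known = [v for v in offered if v in TLS_VERSIONS] or [client_version]   # drop GREASE placeholders
    return {"record_version": TLS_VERSIONS.get(record_version, hex(record_version)),
            "client_version": TLS_VERSIONS.get(client_version, hex(client_version)),
            "offered": [TLS_VERSIONS[v] for v in known],
            "highest_code": max(known),
            "highest": TLS_VERSIONS[max(known)],
            "cipher_suite_count": cs_len // 2}


def will_connect(client_hello, server_min=0x0302):
    """True if a server that rejects everything below server_min (default TLS 1.1) would proceed."""
    return parse_client_hello(client_hello)["highest_code"] >= server_min


# Constructed samples standing in for what Wireshark shows in the Client Hello.
NET40_DEFAULT_HELLO = build_client_hello(0x0301)                                    # SSL3|TLS 1.0 default
STRONG_CRYPTO_HELLO = build_client_hello(0x0303)                                    # after SchUseStrongCrypto=1
TLS13_HELLO = build_client_hello(0x0303, supported_versions_ext([0x0304, 0x0303]))  # modern client

if __name__ == "__main__":
    for name, hello in [("net40", NET40_DEFAULT_HELLO), ("strong", STRONG_CRYPTO_HELLO), ("tls13", TLS13_HELLO)]:
        print(name, parse_client_hello(hello), "connects:", will_connect(hello))
```

When reading a real capture, note that the record-layer version of the first ClientHello is commonly 0x0301 even from a TLS 1.2 client, so Wireshark's top-level "Version" column can mislead; the handshake's client_version (and, for 1.3, supported_versions) is the field that tells you what the client is really asking for.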
  • Hi Colin,

    Sorry I was away for a while.

    UPDATE:Modifying those registry settings did not work, I've chosen the safer path of applying the fix at the code level in BizTalk to support TLS 1.2 and it worked. But that code fix needed .NET framework 4.5 which we are planning to install in production.

    Has anybody faced any issues upgrading to .NET FW 4.5 on a production box that had BizTalk 2010 and .NET FW 4.0?  Was everything good after the 4.5 framework upgrade?

    Monday, February 8, 2016 4:56 PM
  • Hello All,

    I would like to keep you informed that as of now TLS 1.2 is not supported with any existing BizTalk version, not even with the latest 2016 release. We are checking on this request to see if we can support TLS 1.2 in the next BizTalk release.

    Thank you,

    Raj


    • Edited by Rajshekher-BT Friday, July 7, 2017 10:56 PM
    • Proposed as answer by Malisk Thursday, September 28, 2017 10:40 PM
    Friday, July 7, 2017 10:56 PM
  • Raj,

    Are you sure you are correct? We just had a case with Microsoft BizTalk Support where the engineer verified that it is supported to use TLS 1.2 with the WCF-BasicHttp adapter.

    In that case we were using BizTalk 2016, Windows Server 2016 and had created the following keys:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
       "SchUseStrongCrypto"=dword:00000001
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
       "SchUseStrongCrypto"=dword:00000001

    to make it work.

    The engineer let us know that it was not supported to disable TLS 1.0 though.

    Erik


    • Edited by ErikMogensen Monday, September 18, 2017 3:07 PM Formatting
    Monday, September 18, 2017 12:37 PM
  • Sorry for confusion of BizTalk setup/config and web-based adapters. BizTalk core engine needs TLS 1.0 to operate the host so you cannot disable TLS in registry. However you can have both TLS 1.0 and TLS 1.2 enabled and let .NET/WCF-based adapters prefer to use TLS 1.2 with SchUseStrongCrypto=1 registry key. 

    Some web servers may try to negotiate, while others fail on the first attempt. In case you have different TLS settings in different WCF HTTP endpoints, you can use a WCF custom behaviour to set it. You should then keep all TLS 1.0 integration endpoints in one host and all TLS 1.2 integration endpoints in another host, using:

    1. Make sure to keep both TLS 1.0 and TLS 1.2 enabled.
    2. Don't set the SchUseStrongCrypto registry key.
    3. The default behavior at this point will be TLS 1.0 (with fallback to SSL3), so for any WCF send port that needs TLS 1.2, set the System.Net.ServicePointManager.SecurityProtocol property using a custom endpoint behavior within a WCF-Custom send port.
    If you want to allow fallback logic, you can OR it as follows:
    System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12 | System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls | System.Net.SecurityProtocolType.Ssl3;

    It is probably best to have one custom behaviour for TLS 1.0 and one for TLS 1.2 so you are explicit and know what you use and it fails when something changes. Make sure to not mix the different WCF behaviours in the same host as ServicePointManager is a global process setting. 

    Another alternative if you have many BizTalk servers could be to use 2 servers for TLS 1.0 ports and 2 servers for TLS 1.2 ports. 

    • Proposed as answer by Colin Dijkgraaf Wednesday, October 18, 2017 8:14 PM
    Tuesday, September 19, 2017 6:48 AM
  • What do you mean by next release? The next service pack, cumulative update, etc.?
    Thursday, September 28, 2017 10:41 PM
  • Hi BizTalk Guy,

    Modifying those registry settings is not working for me either.

    What was the fix at the code level you did in BizTalk to support TLS 1.2 which worked?  Can you please elaborate on this?

    Regards,

    Vikingsss


    • Edited by vikingss Saturday, August 3, 2019 11:08 AM
    Saturday, August 3, 2019 11:08 AM
  • See this blog post on how to change the Salesforce OAuth behaviour to include setting the TLS version:

    Salesforce disabling TLS 1.0 – How to get it working for API calls via BizTalk

    Saturday, August 3, 2019 10:52 PM