This site can't provide a secure connection xxxxxxxx uses an unsupported protocol - WCF self host

  • Question

  • We have a WCF host service which exposes a [WebGet] method on localhost port 9200. We are trying to consume this from JavaScript code. It was working with both IE11 and Chrome v65. After I upgraded to Chrome v68 I started getting the below error:

     

    "This site can’t provide a secure connection xxxxxxx uses an unsupported protocol.

    ERR_SSL_VERSION_OR_CIPHER_MISMATCH.Unsupported protocol

    The client and server don't support a common SSL protocol version or cipher suite."

     

    Any version of Chrome above v68 gives the same error.

    I have pasted my C# code below.

     

    **Service Contract**

     

     

    [WebGet(UriTemplate = "hello", ResponseFormat = WebMessageFormat.Json)]
    [OperationContract]
    string HelloWorld();

     

    **appconfig**

     

           

    <configuration>
      <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.1" />
      </startup>
      <system.serviceModel>
        <services>
          <service name="SelfHostRestService.Service" behaviorConfiguration="ServiceBehavior">
            <endpoint address=""
                      bindingConfiguration="restBinding"
                      binding="webHttpBinding"
                      contract="Contracts.IService"
                      behaviorConfiguration="webBehavior"/>
          </service>
        </services>
        <behaviors>
          <serviceBehaviors>
            <behavior name="ServiceBehavior">
              <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
              <serviceDebug includeExceptionDetailInFaults="true" />
              <dataContractSerializer maxItemsInObjectGraph="6553600" />
              <serviceThrottling maxConcurrentCalls="20" maxConcurrentSessions="40" maxConcurrentInstances="2147483647" />
            </behavior>
          </serviceBehaviors>
          <endpointBehaviors>
            <behavior name="webBehavior">
              <webHttp />
            </behavior>
          </endpointBehaviors>
        </behaviors>
        <bindings>
          <webHttpBinding>
            <binding name="restBinding" crossDomainScriptAccessEnabled="true">
              <security mode="Transport">
                <transport clientCredentialType="None"/>
              </security>
            </binding>
          </webHttpBinding>
        </bindings>
      </system.serviceModel>
    </configuration>

     

    **Service Hosting**

     

       

    Uri netTcpAdddress = new Uri("https://Example.com:9200");
    ServiceHost wHostV2 = new ServiceHost(typeof(Service), netTcpAdddress);
    X509Certificate2 certificate = new X509Certificate2(System.Environment.CurrentDirectory + "\\" + "Example.pfx", "password");
    wHostV2.Credentials.ServiceCertificate.Certificate = certificate;
    wHostV2.Open();
    Console.WriteLine("Service is up and running");
    Console.WriteLine("Press enter to quit ");
    Console.ReadLine();
    wHostV2.Close();

     

    After my analysis, it looks like my service is running on only SSL & TLS 1.0. Below is my NMAP scan result

     

       

    9200/tcp open  ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-server-header: Microsoft-HTTPAPI/2.0
    | ssl-enum-ciphers:
    |   SSLv3:
    |     ciphers:
    |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
    |       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
    |       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
    |       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048) - C
    |     compressors:
    |       NULL
    |     cipher preference: server
    |     warnings:
    |       64-bit block cipher 3DES vulnerable to SWEET32 attack
    |       64-bit block cipher DES vulnerable to SWEET32 attack
    |       Broken cipher RC4 is deprecated by RFC 7465
    |       CBC-mode cipher in SSLv3 (CVE-2014-3566)
    |       Ciphersuite uses MD5 for message integrity
    |   TLSv1.0:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
    |       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
    |       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
    |       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048) - C
    |     compressors:
    |       NULL
    |     cipher preference: server
    |     warnings:
    |       64-bit block cipher 3DES vulnerable to SWEET32 attack
    |       64-bit block cipher DES vulnerable to SWEET32 attack
    |       Broken cipher RC4 is deprecated by RFC 7465
    |       Ciphersuite uses MD5 for message integrity
    |_  least strength: C

     

    I tried to upgrade my .NET Framework to 4.7 as the below blog suggests, but it didn't work.

    https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/retargeting/4.6.2-4.7

     

    Any help is appreciated.

    Wednesday, February 20, 2019 7:59 PM
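A scan like the one in the question can be checked mechanically for legacy-only protocol support and weak-graded ciphers. The script below is an added example, not part of the original post; the function names are hypothetical and the sample input is an abridged excerpt constructed in the shape of the nmap `ssl-enum-ciphers` output quoted above.

```python
import re

# Abridged sample shaped like the scan in the question (constructed, not a new scan).
SAMPLE = """\
9200/tcp open  ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     warnings:
|       Broken cipher RC4 is deprecated by RFC 7465
|_  least strength: C
"""

PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv\d\.\d):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_\w+) \([^)]*\) - ([A-F])\s*$")
MODERN = {"TLSv1.2", "TLSv1.3"}

def parse_enum_ciphers(text):
    """Return {protocol: [(cipher, grade), ...]} from ssl-enum-ciphers text."""
    result, current = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:                      # a new protocol section starts
            current = m.group(1)
            result[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current:          # cipher line inside a protocol section
            result[current].append((m.group(1), m.group(2)))
    return result

def audit(text):
    """Summarise what a hardening review would flag in the scan."""
    protos = parse_enum_ciphers(text)
    return {
        "offered": sorted(protos),
        "legacy_only": not MODERN.intersection(protos),
        "weak": sorted({c for cs in protos.values() for c, g in cs if g != "A"}),
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```
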

All replies