Any Client SSL connection: Could not create SSL/TLS secure channel

  • Question

  • Hello All,

    I am developing on Windows 2012 R2.

.NET 4.5. As of the latest Microsoft Patch round, ANY client SSL connection attempt through any technology is regularly refusing to create SSL client connections to any 3rd party.

For instance, we have third party address check services, which we access through either HttpClient or WebRequest.CreateHttp (which obviously have their own code bases).

In addition, we have disabled SSL3/SSL2/PCT 1.0 using the recommended practice against e.g. the Heartbleed SSL attack. (This is well documented, no issues there.)

    My suspicion for the behavior of the BUG:

*something is leaking* inside the .NET framework or even in Windows (schannel.dll?) concerning encryption and/or the SSL negotiation process, so after say, 20 or up to 50 successful requests, NO more requests are being allowed. If we reset the IIS 8 application pool, within a few minutes, the SSL connections are blocked again!

    In addition, the Windows EventLog shows this error from Schannel:

"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40."



    So, do you have any ideas what we could do to fix this or workaround?

    Thank you for co-operating to solve this issue with me!


    Sunday, May 3, 2015 7:42 AM

Answers

  • I found the reason for the TLS/SSL problem.

Somewhere in the assembly, which contains many client endpoints for B2B connections, there was a ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 setting.

    It seems that this setting is global (or better, AppDomain-scoped). So, some partners had SSL3 disabled, but our .NET app, because of this setting, even when it was not set at 'bootstrap level', caused subsequent SSL connections to connect using SSL3 while the B2B partner explicitly wanted TLS.

    After removing the SecurityProtocolType.Ssl3 setting, the SSL problems were gone. However, we still need a 'hack', because the assembly has not been split up into separate AppDomains. (One B2B partner indeed requires SSL3!)

    • Marked as answer by Egbert Nierop Monday, May 18, 2015 12:13 PM
    Monday, May 18, 2015 12:12 PM
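    The answer above comes down to ServicePointManager.SecurityProtocol being static state, which in the .NET Framework is scoped to an AppDomain. The following C# program is an added example (not code from this thread or from the poster's project) showing the AppDomain split the answer mentions: the main domain stays on TLS 1.2 only, and a single request for a partner that needs a wider protocol set runs in a child domain whose setting is discarded when the domain is unloaded. Assumed: .NET Framework 4.5 (no per-request protocol option), the placeholder host legacy-partner.example, and the two protocol sets, which are illustrative; the isolation works the same for any SecurityProtocolType value.

```csharp
using System;
using System.Net;
// Performs one request inside a child AppDomain with its own ServicePointManager state.
// Assumes .NET Framework 4.5, where there is no per-request protocol setting.
public class IsolatedFetcher : MarshalByRefObject
{
    public string Fetch(string url, SecurityProtocolType protocols)
    {
        // Statics are per AppDomain, so this assignment never reaches the caller's domain.
        ServicePointManager.SecurityProtocol = protocols;
        var request = WebRequest.CreateHttp(url);
        using (var response = (HttpWebResponse)request.GetResponse())
            return response.StatusCode + " via " + ServicePointManager.SecurityProtocol;
    }
}

public static class Program
{
    // Everything else in the process negotiates TLS 1.2 only.
    const SecurityProtocolType Modern = SecurityProtocolType.Tls12;
    // The widest set the one legacy partner is granted; it exists only in the child domain.
    const SecurityProtocolType Legacy = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
    public static string FetchIsolated(string url, SecurityProtocolType protocols)
    {
        var domain = AppDomain.CreateDomain("legacy-partner");
        try
        {
            var fetcher = (IsolatedFetcher)domain.CreateInstanceAndUnwrap(
                typeof(IsolatedFetcher).Assembly.FullName, typeof(IsolatedFetcher).FullName);
            return fetcher.Fetch(url, protocols);
        }
        finally { AppDomain.Unload(domain); }  // the child domain's setting dies with it
    }
    public static void Main()
    {
        ServicePointManager.SecurityProtocol = Modern;
        try
        {
            Console.WriteLine(FetchIsolated("https://legacy-partner.example/", Legacy)); // placeholder host
        }
        catch (WebException ex)
        {
            // A peer rejecting the offered protocols sends fatal alert 40 (handshake_failure),
            // which surfaces here as WebExceptionStatus.SecureChannelFailure.
            Console.WriteLine("{0}: {1}", ex.Status, ex.Message);
        }
        // Prints Tls12: the child domain's assignment did not leak into this one.
        Console.WriteLine("Main domain protocol: " + ServicePointManager.SecurityProtocol);
    }
}
```

    The Schannel event in the question (fatal alert 40 from the remote endpoint) is the server-side counterpart of the WebException caught here, so correlating the two is the quickest way to confirm a protocol mismatch rather than a leak.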

All replies

  • Hi Egbert Nierop,

    >>Could not create SSL/TLS secure channel

    Please try to add the following code to see if it helps:

    ServicePointManager.Expect100Continue = true;
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;

    For more information, please try to refer to:
    https://msdn.microsoft.com/en-us/library/system.net.servicepointmanager.expect100continue.aspx .

    Best Regards,
    Amy Peng



    • Proposed as answer by accado liao Monday, May 4, 2015 6:28 AM
    • Unproposed as answer by Egbert Nierop Thursday, May 7, 2015 7:53 AM
    Monday, May 4, 2015 6:28 AM
    Moderator
  • Hi Amy,

SSL3 is deprecated (POODLE attack) and should not be used at all. So I don't see how this could solve the issue. In addition, it happens with ALL TLS connections, so Expect100Continue should at least not be needed with some of the connections.

    Regards

    Tuesday, May 5, 2015 8:19 PM
  • Please to all, are we the only ones with this Windows issue? The code is really not that huge or having faults... (I think)

    Both samples, async and sync code, have the same TLS/SSL problems.

    (Sorry it is VB.NET, not my choice)

    Imports System.IO
    Imports System.Net
    Imports System.Net.Http
    Imports System.Net.Http.Headers
    Imports System.Threading.Tasks
    Imports System.Web
    Imports Newtonsoft.Json

    ' Async sample (HttpClient). Wrapped in a function and given the End Using it was missing.
    Public Async Function GetAddressAsync(postalCode As String, houseNumber As String) As Task(Of ServiceClasses.Classes.AddressBase)
     Using client As New HttpClient()
      client.BaseAddress = Me.ServiceUri
      client.Timeout = TimeSpan.FromMilliseconds(TimeOutms)
      client.DefaultRequestHeaders.Accept.Clear()
      client.DefaultRequestHeaders.Accept.Add(New MediaTypeWithQualityHeaderValue("application/json"))
      client.DefaultRequestHeaders.Authorization = New AuthenticationHeaderValue(
       "Basic",
       Convert.ToBase64String(ASCIIEncoding.ASCII.GetBytes(String.Format("{0}:{1}", username, password))))

      Dim result = Await client.GetAsync(String.Format("{0}/{1}", postalCode, houseNumber))
      If result.IsSuccessStatusCode Then
       ' ReadAsAsync comes from System.Net.Http.Formatting (Microsoft.AspNet.WebApi.Client)
       Dim value = Await result.Content.ReadAsAsync(Of PostcodeNLAddressProviderAddress)()
       If value IsNot Nothing Then
        Return New ServiceClasses.Classes.AddressBase(
         value.street,
         value.houseNumber,
         Nothing,
         value.postcode,
         DataFormatter.FormatCity(value.city))
       End If
      End If
      Return Nothing
     End Using
    End Function

    ' Sync sample (WebRequest). Fixed: toevoeging was passed to String.Format without a {2}
    ' placeholder, so it was silently dropped; the response is now disposed as well.
    Public Function GetAddress(postalCode As String, houseNumber As String, toevoeging As String) As ServiceClasses.Classes.AddressBase
     Dim request = WebRequest.CreateHttp(New Uri(Me.ServiceUri, String.Format("{0}/{1}/{2}", postalCode.Replace(" ", ""), houseNumber, HttpUtility.UrlEncode(toevoeging))))

     request.Accept = "application/json; charset=UTF-8"
     request.Method = "GET"
     request.Timeout = CType(TimeOutms, Integer)
     request.Headers.SetAuthentication(username, password) ' own extension method, not part of the BCL
     'request.Credentials = New NetworkCredential(username, password)
     'request.PreAuthenticate = True
     request.UserAgent = SearchdogDataContext.UserAgent

     Using response = DirectCast(request.GetResponse(), HttpWebResponse)
      Using reader = New StreamReader(response.GetResponseStream())
       Dim newton = New JsonSerializer()
       newton.NullValueHandling = NullValueHandling.Ignore

       Dim value = DirectCast(newton.Deserialize(reader, GetType(PostcodeNLAddressProviderAddress)), PostcodeNLAddressProviderAddress)

       Return New ServiceClasses.Classes.AddressBase(
        value.street,
        value.houseNumber,
        Nothing,
        value.postcode,
        DataFormatter.FormatCity(value.city))
      End Using
     End Using
    End Function


    Thursday, May 7, 2015 7:38 AM
  • Hi Egbert Nierop,

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Best Regards,
    Amy Peng




    Wednesday, May 13, 2015 4:23 AM
    Moderator