Reputation: 4144
The request was aborted: Could not create SSL/TLS secure channel
My customer has informed my of issues with their SSL and Internet Explorer. They said they get trust issues when accessing the URL.
I am accessing JSON through HTTPS. The website sits on one server and I am using the console app on my local machine. I am trying to bypass the SSL Cert, however, my code still fails.
Can I alter HttpWebRequest to fix this problem?
I get this error using this code:
// You must change the URL to point to your Web server.
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
req.Method = "GET";
req.AllowAutoRedirect = true;
// allows for validation of SSL conversations
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
WebResponse respon = req.GetResponse();
Stream res = respon.GetResponseStream();
string ret = "";
byte[] buffer = new byte[1048];
int read = 0;
while ((read = res.Read(buffer, 0, buffer.Length)) > 0)
{
//Console.Write(Encoding.ASCII.GetString(buffer, 0, read));
ret += Encoding.ASCII.GetString(buffer, 0, read);
}
return ret;
The request was aborted: Could not create SSL/TLS secure channel
Upvotes: 84
Views: 219594
Answers (15)
Reputation: 123
From @sameerfair's comment:
For .NET v4.0 I noticed, setting the value of ServicePointManager.SecurityProtocol to (SecurityProtocolType)3072 but before creating the HttpWebRequest object helped.
The above suggestion worked for me. Below are my code lines which are worked for me
var securedwebserviceurl="https://somedomain.com/service";
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls12 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11;
// Skip validation of SSL/TLS certificate
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
var httpWebRequest = (HttpWebRequest)WebRequest.Create(securedwebserviceurl);
httpWebRequest.ContentType = "application/json";
httpWebRequest.Method = "POST";
httpWebRequest.ProtocolVersion= HttpVersion.Version10;
var httpResponse = (HttpWebResponse)httpWebRequest.GetResponse();
using (var streamReader = new StreamReader(httpResponse.GetResponseStream())) {
string responseFromServer = streamReader.ReadToEnd();
}
Upvotes: 2
Reputation: 1722
This error showed up for me as a symptom of AppLocker blocking a PowerShell script. As soon as I ran it from a whitelisted location, no more issues.
Upvotes: 0
Reputation: 101
It can be useful when the server where your application is hosted supports only Tls 1.2. In this case you'll need remove old insecure protocols, and keep only Tls 1.2:
// Remove insecure protocols (SSL3, TLS 1.0, TLS 1.1)
ServicePointManager.SecurityProtocol &= ~SecurityProtocolType.Ssl3;
ServicePointManager.SecurityProtocol &= ~SecurityProtocolType.Tls;
ServicePointManager.SecurityProtocol &= ~SecurityProtocolType.Tls11;
// Add TLS 1.2
ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
Upvotes: 0
Reputation: 1461
Unfortunately none of the answers mentioned above worked for me. Below listed code did a wonder for me. In case if it helps someone.
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls
| SecurityProtocolType.Tls11
| SecurityProtocolType.Tls12
| SecurityProtocolType.Ssl3;
And this must set before creating the HttpWebRequest.
Upvotes: 2
Reputation: 66
This worked for me :
ServicePointManager.ServerCertificateValidationCallback = (snder, cert, chain, error) => true;
if it doesn't work, it may work with other solutions like this :
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
ServicePointManager.ServerCertificateValidationCallback = (snder, cert, chain, error) => true;
Upvotes: 1
Reputation: 2622
This worked for me :
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls
| SecurityProtocolType.Tls11
| SecurityProtocolType.Tls12
| SecurityProtocolType.Ssl3;
Upvotes: 0
Reputation: 689
Similar to an existing answer but in PowerShell:
[System.Net.ServicePointManager]::SecurityProtocol = `
[System.Net.SecurityProtocolType]::Tls11 -bor
[System.Net.SecurityProtocolType]::Tls12 -bor `
[System.Net.SecurityProtocolType]::Tls -bor `
[System.Net.SecurityProtocolType]::Ssl3
Then calling Invoke-WebRequest should work.
Got this from anonymous feedback, good suggestion: Simpler way to write this would be:
[System.Net.ServicePointManager]::SecurityProtocol = @("Tls12","Tls11","Tls","Ssl3")
Found this fantastic and related post by Jaykul: Validating Self-Signed Certificates From .Net and PowerShell
Upvotes: 15
Reputation: 1598
Define SecurityProtocol as below.This sorted the issue in my case
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
Upvotes: 1
Reputation: 426
For .Net v4.0 I noticed, setting the value of ServicePointManager.SecurityProtocol to (SecurityProtocolType)3072 but before creating the HttpWebRequest object helped.
Upvotes: 7
Reputation: 139
Also received "Could not create SSL/TLS secure channel" error. This is what worked for me. System.Net.ServicePointManager.SecurityProtocol = (System.Net.SecurityProtocolType)3072;
Upvotes: 4
Reputation: 4144
I enabled logging using this code:
http://blogs.msdn.com/b/dgorti/archive/2005/09/18/471003.aspx
The log was in the bin/debug folder (I was in Debug mode for my console app). You need to add the security protocol type as SSL 3
I received an algorithm mismatch in the log. Here is my new code:
// You must change the URL to point to your Web server.
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
req.Method = "GET";
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
// Skip validation of SSL/TLS certificate
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
WebResponse respon = req.GetResponse();
Stream res = respon.GetResponseStream();
string ret = "";
byte[] buffer = new byte[1048];
int read = 0;
while ((read = res.Read(buffer, 0, buffer.Length)) > 0)
{
Console.Write(Encoding.ASCII.GetString(buffer, 0, read));
ret += Encoding.ASCII.GetString(buffer, 0, read);
}
return ret;
Upvotes: 29
Reputation: 27904
I found the type of certificate also comes into play.
I had a cert that was:
(the below output was in mmc , certificate properties )
Digital Signature, Key Encipherment (a0)
(the below output was from my C# code below)
X509Extension.X509KeyUsageExtension.KeyUsages='KeyEncipherment, DigitalSignature' X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.CrlSign='False' X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.DataEncipherment='False' X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.DecipherOnly='False' X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.DigitalSignature='True' X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.EncipherOnly='False' X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.KeyAgreement='False' X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.KeyCertSign='False' X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.KeyEncipherment='True' X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.None='False' X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.NonRepudiation='False'
the above did not work.
===============================
Then another certificate with :
(the below output was in mmc , certificate properties )
Certificate Signing, Off-line CRL Signing, CRL Signing (06)
(the below output was from my C# code below)
X509Extension.X509KeyUsageExtension.KeyUsages='CrlSign, KeyCertSign' X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.CrlSign='True' X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.DataEncipherment='False' X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.DecipherOnly='False' X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.DigitalSignature='False' X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.EncipherOnly='False' X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.KeyAgreement='False' X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.KeyCertSign='True' X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.KeyEncipherment='False' X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.None='False' X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.NonRepudiation='False'
and it did work
The below code will allow you to inspect your client certificate
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
namespace MyNamespace
{
public static class SecurityShower
{
public static void ShowHttpWebRequest(System.Net.HttpWebRequest hwr)
{
StringBuilder sb = new StringBuilder();
if (null != hwr)
{
sb.Append("-----------------------------------------------HttpWebRequest" + System.Environment.NewLine);
sb.Append(string.Format("HttpWebRequest.Address.AbsolutePath='{0}'", hwr.Address.AbsolutePath) + System.Environment.NewLine);
sb.Append(string.Format("HttpWebRequest.Address.AbsoluteUri='{0}'", hwr.Address.AbsoluteUri) + System.Environment.NewLine);
sb.Append(string.Format("HttpWebRequest.Address='{0}'", hwr.Address) + System.Environment.NewLine);
sb.Append(string.Format("HttpWebRequest.RequestUri.AbsolutePath='{0}'", hwr.RequestUri.AbsolutePath) + System.Environment.NewLine);
sb.Append(string.Format("HttpWebRequest.RequestUri.AbsoluteUri='{0}'", hwr.RequestUri.AbsoluteUri) + System.Environment.NewLine);
sb.Append(string.Format("HttpWebRequest.RequestUri='{0}'", hwr.RequestUri) + System.Environment.NewLine);
foreach (X509Certificate cert in hwr.ClientCertificates)
{
sb.Append("START*************************************************");
ShowX509Certificate(sb, cert);
sb.Append("END*************************************************");
}
}
string result = sb.ToString();
Console.WriteLine(result);
}
public static void ShowCertAndChain(X509Certificate2 cert)
{
X509Chain chain = new X509Chain();
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
////chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreCtlSignerRevocationUnknown &&
////X509VerificationFlags.IgnoreRootRevocationUnknown &&
////X509VerificationFlags.IgnoreEndRevocationUnknown &&
////X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown &&
////X509VerificationFlags.IgnoreCtlNotTimeValid;
chain.Build(cert);
ShowCertAndChain(cert, chain);
}
public static void ShowCertAndChain(X509Certificate cert, X509Chain chain)
{
StringBuilder sb = new StringBuilder();
if (null != cert)
{
ShowX509Certificate(sb, cert);
}
if (null != chain)
{
sb.Append("-X509Chain(Start)-" + System.Environment.NewLine);
////sb.Append(string.Format("Cert.ChainStatus='{0}'", string.Join(",", chain.ChainStatus.ToList())) + System.Environment.NewLine);
foreach (X509ChainStatus cstat in chain.ChainStatus)
{
sb.Append(string.Format("X509ChainStatus::'{0}'-'{1}'", cstat.Status.ToString(), cstat.StatusInformation) + System.Environment.NewLine);
}
X509ChainElementCollection ces = chain.ChainElements;
ShowX509ChainElementCollection(sb, ces);
sb.Append("-X509Chain(End)-" + System.Environment.NewLine);
}
string result = sb.ToString();
Console.WriteLine(result);
}
private static void ShowX509Extension(StringBuilder sb, int x509ExtensionCount, X509Extension ext)
{
sb.Append(string.Empty + System.Environment.NewLine);
sb.Append(string.Format("--------X509ExtensionNumber(Start):{0}", x509ExtensionCount) + System.Environment.NewLine);
sb.Append(string.Format("X509Extension.Critical='{0}'", ext.Critical) + System.Environment.NewLine);
AsnEncodedData asndata = new AsnEncodedData(ext.Oid, ext.RawData);
sb.Append(string.Format("Extension type: {0}", ext.Oid.FriendlyName) + System.Environment.NewLine);
sb.Append(string.Format("Oid value: {0}", asndata.Oid.Value) + System.Environment.NewLine);
sb.Append(string.Format("Raw data length: {0} {1}", asndata.RawData.Length, Environment.NewLine) + System.Environment.NewLine);
sb.Append(asndata.Format(true) + System.Environment.NewLine);
X509BasicConstraintsExtension basicEx = ext as X509BasicConstraintsExtension;
if (null != basicEx)
{
sb.Append("-X509BasicConstraintsExtension-" + System.Environment.NewLine);
sb.Append(string.Format("X509Extension.X509BasicConstraintsExtension.CertificateAuthority='{0}'", basicEx.CertificateAuthority) + System.Environment.NewLine);
}
X509EnhancedKeyUsageExtension keyEx = ext as X509EnhancedKeyUsageExtension;
if (null != keyEx)
{
sb.Append("-X509EnhancedKeyUsageExtension-" + System.Environment.NewLine);
sb.Append(string.Format("X509Extension.X509EnhancedKeyUsageExtension.EnhancedKeyUsages='{0}'", keyEx.EnhancedKeyUsages) + System.Environment.NewLine);
foreach (Oid oi in keyEx.EnhancedKeyUsages)
{
sb.Append(string.Format("------------EnhancedKeyUsages.Oid.FriendlyName='{0}'", oi.FriendlyName) + System.Environment.NewLine);
sb.Append(string.Format("------------EnhancedKeyUsages.Oid.Value='{0}'", oi.Value) + System.Environment.NewLine);
}
}
X509KeyUsageExtension usageEx = ext as X509KeyUsageExtension;
if (null != usageEx)
{
sb.Append("-X509KeyUsageExtension-" + System.Environment.NewLine);
sb.Append(string.Format("X509Extension.X509KeyUsageExtension.KeyUsages='{0}'", usageEx.KeyUsages) + System.Environment.NewLine);
sb.Append(string.Format("X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.CrlSign='{0}'", (usageEx.KeyUsages & X509KeyUsageFlags.CrlSign) != 0) + System.Environment.NewLine);
sb.Append(string.Format("X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.DataEncipherment='{0}'", (usageEx.KeyUsages & X509KeyUsageFlags.DataEncipherment) != 0) + System.Environment.NewLine);
sb.Append(string.Format("X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.DecipherOnly='{0}'", (usageEx.KeyUsages & X509KeyUsageFlags.DecipherOnly) != 0) + System.Environment.NewLine);
sb.Append(string.Format("X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.DigitalSignature='{0}'", (usageEx.KeyUsages & X509KeyUsageFlags.DigitalSignature) != 0) + System.Environment.NewLine);
sb.Append(string.Format("X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.EncipherOnly='{0}'", (usageEx.KeyUsages & X509KeyUsageFlags.EncipherOnly) != 0) + System.Environment.NewLine);
sb.Append(string.Format("X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.KeyAgreement='{0}'", (usageEx.KeyUsages & X509KeyUsageFlags.KeyAgreement) != 0) + System.Environment.NewLine);
sb.Append(string.Format("X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.KeyCertSign='{0}'", (usageEx.KeyUsages & X509KeyUsageFlags.KeyCertSign) != 0) + System.Environment.NewLine);
sb.Append(string.Format("X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.KeyEncipherment='{0}'", (usageEx.KeyUsages & X509KeyUsageFlags.KeyEncipherment) != 0) + System.Environment.NewLine);
sb.Append(string.Format("X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.None='{0}'", (usageEx.KeyUsages & X509KeyUsageFlags.None) != 0) + System.Environment.NewLine);
sb.Append(string.Format("X509KeyUsageExtension.KeyUsages.X509KeyUsageFlags.NonRepudiation='{0}'", (usageEx.KeyUsages & X509KeyUsageFlags.NonRepudiation) != 0) + System.Environment.NewLine);
}
X509SubjectKeyIdentifierExtension skIdEx = ext as X509SubjectKeyIdentifierExtension;
if (null != skIdEx)
{
sb.Append("-X509SubjectKeyIdentifierExtension-" + System.Environment.NewLine);
sb.Append(string.Format("X509Extension.X509SubjectKeyIdentifierExtension.Oid='{0}'", skIdEx.Oid) + System.Environment.NewLine);
sb.Append(string.Format("X509Extension.X509SubjectKeyIdentifierExtension.SubjectKeyIdentifier='{0}'", skIdEx.SubjectKeyIdentifier) + System.Environment.NewLine);
}
sb.Append(string.Format("--------X509ExtensionNumber(End):{0}", x509ExtensionCount) + System.Environment.NewLine);
}
private static void ShowX509Extensions(StringBuilder sb, string cert2SubjectName, X509ExtensionCollection extColl)
{
int x509ExtensionCount = 0;
sb.Append(string.Format("--------ShowX509Extensions(Start):for:{0}", cert2SubjectName) + System.Environment.NewLine);
foreach (X509Extension ext in extColl)
{
ShowX509Extension(sb, ++x509ExtensionCount, ext);
}
sb.Append(string.Format("--------ShowX509Extensions(End):for:{0}", cert2SubjectName) + System.Environment.NewLine);
}
private static void ShowX509Certificate2(StringBuilder sb, X509Certificate2 cert2)
{
if (null != cert2)
{
sb.Append(string.Format("X509Certificate2.SubjectName.Name='{0}'", cert2.SubjectName.Name) + System.Environment.NewLine);
sb.Append(string.Format("X509Certificate2.Subject='{0}'", cert2.Subject) + System.Environment.NewLine);
sb.Append(string.Format("X509Certificate2.Thumbprint='{0}'", cert2.Thumbprint) + System.Environment.NewLine);
sb.Append(string.Format("X509Certificate2.HasPrivateKey='{0}'", cert2.HasPrivateKey) + System.Environment.NewLine);
sb.Append(string.Format("X509Certificate2.Version='{0}'", cert2.Version) + System.Environment.NewLine);
sb.Append(string.Format("X509Certificate2.NotBefore='{0}'", cert2.NotBefore) + System.Environment.NewLine);
sb.Append(string.Format("X509Certificate2.NotAfter='{0}'", cert2.NotAfter) + System.Environment.NewLine);
sb.Append(string.Format("X509Certificate2.PublicKey.Key.KeySize='{0}'", cert2.PublicKey.Key.KeySize) + System.Environment.NewLine);
////List<X509KeyUsageExtension> keyUsageExtensions = cert2.Extensions.OfType<X509KeyUsageExtension>().ToList();
////List<X509Extension> extensions = cert2.Extensions.OfType<X509Extension>().ToList();
ShowX509Extensions(sb, cert2.Subject, cert2.Extensions);
}
}
private static void ShowX509ChainElementCollection(StringBuilder sb, X509ChainElementCollection ces)
{
int x509ChainElementCount = 0;
foreach (X509ChainElement ce in ces)
{
sb.Append(string.Empty + System.Environment.NewLine);
sb.Append(string.Format("----X509ChainElementNumber:{0}", ++x509ChainElementCount) + System.Environment.NewLine);
sb.Append(string.Format("X509ChainElement.Cert.SubjectName.Name='{0}'", ce.Certificate.SubjectName.Name) + System.Environment.NewLine);
sb.Append(string.Format("X509ChainElement.Cert.Issuer='{0}'", ce.Certificate.Issuer) + System.Environment.NewLine);
sb.Append(string.Format("X509ChainElement.Cert.Thumbprint='{0}'", ce.Certificate.Thumbprint) + System.Environment.NewLine);
sb.Append(string.Format("X509ChainElement.Cert.HasPrivateKey='{0}'", ce.Certificate.HasPrivateKey) + System.Environment.NewLine);
X509Certificate2 cert2 = ce.Certificate as X509Certificate2;
ShowX509Certificate2(sb, cert2);
ShowX509Extensions(sb, cert2.Subject, ce.Certificate.Extensions);
}
}
private static void ShowX509Certificate(StringBuilder sb, X509Certificate cert)
{
sb.Append("-----------------------------------------------" + System.Environment.NewLine);
sb.Append(string.Format("Cert.Subject='{0}'", cert.Subject) + System.Environment.NewLine);
sb.Append(string.Format("Cert.Issuer='{0}'", cert.Issuer) + System.Environment.NewLine);
sb.Append(string.Format("Cert.GetPublicKey().Length='{0}'", cert.GetPublicKey().Length) + System.Environment.NewLine);
X509Certificate2 cert2 = cert as X509Certificate2;
ShowX509Certificate2(sb, cert2);
}
}
}
Upvotes: 0
Reputation: 659
Please see below link once. SecurityProtocolType.SsL3 is now old.
http://codemust.com/poodle-vulnerability-fix-openssl/
Upvotes: 1
Reputation: 2161
I had to enable other security protocol versions to resolve the issue:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls
| SecurityProtocolType.Tls11
| SecurityProtocolType.Tls12
| SecurityProtocolType.Ssl3;
Upvotes: 165
Reputation: 667
This could be caused by a few things (most likely to least likely):
The server's SSL certificate is untrusted by the client. Easiest check is to point a browser at the URL and see if you get an SSL lock icon. If you get a broken lock, icon, click on it to see what the issue is:
- Expired dates - get a new SSL certificate
- Name does not match - make sure that your URL uses the same server name as the certificate.
- Not signed by a trusted authority - buy a certificate from an authority such as Verisign, or add the certificate to the client's trusted certificate store.
- In test environments you could update your certificate validator to skip access checks. Don't do this in production.
Server is requiring Client SSL certificate - in this case you would have to update your code to sign the request with a client certificate.
Upvotes: 7
Related Questions
- The request was aborted: Could not create SSL/TLS secure channel
- The request was aborted: Could not create SSL/TLS secure channel for HttpWebRequest
- The request was aborted could not create SSL/TLS secure channel - HttpWebRequest
- WebRequest Error - Could not create SSL/TLS secure channel
- the request was aborted Could not a create SSL/TLS secure channel webClient C#
- HttpWebRequest::GetResponse - The request was aborted: Could not create SSL/TLS secure channel
- The request was aborted: Could not create SSL/TLS secure channel
- HTTPWebRequest Could not create SSL/TLS secure channel
- HttpWebRequest results in “The request was aborted: Could not create SSL/TLS secure channel” and returned code=AlgorithmMismatch
- The request was aborted: Could not create SSL/TLS secure channel Exception