Reputation: 1522
Could not create SSL/TLS secure channel, despite setting ServerCertificateValidationCallback
I'm trying to establish SSL/TLS connection to test server with self-signed certificate. Communication through unsecure channel worked without issues.
Here is my sample code, which I've written based on this solutions: Allowing Untrusted SSL Certificates with HttpClient C# Ignore certificate errors? .NET client connecting to ssl Web API
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
var c = new HttpClient();
var r = c.GetAsync("https://10.3.0.1:8443/rest/v1").Result;
if (r.IsSuccessStatusCode)
{
Log.AddMessage(r.Content.Get<string>());
}
else
{
Log.AddMessage(string.Format("{0} ({1})", (int)r.StatusCode, r.ReasonPhrase));
}
also tried this:
var handler = new WebRequestHandler();
handler.ServerCertificateValidationCallback = delegate { return true; };
var c = new HttpClient(handler);
...
and this
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
but each time I've got an exception:
InnerException: System.Net.Http.HttpRequestException
_HResult=-2146233088
_message=An error occurred while sending the request.
HResult=-2146233088
IsTransient=false
Message=An error occurred while sending the request.
InnerException: System.Net.WebException
_HResult=-2146233079
_message=The request was aborted: Could not create SSL/TLS secure channel.
HResult=-2146233079
IsTransient=false
Message=The request was aborted: Could not create SSL/TLS secure channel.
Source=System
StackTrace:
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
InnerException:
What do I do wrong? Why I can't connect to this server (which has invalid-self-signed certificate)
Upvotes: 105
Views: 233549
Answers (10)
Reputation: 49
If you use .net framework 4.0 use the below line
ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
Upvotes: 0
Reputation: 31
If will work perfect if you specify only TLS in security protocol.
try {
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
ServicePointManager.ServerCertificateValidationCallback = delegate {
return true;
};
var webClient = new WebClient();
var s = webClient.DownloadString("https://google.com");
Console.WriteLine(s);
} catch (Exception ex) {
Console.WriteLine(ex);
}
Console.ReadLine();
Upvotes: 0
Reputation: 111
I'm using .NET version 4.8 and specifying the SSL protocol during the initialization of the HttpClient worked for me to resolve this issue, as shown below.
var client = new HttpClient(new HttpClientHandler { SslProtocols = SslProtocols.Tls12});
Upvotes: 11
Reputation: 2476
TLS 1.0 and 1.1 are now End of Life. A package on our Amazon web server updated, and we started getting this error.
The answer is above, but you shouldn't use tls or tls11 anymore.
Specifically for ASP.Net, add this to one of your startup methods.
public Startup()
{
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls12;
but I'm sure that something like this will work in many other cases.
Upvotes: 1
Reputation: 34034
In my case TLS1_2 was enabled both on client and server but the server was using MD5 while client disabled it. So, test both client and server on http://ssllabs.com or test using openssl/s_client to see what's happening. Also, check the selected cipher using Wireshark.
Upvotes: 2
Reputation: 131
I came across this thread because I also had the error Could not create SSL/TLS secure channel. In my case, I was attempting to access a Siebel configuration REST API from PowerShell using Invoke-RestMethod, and none of the suggestions above helped.
Eventually I stumbled across the cause of my problem: the server I was contacting required client certificate authentication.
To make the calls work, I had to provide the client certificate (including the private key) with the -Certificate parameter:
$Pwd = 'certificatepassword'
$Pfx = New-Object -TypeName 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$Pfx.Import('clientcert.p12', $Pwd, 'Exportable,PersistKeySet')
Invoke-RestMethod -Uri 'https://your.rest.host/api/' -Certificate $Pfx -OtherParam ...
Hopefully my experience might help someone else who has my particular flavour of this problem.
Upvotes: 0
Reputation: 215
move this line: ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
Before this line: HttpWebRequest request = (HttpWebRequest)WebRequest.Create(uri);
Original post: KB4344167 security update breaks TLS Code
Upvotes: 7
Reputation: 973
We have been solving the same problem just today, and all you need to do is to increase the runtime version of .NET
4.5.2 didn't work for us with the above problem, while 4.6.1 was OK
If you need to keep the .NET version, then set
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
Upvotes: 36
Reputation: 361
Just as a follow up for anyone still running into this – I had added the ServicePointManager.SecurityProfile options as noted in the solution:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
And yet I continued to get the same “The request was aborted: Could not create SSL/TLS secure channel” error. I was attempting to connect to some older voice servers with HTTPS SOAP API interfaces (i.e. voice mail, IP phone systems etc… installed years ago). These only support SSL3 connections as they were last updated years ago.
One would think including SSl3 in the list of SecurityProtocols would do the trick here, but it didn’t. The only way I could force the connection was to include ONLY the Ssl3 protocol and no others:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
Then the connection goes through – seems like a bug to me but this didn’t start throwing errors until recently on tools I provide for these servers that have been out there for years – I believe Microsoft has started rolling out system changes that have updated this behavior to force TLS connections unless there is no other alternative.
Anyway – if you’re still running into this against some old sites/servers, it’s worth giving it a try.
Upvotes: 19
Reputation: 4178
You are doing it right with ServerCertificateValidationCallback. This is not the problem you are facing. The problem you are facing is most likely the version of SSL/TLS protocol.
For example, if your server offers only SSLv3 and TLSv10 and your client needs TLSv12 then you will receive this error message. What you need to do is to make sure that both client and server have a common protocol version supported.
When I need a client that is able to connect to as many servers as possible (rather than to be as secure as possible) I use this (together with setting the validation callback):
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
Upvotes: 202
Related Questions
- "Could not create SSL/TLS secure channel" while setting SecurityProtocol and ServerCertificateValidationCallback
- Could not create SSL/TLS secure channel only on Windows Server 2012
- Could not create SSL/TLS secure channel from .NET C#
- WebRequest Error - Could not create SSL/TLS secure channel
- Could not create SSL/TLS secure channel. SecureChannelFailure
- Could not create SSL/TLS secure channel even with certificate
- HTTP C# client: Could not create SSL/TLS secure channel
- SSL Webservice: Could not create SSL/TLS secure channel
- Error "Could not create SSL/TLS secure channel." despite manually setting TLS
- Getting "Could not establish secure channel for SSL/TLS with authority" even though ServerCertificateValidationCallback returns true