The request was aborted: Could not create SSL/TLS secure channel exception calling openai api from windows 2012 R2 server

Question

In a C# DOTNET 4.8 ASP.NET MVC 5 project running on a Windows 2012 R2 server, I call OpenAi API (v1/chat/completions) using the RestSharp.RestClient like this:

ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

var client = new RestClient("[link to openai]");
var request = new RestRequest { Method = Method.Post };
request.AddParameter("application/json", body, ParameterType.RequestBody);
request.AddHeader("Authorization", $"Bearer {OpenAiApiKey}");

var response = await client.ExecuteAsync(request);
return response.Content;

On my localhost (Windows 10), response.Content contains what I expect, with no errors.

On the production machine, the response contains the exception: “The request was aborted: Could not create SSL/TLS secure channel.” (The call worked on the server not long ago).

ChatGPT suggests to enable TLS 1.2 in the registry:

Enable TLS 1.2 explicitly on the server > modify the registry settings:

• Navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
• Create a new key under "Protocols" called "TLS 1.2" if it doesn't already exist.
• Under the "TLS 1.2" key, create a new key called "Client".
• Under the "Client" key, create a new DWORD value called "DisabledByDefault" and set its value to 0.
• Under the "Client" key, create a new DWORD value called "Enabled" and set its value to 1.
• Restart the server for the changes to take effect.

Does the ChatGPT suggestion check out?

What am I missing?

/Morten

This is what the Internet options look like:

According to this post (Could not create SSL/TLS secure channel from .NET C#) one problem could be missing cipher suites as listed in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

I'm unsure how to interpret the ssllabs.com analysis vis-a-vis the server's cipher suites.

I ran this powershell code (from this thread: Default SecurityProtocol in .NET 4.5):

$runtimeVersion = [System.Diagnostics.FileVersionInfo]::GetVersionInfo([System.Int32].Assembly.Location).ProductVersion
Write-Host "Runtime: $runtimeVersion"

$enabledProtocols = [System.Net.ServicePointManager]::SecurityProtocol
Write-Host "Enabled protocols: $enabledProtocols"

Write-Host "Available protocols: "
$platformSupportsTls12 = $false
foreach ($protocol in [Enum]::GetValues([System.Net.SecurityProtocolType])) {
    $protocolValue = [int]$protocol
    Write-Host $protocolValue
    if ($protocolValue -eq 3072) {
        $platformSupportsTls12 = $true
    }
}

$isTls12Enabled = [System.Net.ServicePointManager]::SecurityProtocol.HasFlag([System.Net.SecurityProtocolType]::Tls12)
Write-Host "Is Tls12 enabled: $isTls12Enabled"

And the results were: Runtime: 4.8.4645.0 Enabled protocols: Ssl3, Tls Available protocols: 0 48 192 768 3072 12288 Is Tls12 enabled: False

So it seems I must enable Tls12 on the server (looking into the ways to enable thishttps://stackoverflow.com/questions/28286086/default-securityprotocol-in-net-4-5/28333370#28333370) ...

IIS Crypto 3.3 results appear to allow TLS12, which runs counter to the powershell result:

$isTls12Enabled = [System.Net.ServicePointManager]::SecurityProtocol.HasFlag([System.Net.SecurityProtocolType]::Tls12)

$isTls12Enabled = False

Not sure what to make of this...

Both Internet Explorer 11 and Firefox appear to be able to communicate via TLS12. Internet Explorer appears also to support TLS10 and TLS11: