The request was aborted: Could not create SSL/TLS secure channel

Question

.Net Class Library is based on 4.5 and using HtmlAgilityPack, I was calling an https URL and it was working fine.

After the website is updated and will not support old browsers which are not TLS v1.2 compliant. Getting the error -

Tried below article, still it is not working

https://kevinchalet.com/2019/04/11/forcing-an-old-net-application-to-support-tls-1-2-without-recompiling-it/

Answer

@SGH I have managed to resolve the issues on my server by updating the SSL Cipher Suire Order, i had mistakenly removed some of the suites that windows suggested was for TLS1.0 and 1.1 only when in actual fact they were needed for some TLS1.2 connections as well.

I resolved my issues by:

Open Run Prompt and run gpedit.msc
Navigate to "Administrative Templates > Network > SSL Configuration Settings"
Open SSL Cipher Suite Order
Select Enabled
Paste the list of suites below into the text box (make sure there are no spaces)
Click Apply
Restart the server

SSL SUITES:

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Note, these suites work for me but you may require other ones for different applications. You should be able to find a full list and more info on the suites here https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel?redirectedfrom=MSDN

I hope this helps to solve your issue

Answer

@SGH add below line prior to the service call
ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;

Answer

The error is generic and there are many reasons why the SSL/TLS negotiation may fail. ServicePointManager.SecurityProtocol property selects the version of the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol to use for new connections; existing c# connections aren't changed. Make sure the ServicePointManager settings are made before the HttpWebRequest is created, else it will not work. Also, you have to enable other security protocol versions to resolve this issue:

ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
SecurityProtocolType.Tls
SecurityProtocolType.Tls11
SecurityProtocolType.Ssl3;

//createing HttpWebRequest after ServicePointManager settings
HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://google.com/api/")

If you create HttpWebRequest before the ServicePointManager settings it will fail and shows the error message.

Answer

@SGH have you managed to resolve this yet? I'm having exactly the same issue windows server 2012 R2 with .net 4.8 application. If I try to force a tls1.3 connection I get the following message

Exception Details: System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm

I believe this is due to windows server 2012 not supporting tls1.3, if I force tls1.2 I get this instead

Exception Details: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.

The site I'm reading from only supports tls1.2 and 1.3 so I need to make it work with this.

One of the things I recently changed was the SSL Cipher Suite Order, I haven't figured out if this has affected it or not just yet but this is my next point to look at if it helps. I will post another update if I fix it.

Answer

@SGH How did you solve this issue?

The request was aborted: Could not create SSL/TLS secure channel

6 answers