1

I'm trying to call an API on my server windows 2008 R2, but I keep getting this error : Could not create SSL/TLS secure channel

I'm launching the app as a Windows service, with the LocalSystem account.

I tried many things from some Question from Stack Overflow to get it started but none of these works:

  • With AppContext Switch

  • Without AppContext Switch

  • With only SSL Protocol 1.2 on Security protocol

  • Without SecurityProcotol changed

  • With ExpectContinue = 100

     //Config const string DontEnableSystemDefaultTlsVersions = @"Switch.System.Net.DontEnableSystemDefaultTlsVersions"; const string DontEnableSchUseStrongCryptoName = @"Switch.System.Net.DontEnableSchUseStrongCrypto"; const string DisableUsingServicePointManagerSecurityProtocols = @"Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols"; const string DontEnableSystemDefaultTlsVersionsServiceModel = @"Switch.System.ServiceModel.DontEnableSystemDefaultTlsVersions"; AppContext.SetSwitch(DontEnableSchUseStrongCryptoName, false); AppContext.SetSwitch(DontEnableSystemDefaultTlsVersions, true); AppContext.SetSwitch(DisableUsingServicePointManagerSecurityProtocols, false); AppContext.SetSwitch(DontEnableSystemDefaultTlsVersionsServiceModel, true); ServicePointManager.ServerCertificateValidationCallback = delegate { return true; }; ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; //API config and Call HttpWebRequest request = (HttpWebRequest)WebRequest.Create(message.Url); request.Credentials = CredentialCache.DefaultCredentials; request.Method = message.Method; System.Text.UTF8Encoding encoding = new System.Text.UTF8Encoding(); Byte[] byteArray = encoding.GetBytes(message.Content); request.ContentLength = byteArray.Length; request.ContentType = message.ContentType; request.UserAgent = message.UserAgent; request.Accept = message.Accept; using (Stream dataStream = request.GetRequestStream()) { dataStream.Write(byteArray, 0, byteArray.Length); }

The API need TLS 1.2+ to be called.

I have tested Internet Explorer to see if we can call TLS 1.2, and it seems that it can call, I used this https://browserleaks.com/ssl : BrowserLeak

I tried to call the API from Postman online (with Chrome) and the Postman app on the server, both are calling the API without an issue. Same with SoapUI, it works.

It works on my computer (Windows 10), it doesn't work on the server, with the same C# Code.

I tried to change the framework, 4.0, 4.5, 4.6, 4.8, doesn't seem to change something.

I have the SSL Handshake, but it doesn't help very much, it said that there was a Handshake failure (02 28):

 System.Net.Sockets Verbose: 0 : [51080] Exiting Socket#40535505::Send() -> Int32#174 ProcessId=46588 ThreadId=6 DateTime=2021-11-24T09:05:57.5541547Z System.Net.Sockets Verbose: 0 : [51080] Entering Socket#40535505::Receive() ProcessId=46588 ThreadId=6 DateTime=2021-11-24T09:05:57.5541547Z System.Net.Sockets Verbose: 0 : [51080] Data from Socket#40535505::Receive ProcessId=46588 ThreadId=6 DateTime=2021-11-24T09:05:57.6151608Z System.Net.Sockets Verbose: 0 : [51080] 00000000 : 15 03 03 00 02 : ..... ProcessId=46588 ThreadId=6 DateTime=2021-11-24T09:05:57.6151608Z System.Net.Sockets Verbose: 0 : [51080] Exiting Socket#40535505::Receive() -> Int32#5 ProcessId=46588 ThreadId=6 DateTime=2021-11-24T09:05:57.6151608Z System.Net.Sockets Verbose: 0 : [51080] Entering Socket#40535505::Receive() ProcessId=46588 ThreadId=6 DateTime=2021-11-24T09:05:57.6161609Z System.Net.Sockets Verbose: 0 : [51080] Data from Socket#40535505::Receive ProcessId=46588 ThreadId=6 DateTime=2021-11-24T09:05:57.6161609Z System.Net.Sockets Verbose: 0 : [51080] 00000005 : 02 28 : .( ProcessId=46588 ThreadId=6 DateTime=2021-11-24T09:05:57.6161609Z

The Cipher suite seems to be good, I have the first 3 Cipher suite that are required by the API on the beginning of the suite.

The API need the ISRG Root X1 Certificate, which is in the Trusted Root Certification Authorities store.

I used the tool from windows to modify the registry https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392 Which enabled the TLS 1.2, it wasn't activated in browserleaks before I launch the tool.

Also SSL 2.0 and SSL3.0 are disabled and TLS1.0, TLS1.1 and TLS1.2 are activated: Secure channel registry

I can't seem to find a solution to get it worked. How can I try to find a clue to the issue?

Improve this question
3
  • Have you tried with different credentials? Seems that the executing account on the server does not have enough permissions ... Commented Nov 24, 2021 at 16:28
  • @DimiTakis I'm lauching the app as a Windows service, with the LocalSystem account, should i try to change the account for the NetworkSystem account or another ? Commented Nov 26, 2021 at 8:37
  • Just create a local user account & let your app run under its context Commented Dec 5, 2021 at 9:40

1 Answer 1

Reset to default
1

We found the issue, the cipher suite required for the API isn't compatible with the windows server 2008 R2, we verified the cipher suite with

https://www.ssllabs.com/ssltest/ with the url of the api

then compared it with the cipher suites on the server located here :

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

and none of them were matching.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.