Search code examples
asp.netvb.netgithubxmlreader

XmlReader.Create error "Could not create SSL/TLS secure channel"

On my ASP.net-based website I am aggregating feeds of my activities from several website. One of those is the GitHub feed at https://github.com/lucamauri.atom: this is a valid feed correctly readable using a web browser and it properly worked on my website since a couple of weeks ago. Since then, it started generating errors

In the code I first create and XMLReader and then I load it in a SyndicationFeed object as follows:

Dim TempReader As System.Xml.XmlReader = System.Xml.XmlReader.Create(TempString)
Dim SyndFeed As SyndicationFeed = SyndicationFeed.Load(TempReader)
Dim TempItems As New List(Of SyndicationItem)
TempItems.AddRange(SyndFeed.Items.ToList.GetRange(0, Math.Min(CurrentFeed.TotalElements, SyndFeed.Items.Count)))

This works properly with several feeds, but the GitHub one now generate a TLS error on the first row of the above code:

System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.GetResponse() at System.Xml.XmlDownloadManager.GetNonFileStream(Uri uri, ICredentials credentials, IWebProxy proxy, RequestCachePolicy cachePolicy)
at System.Xml.XmlDownloadManager.GetStream(Uri uri, ICredentials credentials, IWebProxy proxy, RequestCachePolicy cachePolicy)
at System.Xml.XmlUrlResolver.GetEntity(Uri absoluteUri, String role, Type ofObjectToReturn)
at System.Xml.XmlTextReaderImpl.FinishInitUriString() at System.Xml.XmlTextReaderImpl..ctor(String uriStr, XmlReaderSettings settings, XmlParserContext context, XmlResolver uriResolver)
at System.Xml.XmlReaderSettings.CreateReader(String inputUri, XmlParserContext inputContext)
at System.Xml.XmlReader.Create(String inputUri, XmlReaderSettings settings, XmlParserContext inputContext)
at System.Xml.XmlReader.Create(String inputUri)

I use the same code with other HTTPS feeds (https://stackoverflow.com/feeds/user/69295 just to name one) and I do not get the error. So this is something specific to the GitHub feed, but then again I can reach it from a browser on the same machine where I run the website, so I am lost at it.

Any idea on the cause of the issue?

Solution

  • The server is in control of the protocol that is ultimately negotiated. The Stackoverflow server is requiring only TLS v1 as shown in the wireshark capture below. This trace was done on .Net framework version 4.

    The Github feed refuses anything below TLS v1.2 and therefore fails on .Net 4.0 because that version is not available by default.

    enter image description here

    You can work around it by setting the SecurityProtocol on the ServicePointManager, if you have .Net 4.5+ installed on the same computer. If you don't, then you simply cannot make the request.

    You do this by using the numeric value for the SecurityProtocol instead of the enumeration value which is not available on .Net 4.

    ServicePointManager.SecurityProtocol = DirectCast(3072, SecurityProtocolType)

    enter image description here

    Having done this, you can now negotiate TLS 1.2 even on .Net 4. However, if you can, just upgrade to a newer framework version to make it easy.

    Update

    There is a patch available for .Net 3.5:

    https://support.microsoft.com/en-us/help/3154520/support-for-tls-system-default-versions-included-in-the-net-framework