Tags: c#, .net, xml, httpwebrequest, tls1.2

SChannel error: The request was aborted: Could not create SSL/TLS secure channel


I am trying to access and consume the XML at the following site: https://www.dhs.gov/ntas/1.1/alerts.xml. However, I keep getting the message: 'The request was aborted: Could not create SSL/TLS secure channel.' when I run my application on our dev server. I do not see anything in our server's event logs.

Strangely, when I access the feed from my localhost, it works fine.

My application is using .Net framework 4.6.2. As I understand, it should support TLS12 by default (unless I am wrong). When I surf directly to the link, the browsers I tried -- Chrome, Firefox, Edge -- can access and display the XML successfully. IE11 is the exception and cannot display it.

I have tried adding TLS12 support manually in the following ways:

  • ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072

  • ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

  • ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12

  • ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072 | (SecurityProtocolType)768 | SecurityProtocolType.Tls;

Here is the code I am using. As noted above this works on localhost.

    // Required namespaces for this fragment.
    using System.IO;
    using System.Net;
    using System.Xml;

    // NTASUri holds the feed URL (https://www.dhs.gov/ntas/1.1/alerts.xml).
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create(NTASUri);
    request.UserAgent = Request.ServerVariables["HTTP_USER_AGENT"];

    // Dispose the response, stream and reader so the connection is released.
    using (WebResponse response = request.GetResponse())
    using (Stream dataStream = response.GetResponseStream())
    using (StreamReader reader = new StreamReader(dataStream))
    {
        string responseFromServer = reader.ReadToEnd();

        XmlDocument xmlDoc = new XmlDocument();
        xmlDoc.LoadXml(responseFromServer);

        return xmlDoc.InnerXml;
    }

Does anyone have any ideas on what can be done to get this working?


Solution

  • My systems person ended up figuring this out, thankfully. We are now able to consume the feed on our server.

    In the registry, the cipher suites listed under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002\ key were limited to only a subset of those supported by Windows.

    Deleting the Functions string value, which specifies a set of cipher suites, returns the Windows client to the default behavior/order.

    Further information:

    https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs

    https://www.windows-security.org/2c488aac52906551ff218fd5c2bdaddc/ssl-cipher-suite-order

    Hope this helps someone else in this situation.
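The following diagnostic is an added example, not part of the original question or answer. It reads the Functions value under the registry key named in the answer and then lists what Schannel can currently negotiate, so an administrator can see whether any TLS 1.2-capable suite is left before and after removing the restriction. It assumes Windows 8.1 / Server 2012 R2 or later (where the Get-TlsCipherSuite cmdlet exists) and read access to the key.

```powershell
# Added diagnostic (not from the original post): does the local cipher suite
# restriction leave any TLS 1.2-capable suite enabled for Schannel?
# Assumes Windows 8.1 / Server 2012 R2 or later, where Get-TlsCipherSuite exists.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

# 1. Is a 'Functions' restriction present at all?
$functions = (Get-ItemProperty -Path $keyPath -Name 'Functions' -ErrorAction SilentlyContinue).Functions
if ($null -eq $functions) {
    Write-Host "No 'Functions' value under $keyPath : Schannel uses its default suite list."
} else {
    # A locally set value is REG_MULTI_SZ (string[]); a Group Policy value is a
    # comma-separated REG_SZ under a different key, so accept either shape here.
    if ($functions -is [string]) { $functions = $functions -split ',' }
    Write-Host "'Functions' restricts Schannel to $($functions.Count) suite(s):"
    $functions | ForEach-Object { "  $($_.Trim())" }
}

# 2. What Schannel can negotiate right now, grouped by protocol version.
#    Protocols holds TLS version numbers: 769 = TLS 1.0, 770 = TLS 1.1, 771 = TLS 1.2.
$enabled = @(Get-TlsCipherSuite)
$tls12   = @($enabled | Where-Object { $_.Protocols -contains 771 })
Write-Host "`nEnabled suites: $($enabled.Count); usable with TLS 1.2: $($tls12.Count)"

if ($tls12.Count -eq 0) {
    # With no overlapping TLS 1.2 suite, a server that requires TLS 1.2 cannot complete
    # the handshake and the client reports "Could not create SSL/TLS secure channel".
    Write-Host 'No TLS 1.2 suite is enabled on this machine.'
} else {
    $tls12 | Select-Object Name, @{ n = 'Protocols'; e = { $_.Protocols -join ',' } } |
        Format-Table -AutoSize
}

# Removing the 'Functions' value (the fix in the accepted answer) restores the default
# list; re-run this script afterwards to confirm that TLS 1.2 suites reappear.
```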