Tags: c#, asp.net, iis, tls1.2

TLS/SSL handshake failing on IIS hosted app


I know this is a topic asked many times, yet none of the already provided answers helped me.

I have an ASP.NET Web API on .NET Framework 4.7.2. From one of the controllers an HTTP request is made that fails every time when hosted on IIS, but not in debug.

On the Windows Server 2008 where IIS is hosted:

  • TLS 1.2 is turned on in the registry
  • Strong Encryption is turned on in the registry
  • Certificate of target URL is in a trusted store

This is how the client is created:

    // Handler with gzip/deflate decompression, no proxy
    _clientHandler = new WebRequestHandler() { AutomaticDecompression = System.Net.DecompressionMethods.Deflate | System.Net.DecompressionMethods.GZip };
    // Accepts any server certificate; this does not run here, because the failure happens before the server certificate is validated
    _clientHandler.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
    _clientHandler.Proxy = null;
    _clientHandler.UseProxy = false;

    _client = new HttpClient(_clientHandler);

This is the request message:

    using (var message = new HttpRequestMessage(HttpMethod.Post, url))
    {
        message.Headers.TryAddWithoutValidation("Content-Type", "application/x-www-form-urlencoded");

        using (var content = CreateUrlContent(request))
        {
            message.Content = content;

            // The SendAsync call is where the SecureChannelFailure surfaces
            using (var response = await _client.SendAsync(message, HttpCompletionOption.ResponseHeadersRead))
            {
                return await Deserialize<Models.Token.AccessTokenResponse>(response);
            }
        }
    }

Now the exception returned is:

    {
        "Type": "System.Net.Http.HttpRequestException",
        "Message": "An error occurred while sending the request.",
        "Data": {},
        "InnerException": {
            "Type": "System.Net.WebException",
            "Status": "SecureChannelFailure",
            "Message": "The request was aborted: Could not create SSL\/TLS secure channel.",
            "Data": {},
            "TargetSite": "System.IO.Stream EndGetRequestStream(System.IAsyncResult, System.Net.TransportContext ByRef)",
            "StackTrace": "   at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)\r\n   at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)",
            "Source": "System",
            "HResult": -2146233079
        }
    }

Now here is the trace for the failure (I have renamed the real URL/IP and removed the secret key):

    System.Net Information: 0 : [7608] Current OS installation type is 'Server'.
    System.Net Verbose: 0 : [5424] Entering HttpWebRequest#45858001::HttpWebRequest(https://secret.Url.To.Hide.Com/token#1252827567)
    System.Net Information: 0 : [5424] RAS supported: True
    System.Net Verbose: 0 : [5424] Exiting HttpWebRequest#45858001::HttpWebRequest() 
    System.Net Verbose: 0 : [5424] Entering HttpWebRequest#45858001::HttpWebRequest(uri: 'https://secret.Url.To.Hide.Com/token', connectionGroupName: '42319532')
    System.Net Verbose: 0 : [5424] Exiting HttpWebRequest#45858001::HttpWebRequest() 
    System.Net Verbose: 0 : [5424] Entering ServicePoint#54863560::ServicePoint(secret.Url.To.Hide.Com:443)
    System.Net Information: 0 : [5424] Associating HttpWebRequest#45858001 with ServicePoint#54863560
    System.Net Verbose: 0 : [6548] Entering HttpWebRequest#45858001::BeginGetRequestStream()
    System.Net Information: 0 : [6548] Associating Connection#7412602 with HttpWebRequest#45858001
    System.Net.Sockets Verbose: 0 : [6548] Entering Socket#63549928::Socket(AddressFamily#2)
    System.Net.Sockets Verbose: 0 : [6548] Exiting Socket#63549928::Socket() 
    System.Net.Sockets Verbose: 0 : [6548] Entering Socket#47270543::Socket(AddressFamily#23)
    System.Net.Sockets Verbose: 0 : [6548] Exiting Socket#47270543::Socket() 
    System.Net.Sockets Verbose: 0 : [6548] Entering DNS::TryInternalResolve(secret.Url.To.Hide.Com)
    System.Net.Sockets Verbose: 0 : [6548] Entering Socket#63549928::BeginConnectEx()
    System.Net.Sockets Verbose: 0 : [6548] Entering Socket#63549928::InternalBind(0.0.0.0:0#0)
    System.Net.Sockets Verbose: 0 : [6548] Exiting Socket#63549928::InternalBind() 
    System.Net.Sockets Verbose: 0 : [6548] Exiting Socket#63549928::BeginConnectEx()    -> ConnectOverlappedAsyncResult#3708755
    System.Net Verbose: 0 : [6548] Exiting HttpWebRequest#45858001::BeginGetRequestStream()     -> ContextAwareResult#31973720
    System.Net.Sockets Verbose: 0 : [3268] Entering Socket#63549928::EndConnect(ConnectOverlappedAsyncResult#3708755)
    System.Net.Sockets Verbose: 0 : [3268] Entering Socket#63549928::InternalEndConnect(ConnectOverlappedAsyncResult#3708755)
    System.Net.Sockets Information: 0 : [3268] Socket#63549928 - Created connection from 10.3.18.21:49787 to 193.86.xx.xxx:443.
    System.Net.Sockets Verbose: 0 : [3268] Exiting Socket#63549928::InternalEndConnect() 
    System.Net.Sockets Verbose: 0 : [3268] Exiting Socket#63549928::EndConnect() 
    System.Net.Sockets Verbose: 0 : [3268] Entering Socket#47270543::Close()
    System.Net.Sockets Verbose: 0 : [3268] Entering Socket#47270543::Dispose()
    System.Net.Sockets Verbose: 0 : [3268] Exiting Socket#47270543::Close() 
    System.Net Information: 0 : [3268] Connection#7412602 - Created connection from 10.3.18.21:49787 to 193.86.xx.xxx:443.
    System.Net Information: 0 : [3268] TlsStream#19483210::.ctor(host=secret.Url.To.Hide.Com, #certs=0, checkCertificateRevocationList=False, sslProtocols=None)
    System.Net Information: 0 : [3268] Associating HttpWebRequest#45858001 with ConnectStream#23811154
    System.Net Information: 0 : [3268] HttpWebRequest#45858001 - Request: POST /token HTTP/1.1
    
    System.Net Information: 0 : [3268] ConnectStream#23811154 - Sending headers
    {
    Authorization: Basic YOU DO NOT NEED TO SEE SECRET KEY HERE
    Content-Type: application/x-www-form-urlencoded
    Host: secret.Url.To.Hide.Com
    Content-Length: 289
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    }.
    System.Net Information: 0 : [3268] SecureChannel#21312719::.ctor(hostname=secret.Url.To.Hide.Com, #clientCertificates=0, encryptionPolicy=RequireEncryption)
    System.Net Information: 0 : [3268] Enumerating security packages:
    System.Net Information: 0 : [3268]     Negotiate
    System.Net Information: 0 : [3268]     NegoExtender
    System.Net Information: 0 : [3268]     Kerberos
    System.Net Information: 0 : [3268]     NTLM
    System.Net Information: 0 : [3268]     Schannel
    System.Net Information: 0 : [3268]     Microsoft Unified Security Protocol Provider
    System.Net Information: 0 : [3268]     WDigest
    System.Net Information: 0 : [3268]     TSSSP
    System.Net Information: 0 : [3268]     pku2u
    System.Net Information: 0 : [3268]     CREDSSP
    System.Net Information: 0 : [3268] SecureChannel#21312719 - Left with 0 client certificates to choose from.
    System.Net Information: 0 : [3268] SecureChannel#21312719::.AcquireClientCredentials, new SecureCredential() (flags=(ValidateManual, NoDefaultCred, SendAuxRecord, UseStrongCrypto), m_ProtocolFlags=(Zero), m_EncryptionPolicy=RequireEncryption)
    System.Net Information: 0 : [3268] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
    System.Net Information: 0 : [3268] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = secret.Url.To.Hide.Com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
    System.Net Information: 0 : [3268] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=164, returned code=ContinueNeeded).
    System.Net.Sockets Verbose: 0 : [3268] Entering Socket#63549928::BeginSend()
    System.Net.Sockets Verbose: 0 : [3268] Exiting Socket#63549928::BeginSend()     -> OverlappedAsyncResult#55998275
    System.Net.Sockets Verbose: 0 : [9712] Data from Socket#63549928::PostCompletion
    System.Net.Sockets Verbose: 0 : [9712] 00000000 : 16 03 03 00 9F 01 00 00-9B 03 03 62 3C 1A 7E 16 : ...........b<.~.
    System.Net.Sockets Verbose: 0 : [9712] 00000010 : E3 DC 6F 9F 75 12 6F E1-2B 57 9E CB 88 6E 45 62 : ..o.u.o.+W...nEb
    System.Net.Sockets Verbose: 0 : [9712] 00000020 : C8 2B F2 7A 1A 9C 7D 72-F1 CA 22 00 00 20 C0 28 : .+.z..}r..".. .(
    System.Net.Sockets Verbose: 0 : [9712] 00000030 : C0 27 C0 14 C0 13 C0 2C-C0 2B C0 24 C0 23 C0 0A : .'.....,.+.$.#..
    System.Net.Sockets Verbose: 0 : [9712] 00000040 : C0 09 00 9D 00 9C 00 3D-00 3C 00 35 00 2F 01 00 : .......=.<.5./..
    System.Net.Sockets Verbose: 0 : [9712] 00000050 : 00 52 00 00 00 1B 00 19-00 00 16 6F 69 64 63 2E : .R.........oidc.
    System.Net.Sockets Verbose: 0 : [9712] 00000060 : 73 61 6E 64 62 6F 78 2E-62 61 6E 6B 69 64 2E 63 : sandbox.bankid.c
    System.Net.Sockets Verbose: 0 : [9712] 00000070 : 7A 00 0A 00 08 00 06 00-19 00 18 00 17 00 0B 00 : z...............
    System.Net.Sockets Verbose: 0 : [9712] 00000080 : 02 01 00 00 0D 00 14 00-12 06 01 06 03 04 01 05 : ................
    System.Net.Sockets Verbose: 0 : [9712] 00000090 : 01 02 01 04 03 05 03 02-03 02 02 00 17 00 00 FF : ................
    System.Net.Sockets Verbose: 0 : [9712] 000000A0 : 01 00 01 00                                     : ....
    System.Net.Sockets Verbose: 0 : [9712] Entering Socket#63549928::EndSend(OverlappedAsyncResult#55998275)
    System.Net.Sockets Verbose: 0 : [9712] Exiting Socket#63549928::EndSend()   -> Int32#164
    System.Net.Sockets Verbose: 0 : [9712] Entering Socket#63549928::BeginReceive()
    System.Net.Sockets Verbose: 0 : [9712] Exiting Socket#63549928::BeginReceive()  -> OverlappedAsyncResult#29428925
    System.Net.Sockets Verbose: 0 : [9712] Data from Socket#63549928::PostCompletion
    System.Net.Sockets Verbose: 0 : [9712] 00000000 : 15 03 03 00 02                                  : .....
    System.Net.Sockets Verbose: 0 : [9712] Entering Socket#63549928::EndReceive(OverlappedAsyncResult#29428925)
    System.Net.Sockets Verbose: 0 : [9712] Exiting Socket#63549928::EndReceive()    -> Int32#5
    System.Net.Sockets Verbose: 0 : [9712] Entering Socket#63549928::BeginReceive()
    System.Net.Sockets Verbose: 0 : [9712] Exiting Socket#63549928::BeginReceive()  -> OverlappedAsyncResult#23934571
    System.Net.Sockets Verbose: 0 : [8176] Data from Socket#63549928::PostCompletion
    System.Net.Sockets Verbose: 0 : [8176] 00000000 : 02 28                                           : .(
    System.Net.Sockets Verbose: 0 : [8176] Entering Socket#63549928::EndReceive(OverlappedAsyncResult#23934571)
    System.Net.Sockets Verbose: 0 : [8176] Exiting Socket#63549928::EndReceive()    -> Int32#2
    System.Net Information: 0 : [8176] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = bc0e160:3343330, targetName = secret.Url.To.Hide.Com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
    System.Net Information: 0 : [8176] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
    System.Net.Sockets Verbose: 0 : [8176] Entering Socket#63549928::Dispose()
    System.Net Error: 0 : [8176] Exception in HttpWebRequest#45858001:: - The request was aborted: Could not create SSL/TLS secure channel..
    System.Net Verbose: 0 : [8176] Entering HttpWebRequest#45858001::EndGetRequestStream()
    System.Net Error: 0 : [8176] Exception in HttpWebRequest#45858001::EndGetRequestStream - The request was aborted: Could not create SSL/TLS secure channel..
    System.Net Information: 0 : [7504] ServicePoint#54863560::CloseConnectionGroupInternal(42319532)
    System.Net Information: 0 : [7504] ServicePoint#54863560::CloseConnectionGroupHelper(connectionGroupName=42319532, closeInternal=True)
    System.Net Information: 0 : [7504] ServicePoint#54863560::ReleaseConnectionGroup(42319532S>I>&<>c#55601314::<.ctor>b__19_0)
    System.Net Information: 0 : [7504] ServicePoint#54863560::ReleaseConnectionGroup, returning(true)
    System.Net Information: 0 : [7504] ServicePoint#54863560::CloseConnectionGroupHelper, returning(True)
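To read the trace above instead of guessing at it, here is an added Python example (not from the question, nor from any .NET library) that decodes the System.Net hex-dump lines: it reassembles the bytes, parses the TLS record header, the ClientHello version and cipher-suite list, and the server's alert. The embedded dump lines are copied from the trace above (the ClientHello only as far as the cipher-suite list), so the suite count and alert code come straight from the bytes.

```python
import re

# Hex dump lines copied from the System.Net trace in the question: the first five
# lines of the ClientHello (through the cipher-suite list) and the server's reply.
CLIENT_HELLO_DUMP = """
00000000 : 16 03 03 00 9F 01 00 00-9B 03 03 62 3C 1A 7E 16 : ...........b<.~.
00000010 : E3 DC 6F 9F 75 12 6F E1-2B 57 9E CB 88 6E 45 62 : ..o.u.o.+W...nEb
00000020 : C8 2B F2 7A 1A 9C 7D 72-F1 CA 22 00 00 20 C0 28 : .+.z..}r..".. .(
00000030 : C0 27 C0 14 C0 13 C0 2C-C0 2B C0 24 C0 23 C0 0A : .'.....,.+.$.#..
00000040 : C0 09 00 9D 00 9C 00 3D-00 3C 00 35 00 2F 01 00 : .......=.<.5./..
"""
SERVER_REPLY_DUMP = """
00000000 : 15 03 03 00 02                                  : .....
00000000 : 02 28                                           : .(
"""
CONTENT_TYPES = {0x15: "alert", 0x16: "handshake"}
VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
# RFC 5246 alert codes: 40 = no acceptable parameters in the ClientHello, 70 = version mismatch
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version"}

def dump_to_bytes(dump):
    """Pull the hex column out of each 'OFFSET : HEX : ASCII' trace line."""
    hexcol = re.compile(r"[0-9A-F]{8} : ((?:[0-9A-F]{2}[ -])+)")
    chunks = [m.group(1) for m in map(hexcol.search, dump.splitlines()) if m]
    return bytes.fromhex(" ".join(chunks).replace("-", " "))

def decode_record(data):
    """Decode one TLS record header plus an Alert or ClientHello body."""
    ctype, body = data[0], data[5:]
    out = {"type": CONTENT_TYPES.get(ctype, hex(ctype)),
           "record_version": VERSIONS.get((data[1], data[2]), "?")}
    if ctype == 0x15:
        out["level"] = "fatal" if body[0] == 2 else "warning"
        out["description"] = ALERT_DESCRIPTIONS.get(body[1], str(body[1]))
    elif ctype == 0x16 and body[0] == 1:  # handshake type 1 = ClientHello
        out["client_version"] = VERSIONS.get((body[4], body[5]), "?")
        pos = 39 + body[38]  # past 4-byte header, version, 32-byte random, session id
        cs_len = int.from_bytes(body[pos:pos + 2], "big")
        out["cipher_suites"] = [int.from_bytes(body[i:i + 2], "big")
                                for i in range(pos + 2, pos + 2 + cs_len, 2)]
    return out

def diagnose(client_dump, server_dump):
    """One-line reading of what the client offered and how the server answered."""
    hello = decode_record(dump_to_bytes(client_dump))
    reply = decode_record(dump_to_bytes(server_dump))
    if reply["type"] != "alert":
        return "server did not answer with an alert"
    return (f"client offered {hello['client_version']} with {len(hello['cipher_suites'])} "
            f"cipher suites; server answered a {reply['level']} {reply['description']} alert")
```

Running `diagnose(CLIENT_HELLO_DUMP, SERVER_REPLY_DUMP)` on the trace bytes shows a TLS 1.2 ClientHello with 16 suites answered by a fatal handshake_failure (40) alert, which is the server rejecting the offered parameters rather than reporting a version mismatch (70).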

Solution

  • I don't think that TLS 1.2 is turned on on the server, even though you set it in the registry.

    These docs show that Windows Server 2008 doesn't support TLS 1.2.

    When the server doesn't support the TLS version the client needs, this message will also be reported. So you need to update the server to 2012 or 2016. Server 2019 and 2022 are better. Then check whether the TLS connection can be created.