无法创建 SSL/TLS 安全通道。 安全通道故障

Question

I'm getting an SSL error when making a SOAP call with an SSL certificate:

The request was aborted: Could not create SSL/TLS secure channel.

The weird thing is that if I load the certificate in Firefox and visit the endpoint or make a call to the API without sending any data, I don't get any error message and it connects successfully. The company exposing the API has also mentioned that the certificate is kosher.

The certificate I'm loading has full privileges to "Everyone". I've tried every solution I've seen on the internet but still getting the error.

Here is my code that creates the request:

 ServicePointManager.Expect100Continue = true;
 ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
 var request = (HttpWebRequest)WebRequest.Create(plugin.EndPoint);
 request.ContentType = "text/xml; charset=utf-8";
 request.Method = "POST";

The code to get the certificate (I've also tried with a pfx):

var cert = new 
 509Certificate2(@"C:\clientcert.p12", "FakePassword");
request.ClientCertificates.Add(cert);

and the code for the request:

  byte[] byteArray = Encoding.UTF8.GetBytes(xml);
    request.ContentLength = byteArray.Length;
    using (var dataStream = request.GetRequestStream())
                {
                    dataStream.Write(byteArray, 0, byteArray.Length);
                    dataStream.Close();


                    using (WebResponse response = request.GetResponse())
                    {
                        using (var responseStream = response.GetResponseStream())
                        {
                            StreamReader reader = 
new StreamReader(responseStream ?? throw new InvalidOperationException());
                            return reader.ReadToEnd();
                        }
                    }

                }

Edit:

Here is the trace output from running the request:

System.Net Information: 0 : [11844] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=CertUnknown). System.Net Error: 0 : [11844] Exception in HttpWebRequest#63832831:: - The request was aborted: Could not create SSL/TLS secure channel.. System.Net Error: 0 : [11844] Exception in HttpWebRequest#63832831::EndGetRequestStream - The request was aborted: Could not create SSL/TLS secure channel..

I also changed the SecurityProtocol:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; 

Second Edit: I can get it to work in SoapUI but not in the .NET application by just loading the SSL certificate from the file system in SOAP UI.

Answer 1

Out of interest, your app is using the TLS 1.0, 1.1 and 1.2 protocols, but is its use enabled in Internet Explorer?

If it's not in the web.config, add it

<appSettings>
    <add key="SecurityProtocol" value="Tls12" />
</appSettings>

Then also check it's enabled in IE in the advanced settings tab: "Use TLS 1.2"

Answer 2

Your SSL certificate is signed by a root certificate that isn't installed in Windows.

Firefox ships with it's own trusted root cert list that contains the root cert for the cert you're using. Just because Firefox trusts a cert doesn't mean that Windows trusts it.

The solution is to install your cert's root cert or cert chain on the computer running your app.

https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-create-temporary-certificates-for-use-during-development

If this is an app with a wide audience, an easier solution is to switch to an SSL provider that already uses a root cert that ships with Windows.

Answer 3

Sometimes I have this error as well. The steps I take to overcome this problem are as follows:

1. Export your certificate from IIS
2. Double click the certificate and follow the wizard
3. Store location 'Local machine' next ->
4. Fill in the password you have picked during the export
5. Check the option to place the certificate in a store and choose your 'Trusted Root Certification Authorities'
6. Finish -> to check if the import was successful type in 'Windows search' 'certmgr.msc' navigate to the 'Trusted Root Certification Authorities' and then the certificates folder. The imported certificate should be present.
7. Test with your application.

I hope it helps