无法从 .NET C# 创建 SSL/TLS 安全通道

Question

I'm trying to call an API on my server windows 2008 R2, but I keep getting this error: Could not create SSL/TLS secure channel

I'm launching the app as a Windows service, with the LocalSystem account.

I tried many things from some Question from Stack Overflow to get it started but none of these works:

• With AppContext Switch

• Without AppContext Switch

• With only SSL Protocol 1.2 on Security protocol

• Without SecurityProcotol changed

• With ExpectContinue = 100

   //Config const string DontEnableSystemDefaultTlsVersions = @"Switch.System.Net.DontEnableSystemDefaultTlsVersions"; const string DontEnableSchUseStrongCryptoName = @"Switch.System.Net.DontEnableSchUseStrongCrypto"; const string DisableUsingServicePointManagerSecurityProtocols = @"Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols"; const string DontEnableSystemDefaultTlsVersionsServiceModel = @"Switch.System.ServiceModel.DontEnableSystemDefaultTlsVersions"; AppContext.SetSwitch(DontEnableSchUseStrongCryptoName, false); AppContext.SetSwitch(DontEnableSystemDefaultTlsVersions, true); AppContext.SetSwitch(DisableUsingServicePointManagerSecurityProtocols, false); AppContext.SetSwitch(DontEnableSystemDefaultTlsVersionsServiceModel, true); ServicePointManager.ServerCertificateValidationCallback = delegate { return true; }; ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; //API config and Call HttpWebRequest request = (HttpWebRequest)WebRequest.Create(message.Url); request.Credentials = CredentialCache.DefaultCredentials; request.Method = message.Method; System.Text.UTF8Encoding encoding = new System.Text.UTF8Encoding(); Byte[] byteArray = encoding.GetBytes(message.Content); request.ContentLength = byteArray.Length; request.ContentType = message.ContentType; request.UserAgent = message.UserAgent; request.Accept = message.Accept; using (Stream dataStream = request.GetRequestStream()) { dataStream.Write(byteArray, 0, byteArray.Length); }

The API need TLS 1.2+ to be called.

I have tested Inte.net Explorer to see if we can call TLS 1.2, and it seems that it can call, I used this https://browserleaks.com/ssl : BrowserLeak

I tried to call the API from Postman online (with Chrome) and the Postman app on the server, both are calling the API without an issue. Same with SoapUI, it works.

It works on my computer (Windows 10), it doesn't work on the server, with the same C# Code.

I tried to change the framework, 4.0, 4.5, 4.6, 4.8, doesn't seem to change something.

I have the SSL Handshake, but it doesn't help very much, it said that there was a Handshake failure (02 28):

    System.Net.Sockets Verbose: 0 : [51080] Exiting Socket#40535505::Send()     -> Int32#174
    ProcessId=46588
    ThreadId=6
    DateTime=2021-11-24T09:05:57.5541547Z
System.Net.Sockets Verbose: 0 : [51080] Entering Socket#40535505::Receive()
    ProcessId=46588
    ThreadId=6
    DateTime=2021-11-24T09:05:57.5541547Z
System.Net.Sockets Verbose: 0 : [51080] Data from Socket#40535505::Receive
    ProcessId=46588
    ThreadId=6
    DateTime=2021-11-24T09:05:57.6151608Z
System.Net.Sockets Verbose: 0 : [51080] 00000000 : 15 03 03 00 02                                  : .....
    ProcessId=46588
    ThreadId=6
    DateTime=2021-11-24T09:05:57.6151608Z
System.Net.Sockets Verbose: 0 : [51080] Exiting Socket#40535505::Receive()  -> Int32#5
    ProcessId=46588
    ThreadId=6
    DateTime=2021-11-24T09:05:57.6151608Z
System.Net.Sockets Verbose: 0 : [51080] Entering Socket#40535505::Receive()
    ProcessId=46588
    ThreadId=6
    DateTime=2021-11-24T09:05:57.6161609Z
System.Net.Sockets Verbose: 0 : [51080] Data from Socket#40535505::Receive
    ProcessId=46588
    ThreadId=6
    DateTime=2021-11-24T09:05:57.6161609Z
System.Net.Sockets Verbose: 0 : [51080] 00000005 : 02 28                                           : .(
    ProcessId=46588
    ThreadId=6
    DateTime=2021-11-24T09:05:57.6161609Z

The Cipher suite seems to be good, I have the first 3 Cipher suite that are required by the API on the beginning of the suite.

The API need the ISRG Root X1 Certificate, which is in the Trusted Root Certification Authorities store.

I used the tool from windows to modify the registry https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392 Which enabled the TLS 1.2, it wasn't activated in browserleaks before I launch the tool.

Also SSL 2.0 and SSL3.0 are disabled and TLS1.0, TLS1.1 and TLS1.2 are activated: Secure channel registry

I can't seem to find a solution to get it worked. How can I try to find a clue to the issue?

Answer 1

We found the issue, the cipher suite required for the API isn't compatible with the windows server 2008 R2, we verified the cipher suite with

https://www.ssllabs.com/ssltest/ with the url of the api

then compared it with the cipher suites on the server located here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

and none of them were matching.