Could not create SSL/TLS secure channel for Facebook

Question

I've had social sign-in using Facebook implemented in Production for some time. As of this morning, it is no longer working for me. I am getting the same error in dev (which has no SSL) and in production, which is hosted on Azure Web Sites, and does use SSL.

Here's the error I'm seeing:

[WebException: The request was aborted: Could not create SSL/TLS secure channel.] System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request) +283 System.Net.WebClient.DownloadString(Uri address) +100 DotNetOpenAuth.AspNet.Clients.FacebookClient.QueryAccessToken(Uri returnUrl, String authorizationCode) +350 DotNetOpenAuth.AspNet.Clients.OAuth2Client.VerifyAuthentication(HttpContextBase context, Uri returnPageUrl) +202 DotNetOpenAuth.AspNet.OpenAuthSecurityManager.VerifyAuthentication(String returnUrl) +411 Microsoft.Web.WebPages.OAuth.OAuthWebSecurity.VerifyAuthenticationCore(HttpContextBase context, String returnUrl) +189 Microsoft.Web.WebPages.OAuth.OAuthWebSecurity.VerifyAuthentication(String returnUrl) +139

Anyone else seeing this? My Google login continues to work just fine.

Answer 1

As Igy said, this is due to SSLv3 being disabled by Facebook because of the POODLE exploit.

I had the same thing happen to an app that connects to Twitter. I fixed it by adding this line of code to use TLS. I'm not sure this is the best solution, but it works for now.

System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12

EDIT: Forgot to mention this, but I added that line to Application_Start of global.asax

Answer 2

Facebook has dropped support for SSL 3.0 across the Facebook Platform API and the Real-Time Updates API, after a vulnerability in the protocol was revealed publicly on October 14, 2014 ( http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html ).

Old versions of the PHP SDK (Facebook PHP SDK 3.1.1 and older) that used SSL 3.0 will now no longer work.

All developers should upgrade to Facebook SDK 3.2.3 or greater. SDK 4.0.0 is recommended.

• PHP SDK 3.2.3: https://developers.facebook.com/docs/reference/php/3.2.3
• PHP SDK 4.0.0: https://developers.facebook.com/docs/reference/php/4.0.0
• Dev Doc: https://developers.facebook.com/docs/apps/changelog#disable-ssl-v30

Answer 3

We have the same problem in a live environment. All accounts were changed at the same time:

• Facebook
• Twiter
• LinkedIn

For twitter I think only needed would be to update Twitterizer.dll or the latest 3rd party Twitter library and check the code changes.

for LinkedIn it would be interesting to use OAuthv2 (or the last one, I do not remember the version release) but i remember it is very very difficult to solve.

For Facebook the same, change the SDK to the last one and relearn the library changes.

October 15th 2014 was planned on August that this was going to happen.

regards,

Isy

Answer 4

why would setting the SecurityProtocol to TLS be a solution? .net should anyway negotiate the highest possible protocol with the server and if TLS is an option prefer that one over SSL, shouldn't it?!