TLS connection handshake Failure

Question

We have difficulties to make https connections to the remote machines (like PayPal vb.) who disabled SSL3 protocol from our .Net application. We are getting following exception on GetResponse method of HttpWebRequest instance.

The request was aborted: Could not create SSL/TLS secure channel.

When we go depth and trace network logs with WireShark, we see that remote machine return the following error

TLSv1.2 Alert (Level: Fatal, Description: Handshake Failure) Handshake Failure 40

More interesting situation is when I try enter to PayPal address to the internet browser, it can successfully open the page, which means that connection can be established, We also try to connect with OpenSSL command tool, result is again succesfully connected.

When we compare the WireShark logs of InternetExplorer and .Net application we can see that Internet Explorer is sending more available cipher suites than .Net application, and also PayPal is selecting the following cipher which is not in .Net applications requests.

TLS_RSA_WITH_RC4_128_SHA

Followings are captured logs from WireShark:

ServerMachine:.Net application Client Hello ServerMachine:.Net application Server Response ServerMachine:InternetExplorer Client Hello ServerMachine:InternetExplorer Server Hello

Followings are captured from our development machines which is working without a problem. DevMachine:.Net application Client Hello DevMachine:.Net application Server Hello

What we think that PayPal doesn't like our Cipher Suites that we send on "Client Hello" request from .Net application.

More more interesting situation is this problem only occured on our production machines which are running Windows 2008 R2, everythins is working on our dev enviroment with Windows Server 2008 R2 and Windows 8 pcs.

Please give us some idea to solve this problem.

Following is our C# code to connect PayPal api.

HttpWebRequest wr = (HttpWebRequest)WebRequest.Create("https://api-3t.sandbox.paypal.com/2.0/");

wr.Method = "POST";
wr.ContentType = "application/x-www-form-urlencoded";


string output = null;
try
{
    WebResponse wres = wr.GetResponse();
    Stream ress = wres.GetResponseStream();
    StreamReader ressr = new StreamReader(ress, Encoding.UTF8);
    output = ressr.ReadToEnd();
}
catch (System.Net.WebException webEx)
{
    if (webEx.Response != null)
    {
        WebResponse wres = webEx.Response;
        Stream ress = wres.GetResponseStream();
        StreamReader ressr = new StreamReader(ress);
        output = ressr.ReadToEnd();
    }
    else
        throw webEx;

}
catch (Exception ex)
{
    throw ex;
}

Best Regards

Answer 1

What we think that PayPal doesn't like our Cipher Suites that we send on "Client Hello" request from .Net application.

This is correct. If you look at ssllabs you will see, that api-3t.sandbox.paypal.com supports only RC4-SHA (TLS_RSA_WITH_RC4_128_SHA) which is not included in your cipher set.

More more interesting situation is this problem only occured on our production machines which are running Windows 2008 R2

It might be that you've added some hardening to the production systems and disabled RC4-SHA, because this cipher is considered insecure. See Microsoft Technet for a matching recommendation which you have probably implemented.