Could not create SSL/TLS secure channel only on Windows Server 2012

Question

I have a peculiar problem where ac# app works on all other machines and other client machines I have tested. But does not establish a connection on my clients Windows Server 2012 hosted by his ISP. This app have been working up to about 2 days ago on this machine according to my client and uses .Net4.5.2. I have no idea what changed the last couple of days unfortunately.

What I have tested on this machine:

• Using Chrome the url works
• Using Edge the url works
• hitting the URL with curl works
• Using IE11 the url does not work
• Using our app does not work
• Using a quick test app does not work

This is the same no matter what settings I change on the server or in the app.

Error from my app:

AuthResponse is null: False 
AuthResponse ErrorException: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
   at System.Net.HttpWebRequest.GetRequestStream()
   at RestSharp.Http.WriteRequestBody(HttpWebRequest webRequest)
   at RestSharp.Http.PostPutInternal(String method)
   at RestSharp.Http.AsPost(String httpMethod)
   at RestSharp.RestClient.DoExecuteAsPost(IHttp http, String method)
   at RestSharp.RestClient.Execute(IRestRequest request, String httpMethod, Func`3 getResponse)
AuthResponse ErrorMessage: The request was aborted: Could not create SSL/TLS secure channel.

Error from IE11:

Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to  again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.

Errors From Event Viewer:

A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.
A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

There are a lot of these errors in event viewer, I just copied three of them in case they are actually relevant.

What I have tried:

I used IISCrypto to change and configure all manner of settings and testing in between. All with the same results. I have modified my app with quite a few changes I have found by searching all with the same results as well. Some of the code changes I made below:

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
ServicePointManager.Expect100Continue = true;
System.Net.ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;

This is not all the changes I tried. I tried all kinds of different variations as well such as only tls1.2. I have used my little test app as well to connect to other https sites like google and my other rest service and no error is reported on this machine.

Our Auth server uses Lets Encrypts certificates and uses OAth and only accepts tls2.1. I have hit another REST Api that we use that also use Lets Encrypt and that is working. I don't know if I need to update the certificate store (if that is possible), or if there is a setting I'm missing. I'm honestly at a loss here.

Test app source if that helps at all:

static async Task test(string url)
{
    // Call asynchronous network methods in a try/catch block to handle exceptions.
    try
    {
        HttpClient httpClient = new HttpClient();
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;

        var result = await httpClient.GetAsync(url);
        MessageBox.Show(result.StatusCode.ToString());
    }
    catch (HttpRequestException e)
    {
        MessageBox.Show(e.ToString());
    }
}

Answer 1

I also hava same issue like this, after searching for a while, there a view things you need to do:

1. First is need to check the url you need access/query, what type "Connection Encrypted" that Url use? The easy way is open the url via Mozila or chrome then check the "Connection Encrypted" this example for my case

2. Then try search available TLS chiper that available for Windows Server 2012 at there : https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-8-1 ,Find the "Connection Encrypted" from first step, for this step no.2, if you can't found it "Cipher suite string", so it mean you server can't support call that url via C# code.

Event at your code already add : ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; Because Windows Server 2012 can't support that "Connection Encrypted"

Hope can it can help you.

Answer 2

We had the same problem today. Some unsafe cipher suites were removed at our webserver yesterday. Though vulnerable, adding these cipher suites fixed the problem. https://docs.microsoft.com/en-us/windows-server/security/tls/manage-tls

Here is list of cipher suites: https://support.microsoft.com/en-us/help/2929781/update-adds-new-tls-cipher-suites-and-changes-cipher-suite-priorities

Listing supported cipher suites: https://docs.microsoft.com/nl-nl/windows/win32/secauthn/prioritizing-schannel-cipher-suites?redirectedfrom=MSDN#listing-supported-cipher-suites

Answer 3

You have probably resolved the issue, but I just came across this same issue where an external api call failed due to the same error of "Could not create SSL/TLS Secure Channel".

I spent two days on it and the fix was first checking what TLS version and cipher is supported on the endpoint by using https://www.ssllabs.com/ssltest/

After that, I used IIS Crypto to enable the proper ciphers accordingly, rearrange the ciphers in the order provided by SSLLabs and that resolved the issue.

Answer 4

Maybe this will help someone.

I just had this very problem with Windows Server 2019 Datacenter.

The X.509 certificate I was using to secure my self-hosted service on the server was old and weak, RSA 1024, MD5 hash.

Event Viewer was no help in tracking down the cause.

On a hunch, I replaced the old X.509 with a newer X.509, RSA 4096, SHA256 and the error went away.