Could not create ssl tls secure channel

We are unable to connect to an HTTPS server using WebRequest because of this error message:

The request was aborted: Could not create SSL/TLS secure channel.

We know that the server doesn’t have a valid HTTPS certificate with the path used, but to bypass this issue, we use the following code that we’ve taken from another StackOverflow post:

The problem is that server never validates the certificate and fails with the above error. Does anyone have any idea of what should I do?

I should mention that a colleague and I performed tests a few weeks ago and it was working fine with something similar to what I wrote above. The only "major difference" we’ve found is that I’m using Windows 7 and he was using Windows XP. Does that change something?

40 Answers 40

I finally found the answer (I haven’t noted my source but it was from a search);

While the code works in Windows XP, in Windows 7, you must add this at the beginning:

And now, it works perfectly.

ADDENDUM

As mentioned by Robin French; if you are getting this problem while configuring PayPal, please note that they won’t support SSL3 starting by December, 3rd 2018. You’ll need to use TLS. Here’s Paypal page about it.

The solution to this, in .NET 4.5 is

If you don’t have .NET 4.5 then use

Make sure the ServicePointManager settings are made before the HttpWebRequest is created, else it will not work.

The problem you’re having is that the aspNet user doesn’t have access to the certificate. You have to give access using the winhttpcertcfg.exe

An example on how to set this up is at: http://support.microsoft.com/kb/901183

Under step 2 in more information

EDIT: In more recent versions of IIS, this feature is built in to the certificate manager tool — and can be accessed by right clicking on the certificate and using the option for managing private keys. More details here: https://serverfault.com/questions/131046/how-to-grant-iis-7-5-access-to-a-certificate-in-certificate-store/132791#132791

The error is generic and there are many reasons why the SSL/TLS negotiation may fail. The most common is an invalid or expired server certificate, and you took care of that by providing your own server certificate validation hook, but is not necessarily the only reason. The server may require mutual authentication, it may be configured with a suites of ciphers not supported by your client, it may have a time drift too big for the handshake to succeed and many more reasons.

The best solution is to use the SChannel troubleshooting tools set. SChannel is the SSPI provider responsible for SSL and TLS and your client will use it for the handshake. Take a look at TLS/SSL Tools and Settings.

I had this problem trying to hit https://ct.mob0.com/Styles/Fun.png, which is an image distributed by CloudFlare on it’s CDN that supports crazy stuff like SPDY and weird redirect SSL certs.

Instead of specifying Ssl3 as in Simons answer I was able to fix it by going down to Tls12 like this:

After many long hours with this same issue I found that the ASP.NET account the client service was running under didn’t have access to the certificate. I fixed it by going into the IIS Application Pool that the web app runs under, going into Advanced Settings, and changing the Identity to the LocalSystem account from NetworkService .

A better solution is to get the certificate working with the default NetworkService account but this works for quick functional testing.

Something the original answer didn’t have. I added some more code to make it bullet proof.

Another possibility is improper certificate importation on the box. Make sure to select encircled check box. Initially I didn’t do it, so code was either timing out or throwing same exception as private key could not be located.

The "The request was aborted: Could not create SSL/TLS secure channel" exception can occur if the server is returning an HTTP 401 Unauthorized response to the HTTP request.

You can determine if this is happening by turning on trace-level System.Net logging for your client application, as described in this answer.

Once that logging configuration is in place, run the application and reproduce the error, then look in the logging output for a line like this:

In my situation, I was failing to set a particular cookie that the server was expecting, leading to the server responding to the request with the 401 error, which in turn led to the "Could not create SSL/TLS secure channel" exception.

The root of this exception in my case was that at some point in code the following was being called:

This is really bad. Not only is it instructing .NET to use an insecure protocol, but this impacts every new WebClient (and similar) request made afterward within your appdomain. (Note that incoming web requests are unaffected in your ASP.NET app, but new WebClient requests, such as to talk to an external web service, are).

In my case, it was not actually needed, so I could just delete the statement and all my other web requests started working fine again. Based on my reading elsewhere, I learned a few things:

  • This is a global setting in your appdomain, and if you have concurrent activity, you can’t reliably set it to one value, do your action, and then set it back. Another action may take place during that small window and be impacted.
  • The correct setting is to leave it default. This allows .NET to continue to use whatever is the most secure default value as time goes on and you upgrade frameworks. Setting it to TLS12 (which is the most secure as of this writing) will work now but in 5 years may start causing mysterious problems.
  • If you really need to set a value, you should consider doing it in a separate specialized application or appdomain and find a way to talk between it and your main pool. Because it’s a single global value, trying to manage it within a busy app pool will only lead to trouble. This answer: https://stackoverflow.com/a/26754917/7656 provides a possible solution by way of a custom proxy. (Note I have not personally implemented it.)

Another possible cause of the The request was aborted: Could not create SSL/TLS secure channel error is a mismatch between your client PC’s configured cipher_suites values, and the values that the server is configured as being willing and able to accept. In this case, when your client sends the list of cipher_suites values that it is able to accept in its initial SSL handshaking/negotiation "Client Hello" message, the server sees that none of the provided values are acceptable, and may return an "Alert" response instead of proceeding to the "Server Hello" step of the SSL handshake.

To investigate this possibility, you can download Microsoft Message Analyzer, and use it to run a trace on the SSL negotiation that occurs when you try and fail to establish an HTTPS connection to the server (in your C# app).

If you are able to make a successful HTTPS connection from another environment (e.g. the Windows XP machine that you mentioned — or possibly by hitting the HTTPS URL in a non-Microsoft browser that doesn’t use the OS’s cipher suite settings, such as Chrome or Firefox), run another Message Analyzer trace in that environment to capture what happens when the SSL negotiation succeeds.

Hopefully, you’ll see some difference between the two Client Hello messages that will allow you to pinpoint exactly what about the failing SSL negotiation is causing it to fail. Then you should be able to make configuration changes to Windows that will allow it to succeed. IISCrypto is a great tool to use for this (even for client PCs, despite the "IIS" name).

The following two Windows registry keys govern the cipher_suites values that your PC will use:

Here’s a full writeup of how I investigated and solved an instance of this variety of the Could not create SSL/TLS secure channel problem: http://blog.jonschneider.com/2016/08/fix-ssl-handshaking-error-in-windows.html

I had this problem because my web.config had:

As you can tell there are plenty of reasons this might happen. Thought I would add the cause I encountered .

If you set the value of WebRequest.Timeout to 0 , this is the exception that is thrown. Below is the code I had. (Except instead of a hard-coded 0 for the timeout value, I had a parameter which was inadvertently set to 0 ).

This one is working for me in MVC webclient

I have struggled with this problem all day.

When I created a new project with .NET 4.5 I finally got it to work.

But if I downgraded to 4.0 I got the same problem again, and it was irreversable for that project (even when i tried to upgrade to 4.5 again).

Strange no other error message but "The request was aborted: Could not create SSL/TLS secure channel." came up for this error

In case that the client is a windows machine, a possible reason could be that the tls or ssl protocol required by the service is not activated.

This can be set in:

Control Panel -> Network and Internet -> Internet Options -> Advanced

Scroll settings down to "Security" and choose between

  • Use SSL 2.0
  • Use SSL 3.0
  • Use TLS 1.0
  • Use TLS 1.1
  • Use TLS 1.2

In my case, the service account running the application did not have permission to access the private key. Once I gave this permission, the error went away

  1. mmc
  2. certificates
  3. Expand to personal
  4. select cert
  5. right click
  6. All tasks
  7. Manage private keys
  8. Add

If you are running your code from Visual Studio, try running Visual Studio as administrator. Fixed the issue for me.

The top-voted answer will probably be enough for most people. However, in some circumstances, you could continue getting a "Could not create SSL/TLS secure channel" error even after forcing TLS 1.2. If so, you may want to consult this helpful article for additional troubleshooting steps. To summarize: independent of the TLS/SSL version issue, the client and server must agree on a "cipher suite." During the "handshake" phase of the SSL connection, the client will list its supported cipher-suites for the server to check against its own list. But on some Windows machines, certain common cipher-suites may have been disabled (seemingly due to well-intentioned attempts to limit attack surface), decreasing the possibility of the client & server agreeing on a cipher suite. If they cannot agree, then you may see "fatal alert code 40" in the event viewer and "Could not create SSL/TLS secure channel" in your .NET program.

The aforementioned article explains how to list all of a machine’s potentially-supported cipher suites and enable additional cipher suites through the Windows Registry. To help check which cipher suites are enabled on the client, try visiting this diagnostic page in MSIE. (Using System.Net tracing may give more definitive results.) To check which cipher suites are supported by the server, try this online tool (assuming that the server is Internet-accessible). It should go without saying that Registry edits must be done with caution, especially where networking is involved. (Is your machine a remote-hosted VM? If you were to break networking, would the VM be accessible at all?)

In my company’s case, we enabled several additional "ECDHE_ECDSA" suites via Registry edit, to fix an immediate problem and guard against future problems. But if you cannot (or will not) edit the Registry, then numerous workarounds (not necessarily pretty) come to mind. For example: your .NET program could delegate its SSL traffic to a separate Python program (which may itself work, for the same reason that Chrome requests may succeed where MSIE requests fail on an affected machine).

Comments

Copy link Quote reply

aleles commented Dec 31, 2014

Hi, we get this error on some orders in RegisterButton. Other orders go through fine. Do you know what could cause it?

The request was aborted: Could not create SSL/TLS secure channel.

This comment has been minimized.

Copy link Quote reply

bchavez commented Dec 31, 2014

Seems to be more of an underlying .NET issue with SSL.

Let me know if that works for you.

This comment has been minimized.

Copy link Quote reply

bchavez commented Feb 13, 2015

For the time being, I’ll be closing the issue since I think this is more of a underlying .NET configuration issue. If you’re still having trouble, please let me know and I’ll be happy to re-open this issue and investigate it further.

This comment has been minimized.

Copy link Quote reply

gmz-dev commented Apr 29, 2015

I’ve recently downloaded your source code and built additional methods using the information on CoinBase API that are required for my application.

My application is a Windows Service and is scheduled to run hourly. I’m encountering the same issue with my application on creating secure SSL/TLS channel.

Exception Message : The request was aborted: Could not create SSL/TLS secure channel.

Can you please help with the fix for this issue.

Thank you for your help in advance.

This comment has been minimized.

Copy link Quote reply

bchavez commented Apr 29, 2015

@gmz-dev , I’m sorry your having problems using the Coinbase API. Honestly, I cannot reproduce this error; therefore, my options in providing help are somewhat limited.

What you’ll need to do is:

  1. Provide a stack trace when this exception occurs and any additional information to help debug the issue.
  2. Set the SecurityProtocol in your Program.Main() before running any Coinbase API calls. Try playing with different ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3; settings as mentioned in the link above.
    Set the SecurityProtocol in your Program.Main() before running any Coinbase API calls.
  3. Pull the latest hotfixes for the .NET framework from Windows Update.

Again, I don’t think this problem is related to the code in this repository per se but more of an underlying .NET Secure Socket / SSL handshake issue between Coinbase’s API servers and the underlying SSL implementation in the .NET framework (which RestSharp is using).

This comment has been minimized.

Copy link Quote reply

aleles commented Apr 29, 2015

@gmz-dev We had this issue dropped for a few months, but we started experiencing it again recently. I’m talking to the Coinbase support about it. Also, I just created a public thread on their forum here https://community.coinbase.com/t/could-not-create-ssl-tls-secure-channel/2640

I feel like one or more of their boxes have CAs configured in a way our servers can’t establish the connection.

November 16, 2018 — J. Tower

Could not create SSL/TLS secure channel

Recently, a legacy ASP.NET Web API application that we support started logging an exception and also giving back a HTTP 500 response on some of its API endpoints. The exception, or at least an inner exception within it, was:

System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel

With SSL3 and TLS1.0 being deprecated, I figured this had to do with a version mismatch between the browser and the server. In fact, that was true. The reason why the security protocol didn’t default to TLS 1.2 in my application is because it was running on .NET 4.6.2, and in .NET 4.6x there is no default set for the security protocol. Also, it was running on a version of Windows (2012 R2) that didn’t have newer versions of TLS enabled by default.

One solution to this is to recompile your website either specifying a default or targeting .NET 4.7, which does have a default value of SecurityProtocolType.SystemDefault. According to the Microsoft .NET documentation, this setting “allows .NET Framework networking APIs based on SslStream (such as FTP, HTTP, and SMTP) to inherit the default security protocols from the operating system or from any custom configurations performed by a system administrator”. In my case, that may not have helped since the OS didn’t have TLS1.2 enabled.

Strong Cryptography Mode

I wasn’t able to recompile the application at the time, anyway, and so needed to find another way to fix the issue by reconfiguring the OS. In the end, I was able to fix the issue by enabling something called “strong cryptography mode” in Windows on the web server, which you can read more background about here.

To make the change, I simply had to run the two commands below in an elevated PowerShell prompt on the server. The first command is for x64 .NET and the second for x86 .NET.

After those commands are run, you can run the following command to verify the setup:

This will list the enabled SSL/TLS protocols, which in my case now includes TLS12 (that is, TLS 1.2).

Finally, I simply reset IIS to restart my application, and I now no longer get the “Could not create SSL/TLS secure channel” exception and the API longer returns HTTP 500 responses!


[an error occurred while processing the directive]
Карта сайта