Home > Software engineering >  Troubleshoot TLS1.2 in .NET 4.7.2 / 4.8 with wireshark
Troubleshoot TLS1.2 in .NET 4.7.2 / 4.8 with wireshark

Time:01-27

We have problem with .NET application which runs fine on development PC (win10) but when deployed to "Windows server 2016" production env it reports:

System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.

wireshark difference in Dev and Prod Env On Dev (Win10) there is "Certificate,Client Key Exchange" after "Server Key Exchange" packet Development WS

On Prod (srv 2016) there is "TCP Spurious Retransmission" after "Server Key Exchange" as on screenshot Production WS

Tried with .NET 4.7.2 and 4.8 same error, how to proceed ? It looks like there is problem on production server when PFX cert is used

Dim request As HttpWebRequest = CType(WebRequest.Create("https://obt2b1.service.com/cords/api/"), HttpWebRequest)
request.Method = WebRequestMethods.Http.Post
request.Accept = "application/xml"
request.ContentType = "application/xml"
'Use x509 PFX
request.ClientCertificates.Add(getCert())
request.KeepAlive = True
request.CachePolicy = New System.Net.Cache.RequestCachePolicy(System.Net.Cache.RequestCacheLevel.NoCacheNoStore)
request.Timeout = 1000000
request.AllowAutoRedirect = True

Dim dataStream As Byte() = Encoding.UTF8.GetBytes(xml_send)
request.ContentLength = dataStream.Length

ServicePointManager.Expect100Continue = true
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12

'Here the error "System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel." is reported
Dim _stream As Stream = request.GetRequestStream()

...

Private Function getCert() As X509Certificate2
    Dim collection As New X509Certificate2Collection()
    collection.Import("C:\pfx\test.pfx", "xxx", X509KeyStorageFlags.PersistKeySet Or X509KeyStorageFlags.UserKeySet Or X509KeyStorageFlags.MachineKeySet Or X509KeyStorageFlags.Exportable)
    Return collection(0)
End Function

EDITED ... SecurityProtocol moved up same thing

ServicePointManager.Expect100Continue = true
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
Dim request As HttpWebRequest = CType(WebRequest.Create("https://obt2b1.service.com/cords/api/"), HttpWebRequest)
request.Method = WebRequestMethods.Http.Post
request.Accept = "application/xml"
request.ContentType = "application/xml"
'Use x509 PFX
request.ClientCertificates.Add(getCert())
request.KeepAlive = True
request.CachePolicy = New System.Net.Cache.RequestCachePolicy(System.Net.Cache.RequestCacheLevel.NoCacheNoStore)
request.Timeout = 1000000
request.AllowAutoRedirect = True

Dim dataStream As Byte() = Encoding.UTF8.GetBytes(xml_send)
request.ContentLength = dataStream.Length

'GetRequestStream() gets the error "System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel." is reported
Dim _stream As Stream = request.GetRequestStream()

CodePudding user response:

OK after an almost week of testing I found a solution. Things that I tried:

  • windows server 2012R2 (working no problem)
  • windows server 2016 (not working)
  • windows server 2019 (not working)

I tried to enable ALL ciphers and ALL settings in IIS Cryto 3.2 - didn't help. Problem was in worker process on the IIS, you need to enable "Load User Profile" to True

IIS -> Application Pools -> (choose pool) -> Advanced Settings ... Change "Load User Profile" from false to true ...

enter image description here

After that I start IIS Crypto 3.2 set all setting to restrictive as it was before

  •  Tags:  
  • Related