
I'm getting an SSL error when making a SOAP call with an SSL certificate:

The request was aborted: Could not create SSL/TLS secure channel.

The weird thing is that if I load the certificate in Firefox and visit the endpoint or make a call to the API without sending any data, I don't get any error message and it connects successfully. The company exposing the API has also mentioned that the certificate is kosher.

The certificate I'm loading has full privileges to "Everyone". I've tried every solution I've seen on the internet but I'm still getting the error.

Here is my code that creates the request:

    ServicePointManager.Expect100Continue = true;
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
    var request = (HttpWebRequest)WebRequest.Create(plugin.EndPoint);
    request.ContentType = "text/xml; charset=utf-8";
    request.Method = "POST";

The code to get the certificate (I've also tried with a pfx):

    var cert = new X509Certificate2(@"C:\clientcert.p12", "FakePassword");
    request.ClientCertificates.Add(cert);

and the code for the request:

    byte[] byteArray = Encoding.UTF8.GetBytes(xml);
    request.ContentLength = byteArray.Length;
    using (var dataStream = request.GetRequestStream())
    {
        dataStream.Write(byteArray, 0, byteArray.Length);
        dataStream.Close();

        using (WebResponse response = request.GetResponse())
        {
            using (var responseStream = response.GetResponseStream())
            {
                // Dispose the reader as well so nothing is left open on the response stream.
                using (var reader = new StreamReader(responseStream ?? throw new InvalidOperationException()))
                {
                    return reader.ReadToEnd();
                }
            }
        }
    }

Edit:

Here is the trace output from running the request:

System.Net Information: 0 : [11844] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=CertUnknown).
System.Net Error: 0 : [11844] Exception in HttpWebRequest#63832831:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [11844] Exception in HttpWebRequest#63832831::EndGetRequestStream - The request was aborted: Could not create SSL/TLS secure channel..

I also changed the SecurityProtocol:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; 

Second Edit: I can get it to work in SoapUI but not in the .NET application by just loading the SSL certificate from the file system in SOAP UI.

Eitan
  • *... or make a call to the API without sending any data, I don't get any error message* - Are you sure that you actually contact the server in this case? - You could try applying all values to SecurityProtocol as currently it's TLS 1.2 or nothing. If you enable Tracing on the request you will get detailed logs. – Alex K. Jul 11 '18 at 14:51
  • After so much research, this [thread](https://stackoverflow.com/questions/2859790/the-request-was-aborted-could-not-create-ssl-tls-secure-channel) worked for me! – Tuxpilgrim Jul 11 '18 at 14:51
  • System.NET tracing said "returned code=CertUnknown", so it must contain other information for you to dig. Similar threads like https://stackoverflow.com/questions/9858275/net-application-fails-to-send-client-certificate-win-7-vs-win-xp should give you some hints. – Lex Li Jul 12 '18 at 16:08
  • It is an "it did not work" exception message. Pretty intentional, they don't want to give an attacker too much info about what he did wrong. Enable logging on the other machine so you know *exactly* what went wrong: https://support.microsoft.com/en-us/help/260729/how-to-enable-schannel-event-logging-in-iis If the log content doesn't help then you now have good info to ask a question at serverfault.com – Hans Passant Jul 16 '18 at 18:23

3 Answers

Out of interest, your app is using the TLS 1.0, 1.1 and 1.2 protocols, but is its use enabled in Internet Explorer?

If it's not in the web.config, add it:

<appSettings>
    <add key="SecurityProtocol" value="Tls12" />
</appSettings>

Then also check it's enabled in IE in the advanced settings tab: "Use TLS 1.2"

Omar.Ebrahim

Your SSL certificate is signed by a root certificate that isn't installed in Windows.

Firefox ships with its own trusted root cert list that contains the root cert for the cert you're using. Just because Firefox trusts a cert doesn't mean that Windows trusts it.

The solution is to install your cert's root cert or cert chain on the computer running your app.

https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-create-temporary-certificates-for-use-during-development

If this is an app with a wide audience, an easier solution is to switch to an SSL provider that already uses a root cert that ships with Windows.

Terry Carmen
  • I used openssl to self sign the certificate for testing purposes. In the code above I load it from my hard drive but when I retrieve it using a thumbprint in my cert local store, I'm getting the same error. – Eitan Jul 16 '18 at 17:32
  • See the above link. – Terry Carmen Jul 16 '18 at 18:10
  • I guess I could use MakeCert instead of OpenSSL but this certificate has worked with other implementations and they've validated it on their side. I would need to continue to use that certificate unless I can give good enough reason why it's not working or makecert is a better alternative to openssl – Eitan Jul 16 '18 at 18:47
  • Do you have a self-signed certificate that's been working or do you have an actual certificate from a Certification Authority that you've been using? Is this deployed across an enterprise or just on a couple of machines? – Terry Carmen Jul 16 '18 at 19:04
  • I have a self signed certificate that I've been working with. It expires in 2026 so the 3rd party wanted to continue using that certificate. Our application is deployed in Azure but I'm testing on my local machine. I'm not sure about their architecture. – Eitan Jul 16 '18 at 19:22
  • It sounds like they have already installed it and it's only broken for you. In that case adding it to the Windows certificate store should take care of it. You shouldn't need to regenerate the certificate. You should be able to import it using the Certificate Import Wizard in Internet Explorer. – Terry Carmen Jul 16 '18 at 19:37
  • I added it to my localstore and load it using a thumbprint. I just use windows certificate manager instead of internet explorer because I want to call it from a .NET application – Eitan Jul 16 '18 at 19:44
  • You can add it from almost anywhere except Firefox. Firefox maintains its own cert store. Pretty much everything else uses the Windows certificate store. – Terry Carmen Jul 16 '18 at 19:55

Sometimes I have this error as well. The steps I take to overcome this problem are as follows:

  1. Export your certificate from IIS
  2. Double click the certificate and follow the wizard
  3. Store location 'Local machine' next ->
  4. Fill in the password you have picked during the export
  5. Check the option to place the certificate in a store and choose your 'Trusted Root Certification Authorities'
  6. Finish -> to check if the import was successful type in 'Windows search' 'certmgr.msc' navigate to the 'Trusted Root Certification Authorities' and then the certificates folder. The imported certificate should be present.
  7. Test with your application.

I hope it helps.

  • Thanks for the answer. I have it added to the 'Trusted Root Certification Authorities' and still getting the error – Eitan Jul 23 '18 at 16:48
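The question's trace, Terry Carmen's answer (the root is not trusted by Windows) and the import steps above all come down to two properties the client machine can check before the SOAP call is even attempted: does the loaded certificate carry a usable private key, and does its chain end in a root present in the Windows trusted-root store. The following C# helper is an added example, not code from the question or from any of the answers; it loads the certificate the same way the question does (the file path, password and thumbprint are placeholders), builds the chain with `X509Chain` exactly as Schannel would, lists every status flag the OS raises, and performs step 6 of the import answer (the certmgr.msc check) programmatically against `Trusted Root Certification Authorities`.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added diagnostic helper (not code from the question or from any answer).
// It answers, on the client machine, the two questions Schannel cares about before it
// can present a client certificate: is a private key attached, and does the chain end
// in a root the Windows store trusts. Path, password and thumbprint are placeholders.
public static class ClientCertCheck
{
    // Same loading style as the question; placeholder path and password.
    public static X509Certificate2 LoadFromFile(string path, string password)
    {
        return new X509Certificate2(path, password);
    }

    // Alternative the question also tried: look the certificate up by thumbprint
    // in the Personal store of the given location (CurrentUser or LocalMachine).
    public static X509Certificate2 LoadFromStore(string thumbprint, StoreLocation location)
    {
        using (var store = new X509Store(StoreName.My, location))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            return found.Count == 0 ? null : found[0];
        }
    }

    // Builds the chain the way the OS does and lists every status flag it raises
    // (UntrustedRoot, NotTimeValid, ...). Returns true only if the chain is trusted
    // and a private key is attached, i.e. the certificate is usable for client auth.
    public static bool Diagnose(X509Certificate2 cert, StoreLocation location, out string report)
    {
        var sb = new StringBuilder();
        sb.AppendLine("Subject:         " + cert.Subject);
        sb.AppendLine("Issuer:          " + cert.Issuer);
        sb.AppendLine("Has private key: " + cert.HasPrivateKey);

        using (var chain = new X509Chain())
        {
            // A self-signed test certificate has no CRL/OCSP endpoint; skipping online
            // revocation keeps the result about trust rather than network reachability.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            bool trusted = chain.Build(cert);
            sb.AppendLine("Chain trusted:   " + trusted);

            foreach (X509ChainStatus status in chain.ChainStatus)
                sb.AppendLine("  " + status.Status + ": " + status.StatusInformation.Trim());

            // The last element is the root the OS found (for a self-signed cert, the cert itself).
            X509Certificate2 root =
                chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            sb.AppendLine("Root in " + location + "\\Root store: " + RootIsInstalled(root, location));

            report = sb.ToString();
            return trusted && cert.HasPrivateKey;
        }
    }

    // What step 6 of the import answer checks by hand in certmgr.msc: is this root
    // present in Trusted Root Certification Authorities of the given store location.
    public static bool RootIsInstalled(X509Certificate2 root, StoreLocation location)
    {
        using (var store = new X509Store(StoreName.Root, location))
        {
            store.Open(OpenFlags.ReadOnly);
            return store.Certificates.Find(
                X509FindType.FindByThumbprint, root.Thumbprint, false).Count > 0;
        }
    }

    public static void Main()
    {
        // Placeholder path and password, as in the question.
        X509Certificate2 cert = LoadFromFile(@"C:\clientcert.p12", "FakePassword");
        string report;
        bool usable = Diagnose(cert, StoreLocation.LocalMachine, out report);
        Console.WriteLine(report);
        Console.WriteLine(usable
            ? "Certificate is usable for client authentication on this machine."
            : "Fix the items above before retrying the SOAP call.");
    }
}
```

Read the report as follows: `Has private key: False` means the PKCS#12 was loaded without its key and Schannel has nothing to sign the handshake with; an `UntrustedRoot` flag means the self-signed root has not yet landed in `LocalMachine\Root` (the store location the import answer uses; `CurrentUser\Root` is a different store). Note what this check cannot tell you: whether the *server* accepts the certificate is decided by that server's own trust store, which is why Hans Passant's comment points at Schannel event logging on the other machine.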