
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception in Windows IIS server #33708

Closed
akashlimbani opened this issue Mar 18, 2020 · 23 comments

Comments

@akashlimbani

[screenshot]

@Dotnet-GitSync-Bot Dotnet-GitSync-Bot added area-System.Net.Http untriaged New issue has not been triaged by the area owner labels Mar 18, 2020
@vcsjones
Member

The message received was unexpected or badly formatted.

This error is typical when there is a TLS handshake error with HTTPS in Windows. A common cause of this is when the client and server are unable to negotiate a cipher suite.

A way to diagnose this is to look at the list of cipher suites supported by Windows. This can vary by Windows operating system, patches installed, and exact configuration. Use this list for the client, that is, where the program is running.

The next step is to compare that list to the cipher suites supported by the server, or that HTTPS URL your program is connecting to. If that server is publicly available on the internet, you can use something like https://www.ssllabs.com/ssltest/ to "scan" the server and get a list of supported cipher suites. If the lists have no cipher suite in common, then this kind of error will occur.

/cc @wfurt
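The comparison above (what this client can offer versus what the server accepts) can also be made directly on the failing machine. The following is an added example, not code from the issue or from the dotnet repository: a .NET Core 3.1 console program that performs the handshake itself with SslStream, which is the same path HttpClient takes on .NET Core, once with the OS defaults and once per explicit TLS version, and prints either the negotiated protocol and cipher suite or the Schannel error behind the AuthenticationException. The host name is a placeholder taken from the command line; SslStream.NegotiatedCipherSuite requires .NET Core 3.0 or later.

```csharp
// Added example, not code from the issue thread or the dotnet repo: probe a host's TLS handshake
// from this Windows client with SslStream (the same path HttpClient takes on .NET Core) and report
// either what was negotiated or the Schannel error behind the AuthenticationException.
// Target: .NET Core 3.1 console app. The host name is a placeholder taken from the command line.
using System;
using System.ComponentModel;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Threading;
using System.Threading.Tasks;

static class TlsProbe
{
    // SEC_E_ILLEGAL_MESSAGE, the HRESULT behind "The message received was unexpected or badly formatted".
    const int SEC_E_ILLEGAL_MESSAGE = unchecked((int)0x80090326);

    static async Task Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "example.com"; // assumption: host passed by the caller
        // SslProtocols.None means "use the OS (Schannel) defaults", which is what HttpClient does;
        // the explicit versions show which ones this client can actually complete against the server.
        foreach (var protocols in new[] { SslProtocols.None, SslProtocols.Tls12, SslProtocols.Tls11, SslProtocols.Tls })
        {
            Console.WriteLine($"requesting {protocols,-5}: {await ProbeAsync(host, 443, protocols)}");
        }
    }

    static async Task<string> ProbeAsync(string host, int port, SslProtocols protocols)
    {
        using var tcp = new TcpClient();
        await tcp.ConnectAsync(host, port);
        // Certificate validation is left at the default so a chain problem shows up as its own error.
        using var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false);
        try
        {
            await ssl.AuthenticateAsClientAsync(
                new SslClientAuthenticationOptions { TargetHost = host, EnabledSslProtocols = protocols },
                CancellationToken.None);
            // What both sides agreed on; compare the suite with the server's ssllabs scan.
            return $"OK {ssl.SslProtocol}, {ssl.NegotiatedCipherSuite} " +
                   $"(kx={ssl.KeyExchangeAlgorithm}, cipher={ssl.CipherAlgorithm}/{ssl.CipherStrength}, mac={ssl.HashAlgorithm})";
        }
        catch (Exception ex) when (ex is AuthenticationException || ex is IOException)
        {
            return "FAILED " + Describe(ex);
        }
    }

    // Walk the inner exceptions; Schannel failures arrive as a Win32Exception carrying the HRESULT.
    static string Describe(Exception ex)
    {
        for (Exception e = ex; e != null; e = e.InnerException)
        {
            if (e is Win32Exception w)
            {
                string hint = w.NativeErrorCode == SEC_E_ILLEGAL_MESSAGE
                    ? " [SEC_E_ILLEGAL_MESSAGE: handshake aborted; typically no protocol version or cipher suite in common]"
                    : "";
                return $"0x{w.NativeErrorCode:X8} {w.Message}{hint}";
            }
        }
        return ex.GetType().Name + ": " + ex.Message;
    }
}
```

Run it on the machine that fails, against the host that fails. If the explicit Tls12 attempt also ends in 0x80090326 while the server scan shows the server only speaks TLS 1.2, the protocol version is not the problem and the remaining suspect is the cipher suite list, which no client-side protocol setting changes.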

@wfurt
Member

wfurt commented Mar 18, 2020

What versions of OS and .NET do you use? The linked post has ServicePointManager. That does not do anything on .NET Core. If you use curl, you can pass -v and that should show some info about the certificates.

@akashlimbani
Author

The server is Windows Server 2012. It is not working only on this OS/server, but the API works fine on localhost and on an AWS (Windows 10) server.

@wfurt
Member

wfurt commented Apr 1, 2020

Can you do a packet capture? I think @vcsjones may be right that there is a protocol or cipher mismatch, e.g. the server requires something the client cannot do. You would see that from the Client & Server Hello.

You can also look at https://support.microsoft.com/en-in/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi and make sure TLS 1.2 is enabled. This has become the expected standard and many sites are cutting support for older versions.

@akashlimbani
Author

How do I check whether TLS 1.2 is enabled or not?

@wfurt
Member

wfurt commented Apr 1, 2020

You can check something like https://www.ssllabs.com/ssltest/ for the server and https://browserleaks.com/ssl for a client approximation. To see what the client is really sending, Wireshark is certainly best (the set may be different for various reasons).

@akashlimbani
Author

akashlimbani commented Apr 1, 2020

Are you sure? Is this the TLS 1.2 issue? And yes, how do I easily set or enable that on the server?
This is the URL of the SSL/TLS test: https://www.ssllabs.com/ssltest/analyze.html?d=sexypvt.wp8my.com
Please check that for me, because I don't have good knowledge about that. Please help me with it; I have been trying to solve this issue for the last week.

@wfurt
Member

wfurt commented Apr 1, 2020

I don't understand your comment. If you do and post a packet capture (https://www.wireshark.org/download.html) we would know for sure. It is hard to advise without seeing the actual cryptographic exchange. The link you posted shows support all the way down to (insecure) SSLv3, so it may not be. That is just a guess.

I also noticed that in the linked post you claim .NET 2.0. That is long out of support with many bugs. If that is the case, give it a try with 3.1.

@akashlimbani
Author

[screenshot]

@akashlimbani
Author

I have already tested with .NET Core 3.1. That gives the same error.

@wfurt
Member

wfurt commented Apr 9, 2020

Did you get the packet capture @akashlimbani?

@alnikola alnikola added needs more info and removed untriaged New issue has not been triaged by the area owner labels Apr 30, 2020
@alnikola
Contributor

Triage: Needs more info to make progress. Closing for now, feel free to re-open if you can provide more details.

@HarelM

HarelM commented Jun 17, 2020

I think I have the same issue.
I'm trying to get a file from here:
https://ibt.org.il/images/gpsfiles/masada-neve_zohar.gpx
I've analysed the site using the following address:
https://www.ssllabs.com/ssltest/analyze.html?d=ibt.org.il
I'm using the default .NET Core 3.1 template with the following code in the controller:

// Default ASP.NET Core 3.1 Web API template with the Get action replaced by an outbound HTTPS call.
// IHttpClientFactory needs services.AddHttpClient() in Startup.ConfigureServices.
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;

namespace HttpsTest.Controllers
{
    [ApiController]
    [Route("test")]
    public class WeatherForecastController : ControllerBase
    {
        private readonly IHttpClientFactory _factory;

        public WeatherForecastController(IHttpClientFactory factory)
        {
            _factory = factory;
        }

        [HttpGet]
        public async Task<string> Get()
        {
            var client = _factory.CreateClient();
            // The TLS handshake for this request is where the exception shown below is thrown.
            var response = await client.GetAsync("https://ibt.org.il/images/gpsfiles/masada-neve_zohar.gpx");
            return await response.Content.ReadAsStringAsync();
        }
    }
}

When running on my machine (Win 10) everything works as expected.
But this fails when running on Windows Server 2012.
I've looked in Fiddler a bit to understand why it works in Firefox and Chrome but not in my C# code.
Below is the capture of the requests; the middle one (out of 3) is the one from C#, the first one is FF, the last one is Chrome.
requests.txt

The following is the error I'm getting in the console of the web api process:

      Connection id "0HM0IUEBHD4FR", Request id "0HM0IUEBHD4FR:00000001": An unhandled exception was thrown by the application.
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> System.ComponentModel.Win32Exception (0x80090326): The message received was unexpected or badly formatted.
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessAuthentication(LazyAsyncResult lazyResult, CancellationToken cancellationToken)
   at System.Net.Security.SslStream.BeginAuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
   at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__65_0(SslClientAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2](Func`5 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
   at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
   at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state)
   at System.Net.Security.SslStream.AuthenticateAsClientAsync(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean allowHttp2, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttp2ConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.DiagnosticsHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
   at HttpsTest.Controllers.WeatherForecastController.Get() in C:\Users\harel\source\repos\HttpsTest\HttpsTest\Controllers\WeatherForecastController.cs:line 33
   at lambda_method(Closure , Object )
   at Microsoft.Extensions.Internal.ObjectMethodExecutorAwaitable.Awaiter.GetResult()
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|19_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)

Let me know if there's anything I can do to help with this. it is driving me crazy... :-(

@wfurt
Member

wfurt commented Jun 17, 2020

Can you post Wireshark packet captures for both cases @HarelM? Is your 2012 machine capable of negotiating TLS 1.2? It seems like that is the only thing ibt.org.il will allow.

https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2

@HarelM

HarelM commented Jun 17, 2020

Wow, thanks for the super quick response!
Isn't the Fiddler text file enough? Wireshark gives me a headache... :-(
It seems that the secure protocols registry value was 0; I've installed the easy fix and now it's a80.
Without restarting the server this doesn't work. I'm not sure when I'll be able to restart the machine as it is a production server people are using...
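The registry value mentioned above is worth decoding, and it answers the earlier "how do I check whether TLS 1.2 is enabled" question. Two caveats a practitioner should know: SecureProtocols under Internet Settings (0xA80 = 0x800 TLS 1.2 + 0x200 TLS 1.1 + 0x80 TLS 1.0) is the WinINet mask that Internet Explorer and the KB3140245 "easy fix" deal with, whereas HttpClient on .NET Core goes through SslStream and Schannel, which obeys the per-protocol Enabled/DisabledByDefault values under SCHANNEL\Protocols; and neither key can add cipher suites the OS does not implement. The program below is an added example, not code from the thread or the dotnet repository: it reads both sets of keys and prints what they mean. The registry paths and bit values are the real Windows ones; the interpretation logic is this example's own. It needs Windows and the Microsoft.Win32.Registry API, which ships with .NET Core 3.x (add the NuGet package of the same name on older targets).

```csharp
// Added example, not from the issue thread: report the registry settings that control which
// TLS versions this Windows client offers. Registry paths and bit values are the real Windows
// ones; the interpretation logic is this example's own. Target: .NET Core 3.1 on Windows.
using System;
using System.Collections.Generic;
using Microsoft.Win32;

static class TlsRegistryCheck
{
    // Bit values of the Internet Settings\SecureProtocols DWORD (same bits as WinHTTP's DefaultSecureProtocols).
    static readonly (int Bit, string Name)[] SecureProtocolBits =
    {
        (0x0008, "SSL 2.0"), (0x0020, "SSL 3.0"), (0x0080, "TLS 1.0"),
        (0x0200, "TLS 1.1"), (0x0800, "TLS 1.2"), (0x2000, "TLS 1.3"),
    };

    const string InternetSettings = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings";
    const string SchannelProtocols = @"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols";

    static void Main()
    {
        // 1. WinINet mask: what IE and the KB3140245 "easy fix" change. Absent means the OS default applies.
        foreach (var (hive, label) in new[] { (Registry.LocalMachine, "HKLM"), (Registry.CurrentUser, "HKCU") })
        {
            int? mask = ReadDword(hive, InternetSettings, "SecureProtocols");
            Console.WriteLine($"{label} SecureProtocols: {DescribeMask(mask)}");
        }

        // 2. Schannel per-protocol client keys: what SslStream (and so HttpClient on .NET Core) obeys.
        foreach (string proto in new[] { "TLS 1.0", "TLS 1.1", "TLS 1.2" })
            Console.WriteLine($"Schannel {proto} client: {DescribeSchannel(proto)}");
    }

    static string DescribeMask(int? mask)
    {
        if (mask == null) return "absent, OS default applies";
        if (mask == 0) return "0x0, no protocol version enabled";
        var names = new List<string>();
        foreach (var (bit, name) in SecureProtocolBits)
            if ((mask.Value & bit) != 0) names.Add(name);
        return $"0x{mask.Value:X} = {string.Join(", ", names)}";
    }

    static string DescribeSchannel(string protocol)
    {
        string path = $@"{SchannelProtocols}\{protocol}\Client";
        int? enabled = ReadDword(Registry.LocalMachine, path, "Enabled");
        int? disabledByDefault = ReadDword(Registry.LocalMachine, path, "DisabledByDefault");
        if (enabled == null && disabledByDefault == null) return "no override, OS default applies";
        if (enabled == 0) return "disabled (Enabled=0)";
        if (disabledByDefault == 1) return "not offered unless an app requests it explicitly (DisabledByDefault=1)";
        return $"enabled (Enabled={Fmt(enabled)}, DisabledByDefault={Fmt(disabledByDefault)})";
    }

    static string Fmt(int? v) => v.HasValue ? $"0x{v.Value:X}" : "absent";

    // A REG_DWORD comes back boxed as int; a missing key or value yields null.
    static int? ReadDword(RegistryKey hive, string path, string name)
    {
        using RegistryKey key = hive.OpenSubKey(path);
        return key?.GetValue(name) as int?;
    }
}
```

Run it before and after applying a fix to see which of the two stacks the fix actually touched; a Schannel protocol key change needs the restart mentioned above before SslStream sees it.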

@wfurt
Member

wfurt commented Jun 17, 2020

The problem is that Fiddler sometimes has an impact on the behavior, so I tend not to trust it completely. Also the request can indicate other versions the client is willing to talk besides the one in the ClientHello header.
When you do the packet capture, make sure you use filters: in this case host ibt.org.il (you can see too much otherwise).
Generally what you want to see is a TLS 1.2 hello with a cipher matching what the server is willing to negotiate.

A quick search did not give me a definitive answer, but it is possible that Firefox and Chrome have their own TLS implementation and are therefore independent of the OS setting. Can you connect with IE/Edge?

@HarelM

HarelM commented Jun 17, 2020

Only Internet Explorer 10 is installed there and it gives the following error:
[screenshot]
I'll install Wireshark tomorrow after a good night's sleep...

@wfurt
Member

wfurt commented Jun 17, 2020

I took another look and it seems like that particular site really only supports 3 particular suites:

       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A

That is not on the list of OS-supported cipher suites for Windows Server 2012 or Windows 8.1:
https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-8-1

I think @vcsjones hit something similar but I don't know if there is any solution. (besides running on top of OpenSSL or other crypto stack) .NET depends on Schannel and OS capabilities.

@vcsjones
Member

vcsjones commented Jun 18, 2020

I think @vcsjones hit something similar

Yeah. This is exactly what I hit. SChannel on 2012 / 2012R2 curiously cannot do RSA + ECDHE + AES-GCM (nor CHACHA).

The solution for us was to move to Windows Server 2019, but 2016 would work as well.

If you have any influence on the server's supported cipher suites, you can still use AES-GCM with RSA+DHE, and ECDSA+ECDHE. If you prefer or must use RSA+ECDHE, then the best symmetric cipher that would work for 2012R2 as a client is AES-CBC.

The SSLLabs scan also confirms this behavior - it is unable to negotiate a handshake on "IE 11 / Win 8.1" for this site - which is basically just the client SKU of 2012R2.

The best solution is to move to a new version of Windows Server.

@HarelM

HarelM commented Jun 18, 2020

Nope, this is another issue not related to this one. I have deleted my not relevant comment...

@karelz karelz added this to the 5.0.0 milestone Aug 18, 2020
@wfurt
Member

wfurt commented Sep 11, 2020

On Windows, TLS 1.3 currently works only in 5.0 preview builds @JudahGabriel. I think it is up to the server owner to decide security policy. Forcing only 1.3 certainly decreases interop. On Windows, TLS 1.3 requires the use of a new(ish) API and that is only on recent builds. Also the versions where TLS 1.3 is supported are somewhat limited (there were some early versions guarded by an opt-in registry key).

@JudahGabriel

JudahGabriel commented Sep 17, 2020

Thanks. It turns out the issue was that the site was using CloudFlare, and the owner of the site changed his CloudFlare settings to only serve TLS 1.3. Serving an earlier version fixed his issue.

@ghost ghost locked as resolved and limited conversation to collaborators Dec 10, 2020