-
Notifications
You must be signed in to change notification settings - Fork 4.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
system.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception in windows IIS server #33708
Comments
This error is typical when there is a TLS handshake error with HTTPS in Windows. A common cause of this is when the client and server are unable to negotiate a cipher suite. A way to diagnose this is to look at the list of cipher suites supported by Windows. This can vary by Windows operating system, patches installed, and exact configuration. Use this list for the client, that is, where the program is running. The next step is to compare that list to the cipher suites supported by the server, or that HTTPS URL your program is connecting to. If that server is publicly available on the internet, you can use something like https://www.ssllabs.com/ssltest/ to "scan" the server and get a list of supported cipher suites. If the lists have no cipher suite in common, then this kind of error will occur. /cc @wfurt |
What versions of OS and .NET do you use? The linked post has ServicePointManager. That does not do anything on .NET Core. If you use |
The server is Windows server 2012. This is not working on only this OS server. But this API is working fine on localhost and AWS(Windos 10 OS) server. |
Can you do packet capture? I think @vcsjones may be right that there is protocol or cipher mismatch e.g. server require something client cannot do. You would see that from Client & Server Hello. You can also look at https://support.microsoft.com/en-in/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi and make sure TLS1.2 is enabled. This become expected standard and many sites are cutting support for older versions. |
How to check TLS 1.2 is enabled or not ? |
You can check something like for server https://www.ssllabs.com/ssltest/ and https://browserleaks.com/ssl for client approximation. To see what Clint ism really sending Wireshark is certainly best. (the set may be different for various reasons) |
Are you sure ? This is the TLS 1.2 issue. And yes how to easily set or enable that on server. |
I don't understand your comment. If you do and post packet capture (https://www.wireshark.org/download.html) we would know for sure. It is hard to advise without seeing the actual cryptographic exchange. The link you posted show support all the way to (insecure) SSLv3 so it may not be. That is just guess. I also noticed that in linked post you claim .NET 2.0. That is long out of support with many bugs. If that is the case, give it try with 3.1. |
I am already tested with .NET core 3.1. That is give same error. |
did you get the packet capture @akashlimbani ? |
Triage: Needs more info to make progress. Closing for now, feel free to re-open if you can provide more details. |
I think I have the same issue. namespace HttpsTest.Controllers
{
[ApiController]
[Route("test")]
public class WeatherForecastController : ControllerBase
{
private readonly IHttpClientFactory _factory;
public WeatherForecastController(IHttpClientFactory factory)
{
_factory = factory;
}
[HttpGet]
public async Task<string> Get()
{
var client = _factory.CreateClient();
var response = await client.GetAsync("https://ibt.org.il/images/gpsfiles/masada-neve_zohar.gpx");
return await response.Content.ReadAsStringAsync();
}
}
} When running on my machine (win 10) everything is working as expected. The following is the error I'm getting in the console of the web api process:
Let me know if there's anything I can do to help with this. it is driving me crazy... :-( |
can you post Wireshark packet captures for both cases @HarelM. Is your 2012 machine capable of negotiating TLS 1.2? It seems like that is only thing ibt.org.il will allow. https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2 |
wow, thanks for the super quick response! |
The problem is that Fiddler sometimes has impact on the behavior so I tend not to trust it complete. Also the request can indicate other versions client is willing to talk besides the one in ClientHello header. Quick search did not give me definitive answer but it is possible that Firefox and Chrome may have their own TLS implementation and therefore be independent of OS setting. Can you connect with IE/Edge? |
I took another look and it seems like that particular site really only supports 3 particular suites:
That is not on list of OS supported ciphers for Windows 2012 server or Windows 8.1 I think @vcsjones hit something similar but I don't know if there is any solution. (besides running on top of OpenSSL or other crypto stack) .NET depends on Schannel and OS capabilities. |
Yeah. This is exactly what I hit. SChannel on 2012 / 2012R2 curiously cannot do RSA + ECDHE + AES-GCM (nor CHACHA). The solution for us was to move to Windows Server 2019, but 2016 would work as well. If you have any influence on the server's supported cipher suites, you can still use AES-GCM with RSA+DHE, and ECDSA+ECDHE. If you prefer/must using RSA+ECDHE, then the best symmetric cipher that would work for 2012R2 as a client is AES-CBC. The SSLLabs scan also confirms this behavior - it is unable to negotiate a handshake on "IE 11 / Win 8.1" for this site - which is basically just the client SKU of 2012R2. The best solution is to move to a new version of Windows Server. |
Nope, this is another issue not related to this one. I have deleted my not relevant comment... |
On Windows, TLS13 currently works only in 5.0 preview builds @JudahGabriel. I think it is up to the server owner to decide security policy. Forcing only 1.3 certainly decrease Interop. On Windows, TLS 1.3 requires to use new(ish) API and that is only on recent builds. Also versions where TLS1.3 is supposed are somewhat limited. (there were some early versions guarded by opt-in registry key) |
Thanks. It turns out the issue was that the site was using CloudFlare, and the owner of the site changed his CloudFlare settings to only serve TLS 1.3. Serving an earlier version fixed his issue. |
The text was updated successfully, but these errors were encountered: