HttpWebResponse: Could not create SSL/TLS secure channel

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.perera.dk/webmail.perera.dk

I ran this command: HttpWebRequest

It produced this output: The request was aborted: Could not create SSL/TLS secure channel.

My web server is (include version): Ubuntu 14.04.5

The operating system my web server runs on is (include version): Ubuntu 14.04.5

My hosting provider, if applicable, is: Me

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no, I'm using SSH

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): /opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible.
utils.PersistentlyDeprecated2018,
certbot 1.2.0

Hi,
I did something while trying to update the server, but I'm not sure what exactly I did that made this mess.

I have another server (Win) with some homemade software that checks if my sites are online and alive.
Basically I do this (C#):
// requires: using System.Net;
HttpWebRequest webRequest = (HttpWebRequest)WebRequest.Create(url);
HttpWebResponse response = null;
try
{
    // A failed TLS handshake or a non-success HTTP status both surface as a WebException here
    response = (HttpWebResponse)webRequest.GetResponse();
}
catch (WebException we)
{
    // send mail with failing url (we.Message carries the "Could not create SSL/TLS secure channel" text)
}
finally
{
    // release the connection so repeated checks don't exhaust the connection pool
    if (response != null) response.Close();
}

For the domains that I have renewed since the problem started I get an error from the HttpWebRequest, but not for domains that were renewed before.
mail.perera.dk fails but webmail.perera.dk is fine.
Both domains pass with bravura on online SSL checkers.

The error is most likely (99%) because my software is not able to determine what SSL/TLS version it shall agree on with the server, so I don't think there is anything wrong with LE. However, I think there is a setting or something I have messed up. Could someone please help me fix what I have messed up so that I can keep on checking if my domains are alive?

Thanks in advance
Trumf


Hi @Trumf

Checking your two domains, there is the expected result.

The first - https://check-your-website.server-daten.de/?q=mail.perera.dk#connections

Tls.1.0 and 1.1 are deactivated.

The second - https://check-your-website.server-daten.de/?q=webmail.perera.dk#connections

Tls.1.0 and 1.1 are active.

But if your machine with the running HttpWebRequest isn't new, .NET uses Tls.1.0.

First domain -> doesn't work. Second -> works.

Add something like

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

so your code uses Tls.1.2 to connect.

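To make the diagnosis above repeatable, here is an added example (not code from the original thread) that does two things: it probes a host with one TLS version at a time over SslStream and reports which versions the server accepts, which is exactly the difference the check-your-website results show between the two domains; then it applies the SecurityProtocol fix in C# syntax and runs the same HttpWebRequest the alive checker uses, printing the innermost exception so a handshake failure is not hidden behind the generic "Could not create SSL/TLS secure channel" message. The host name defaults to the domain from the thread but is taken from the command line; the probe loop, the TryHandshake helper and the port 443 assumption are mine. It targets .NET Framework 4.5 or later on Windows, since older frameworks do not know SecurityProtocolType.Tls12.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

class TlsAliveCheck
{
    // Added helper: open a raw TLS connection offering only the given protocol version
    // and report whether the server accepts it and what was actually negotiated.
    static bool TryHandshake(string host, SslProtocols protocol, out SslProtocols negotiated)
    {
        negotiated = SslProtocols.None;
        try
        {
            using (var tcp = new TcpClient(host, 443)) // assumption: HTTPS on the default port
            using (var ssl = new SslStream(tcp.GetStream(), false))
            {
                // validate the chain and check revocation, as HttpWebRequest would
                ssl.AuthenticateAsClient(host, null, protocol, true);
                negotiated = ssl.SslProtocol;
                return true;
            }
        }
        catch (Exception ex) when (ex is AuthenticationException || ex is IOException || ex is SocketException)
        {
            // AuthenticationException: server refused this version or the certificate failed validation
            // IOException/SocketException: connection dropped mid-handshake or unreachable host
            return false;
        }
    }

    static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "mail.perera.dk";

        // 1. Diagnostic: which TLS versions does the server accept?
        //    A server with "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1" rejects the first two.
        foreach (var p in new[] { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 })
        {
            SslProtocols got;
            bool ok = TryHandshake(host, p, out got);
            Console.WriteLine("{0,-6} {1}", p, ok ? "accepted (negotiated " + got + ")" : "rejected");
        }

        // 2. The fix from the thread: opt the client into TLS 1.2 before the first request,
        //    because the default on older .NET Framework builds is TLS 1.0 only.
        ServicePointManager.SecurityProtocol =
            SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

        var webRequest = (HttpWebRequest)WebRequest.Create("https://" + host + "/");
        try
        {
            using (var response = (HttpWebResponse)webRequest.GetResponse())
            {
                Console.WriteLine("HTTP {0} from {1}", (int)response.StatusCode, host);
            }
        }
        catch (WebException we)
        {
            // The outer message is the generic "Could not create SSL/TLS secure channel";
            // the innermost exception names the real cause (protocol mismatch, bad chain, ...).
            Console.WriteLine("Request failed: {0}", we.Message);
            Exception inner = we;
            while (inner.InnerException != null) inner = inner.InnerException;
            if (inner != we) Console.WriteLine("Root cause: {0}", inner.Message);
        }
    }
}
```

If step 1 shows TLS 1.2 "rejected" for every host, including ones that online checkers report as fine, the problem is on the client machine (its SChannel stack does not offer TLS 1.2), and no SecurityProtocol value will help; that is the case where the registry-side change mentioned later in this thread applies. If step 1 shows TLS 1.2 accepted but step 2 still fails, check that the SecurityProtocol assignment runs before any request is issued by the process, since it only affects connections created after it is set.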

Hi JuergenAuer

You are brilliant 🙂

Now that I know the problem I can concentrate on the solution. But first I would like to know:
Will there be someone (important) out there that is not up to TLS 1.2 and won’t be able to send mail to my domains that have 1.0 and 1.1 disabled?
Where do I enable 1.0 and 1.1?
What is the recommendation to have enabled/disabled?

In /etc/letsencrypt/options-ssl-apache.conf i have:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
But it seems there is some domain specific rules that override this somewhere.

As for the solution to get my alive checker to work: I have tried all possibilities with ServicePointManager.SecurityProtocol, but that didn’t help, so there must be some other .NET “setting” that has to be set…
I read somewhere that it is best not to set ServicePointManager.SecurityProtocol and let .NET and the server find out what to use.

Thanks a lot so far. I have really been worried that i was missing out on some mails and this is a production server.

/Trumf

That's correct, but then you have to change your client configuration with a Registry entry.

Check Microsoft, there are a lot of documents with that topic and the problems.

@JuergenAuer

I have tried to replace “SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1” with “SSLProtocol all” in /etc/letsencrypt/options-ssl-apache.conf, which should solve the problem temporarily, but nothing changes. Same error!
I know this is stupid and I have changed it back. It was just for a test.

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol all
#SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite …removed…
SSLHonorCipherOrder off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
