.Net 4: Could not create SSL/TLS secure channel

Hello,

From my Windows 7 machine, a .NET 4/4.5/4.7 framework WebClient call to my website throws an error:
The request was aborted: Could not create SSL/TLS secure channel

From what I understand from looking at various posts, it's because of a mismatch between the cipher suites supported on the server and on my machine.

I ran the following scan to identify which ciphers are supported by the server:
https://www.ssllabs.com/ssltest/analyze.html?d=www.abc-roster.com&hideResults=on

None of the 3 TLS 1.2 ciphers match the ones supported on my machine
(located in the Windows registry under
HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002):

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_NULL_SHA
SSL_CK_RC4_128_WITH_MD5
SSL_CK_DES_192_EDE3_CBC_WITH_MD5

Question: How do I generate a Let's Encrypt certificate which will work on most machines? In DirectAdmin, I can only choose the key size and certificate type.

Thank you

My domain is: www.abc-roster.com

I ran this command:

```csharp
ServicePointManager.Expect100Continue = true;
// Pin the client to TLS 1.2, the highest version .NET 4.x on Windows 7 offers
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

// CreateWebClient(), webClient_OpenReadCompleted and callback are defined elsewhere in the app
System.Net.WebClient webClient = CreateWebClient();
webClient.OpenReadCompleted += webClient_OpenReadCompleted;
webClient.OpenReadAsync(new Uri("http://abc-roster.com/test"), callback);
```

It produced this output:

System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.

My web server is (include version): Apache

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: x10hosting.com

I can login to a root shell on my machine: no

I'm using a control panel to manage my site: Direct Admin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

The cipher suites used are not determined by the certificate, except perhaps the RSA versus ECDSA part in the TLS 1.2 and older suites.

1 Like

Hi @davidb001

you have to install / allow more cipher suites.

Your configuration is too restrictive.

RSA + older Windows -> CBC is required.

Or switch to an EC certificate (that's what I use - see check-your-website.server-daten.de and check the cipher suites).

Windows has some EC GCM cipher suites.

1 Like

Thank you for your quick reply @Osiris @JuergenAuer. I am using a web hosting provider, so I do not have control over anything to install ciphers. The only thing I can change is the kind of Let's Encrypt certificate (SHA1/SHA256, along with key size).

Does it mean I have to look for a new hosting provider with more cipher suites supported?

Thanks

1 Like

Please read more carefully:

Currently, you're using an RSA certificate, which limits your TLS 1.2 cipher suites to TLS_..._RSA_... variants. Now, if you'd generate an ECDSA certificate... You do the math :wink:

It's funny by the way how very different the website of your hosting provider itself is configured:

https://www.ssllabs.com/ssltest/analyze.html?d=x10hosting.com&latest

2 Likes
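The two replies above (JuergenAuer's "RSA + older Windows -> CBC is required" and Osiris's point that the certificate key type decides which TLS_..._RSA_... or TLS_..._ECDSA_... suites are even eligible) can be checked mechanically against the Windows 7 suite list from the question. The example below is added here and is not code from the thread; it parses Schannel suite names and filters them by certificate type, against an assumed server policy (ECDHE plus AEAD only, which is what a "locked down" TLS 1.2 server typically enforces; the real server's list is not on this page).

```python
import re
from dataclasses import dataclass

# Constructed subset of the Windows 7 Schannel list quoted in the question.
WIN7_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_CK_RC4_128_WITH_MD5",
]

# Schannel names: TLS_[<kx>_]<auth>_WITH_<cipher>_<hash>[_P<curve>]; no <kx> means static RSA.
SUITE_RE = re.compile(
    r"^TLS_(?:(?P<kx>ECDHE|DHE)_)?(?P<auth>RSA|ECDSA|DSS)_WITH_"
    r"(?P<cipher>.+?)_(?P<hash>SHA384|SHA256|SHA|MD5)(?:_P(?P<curve>\d+))?$"
)

@dataclass(frozen=True)
class Suite:
    name: str
    kx: str      # ECDHE, DHE, or RSA (static RSA key transport, no forward secrecy)
    auth: str    # certificate key type the suite needs: RSA, ECDSA or DSS
    cipher: str  # e.g. AES_128_GCM, AES_256_CBC, 3DES_EDE_CBC

def parse_suite(name):
    m = SUITE_RE.match(name)
    if m is None:
        return None  # SSL_CK_* are SSLv2-era names, never used for TLS 1.2
    return Suite(name, m.group("kx") or "RSA", m.group("auth"), m.group("cipher"))

def negotiable(client_suites, cert_type, require_ecdhe=True, require_aead=True):
    """Client-offered suites the server could pick, given its certificate key type
    and the assumed server policy (defaults model an ECDHE + AEAD only server)."""
    chosen = []
    for name in client_suites:
        s = parse_suite(name)
        if s is None or s.auth != cert_type:
            continue  # an RSA cert cannot authenticate an ECDHE_ECDSA handshake, and vice versa
        if require_ecdhe and s.kx != "ECDHE":
            continue
        if require_aead and not s.cipher.endswith("GCM"):
            continue
        chosen.append(name)
    return chosen
```

With an RSA certificate the ECDHE_RSA suites Windows 7 offers are all CBC, so an ECDHE + AEAD server has nothing to pick; with an ECDSA certificate the three ECDHE_ECDSA GCM suites match.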

It's your webserver configuration you have to change, not your client configuration.

Your webserver is a Litespeed + PHP. So if it's Linux, you should be able to create an EC certificate.

1 Like

Ok, but the thing is I do not know how to change the certificate type from RSA to ECDSA from Direct Admin. Or do I misunderstand what you are saying?

Indeed, my provider seems to have a lot more cipher suites enabled...

Well, I don't even know if DirectAdmin is able to issue ECDSA certificates... All I know is that it's technically possible with Let's Encrypt :slight_smile:

If you're that limited by your hosting provider, you might be better off asking them how to fix this.

1 Like

I'm not sure if I have access to tools to generate certificates; I'll check with my hosting provider. Thank you @JuergenAuer and @Osiris

1 Like

It's probably not relevant, but your initial code sample only tries to use http; you then have an automatic redirect to your (non-www) domain. If you initially didn't have all the alternative domain variants in your certificate, then your request to the redirect would fail because the hostname wouldn't match the cert.

You should also try a more permissive client connection:

```csharp
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
```

1 Like

Hello @webprofusion ,

Sorry, my actual code connects to https, but I made a mistake while typing the post.

And I've already tried the piece of code you indicated (it did not work), but I do not think it's relevant anyway, since on the server end only TLS 1.2 and 1.3 are supported (and .NET 4.0-4.7 only support TLS 1.0, 1.1 and 1.2).

The main problem is that Windows 7 is too old to support current TLS standards, but you should maybe check Stack Overflow instead.

.NET 4.7 supports whatever the OS supports even if you don't specify it in code: https://devblogs.microsoft.com/premier-developer/microsoft-tls-1-3-support-reference/

Your server supports TLS 1.3 or 1.2 with EC certs, which is pretty locked down really. You could proxy through something else if you had to.

I already had a look at Stack Overflow before posting, hence how I found that the problem was a mismatch between the supported ciphers client/server side. The problem is that I am distributing a .NET app that must also support Windows 7, as not everyone has migrated to Windows 10. So from what I understand here, either I can proxy the server as you suggested, or get another certificate of ECDSA type.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.