
We have a .Net 4 application which makes an https request to a third party server running Lotus-Domino. We are using the System.Net.WebRequest to make the request. When ServicePointManager.SecurityProtocol is set to the default, i.e. Tls | Ssl3, then the request fails. Specifically WebRequest.GetResponse throws the exception: WebException: "The request was aborted: Could not create SSL/TLS secure channel."

The code is as simple as this:

```csharp
WebRequest request = WebRequest.Create("https://SOMEURLHERE");

using (HttpWebResponse response = (HttpWebResponse) request.GetResponse())
{
    using (StreamReader responseReader = new StreamReader(response.GetResponseStream()))
    {
        string responseTest = responseReader.ReadToEnd();
    }
}
```

Changing ServicePointManager.SecurityProtocol to Ssl3 allows the request to succeed. Using this as a fix presents some challenges. ServicePointManager.SecurityProtocol is static, therefore changing it will change all requests in the application. This is something we don't want to do. Changing it and then resetting it back to the default after the request is undesirable because our application makes http requests from multiple threads; introducing a lock would effectively force us to run single threaded for the duration of a possibly lengthy web service call.

The third party Lotus-Domino server can't support TLS.

I have looked at the requests/responses in Wireshark; however, I am not familiar with the protocols, therefore I can't see anything meaningful to me.

Not validating the certificate does not fix the problem, e.g. ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

I do see this response from the server: "SSLv3 Record Layer: Alert (Level: Fatal, Description: Close Notify)"

  1. Is there a way we can set the SecurityProtocol to Ssl3 for a single request?
  2. Is there something else we can do when SecurityProtocol = Tls | Ssl3 to allow the request to work?
  3. Is there something I could tell our third party, running a Lotus-Domino server, to perhaps address the connectivity issue on their side?
benwall
  • No code, no request/response sample, no link to some *real* server to test. How do you think we can help you blindly? – I4V Sep 20 '13 at 19:25
  • @I4V Please advise me on what else would be useful. I added the code. It's very simple. I have a lot of request/response data in Wireshark. Is there something particular I should post? If you had access and could see the server, what would you test? – benwall Sep 20 '13 at 19:51
  • As you said it's a 3rd party's server, I understand that this is not under your control. But just for the record I want to point out that the current version of Lotus Domino does support integration with an IBM HTTP server module that provides TLS connections. Info can be found in IBM doc here: http://www-12.lotus.com/ldd/doc/domino_notes/9.0/help9_admin.nsf/855dc7fcfd5fec9a85256b870069c0ab/caa25dc9fd95076b85257b19005b3894 – Richard Schwartz Sep 20 '13 at 23:10
  • Question: are you sure that the issue isn't simply that the 3rd party's Domino server has a certificate that you can't validate? It seems to me that if delegate {return true} is working around the problem, that's probably your real issue. – Richard Schwartz Sep 20 '13 at 23:15
  • Richard, I made a typo responding to a previous suggestion. ServerCertificateValidationCallback to return true does **not** fix the problem. – benwall Sep 22 '13 at 04:21
  • possible duplicate of [Set the SecurityProtocol (Ssl3 or TLS) on the .net HttpWebRequest per request](http://stackoverflow.com/questions/3791629/set-the-securityprotocol-ssl3-or-tls-on-the-net-httpwebrequest-per-request) – stack247 Sep 28 '15 at 19:13

0 Answers