
A minimal, replicable working example under .NET 4.6.1,

```csharp
// Restrict the process-wide protocol set to TLS 1.2, then request the page.
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
WebRequest.Create("https://ir.netflix.com/").GetResponse();
```

produces the following WebException,

The request was aborted: Could not create SSL/TLS secure channel.

Just visiting the page myself, running `openssl s_client -connect ir.netflix.com:443 -tls1_2`, or going over the SSL Labs analysis summary suggests that the server is running proper TLS 1.2. HttpWebRequest does seem to work for TLS 1.2 some of the time (as suggested here),

```csharp
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
WebRequest.Create("https://www.ssllabs.com:10303").GetResponse();
```

Disabling certificate validation using ServerCertificateValidationCallback (either globally or local to the request object) never invokes the callback; I suppose it never reaches this far,

```csharp
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
// Global callback that accepts any certificate.
ServicePointManager.ServerCertificateValidationCallback =
    (sender, cert, chain, sslPolicyErrors) => true;

HttpWebRequest request = WebRequest.Create("https://ir.netflix.com/") as HttpWebRequest;
// The same accept-all callback, set on the request object only.
request.ServerCertificateValidationCallback =
    (sender, cert, chain, sslPolicyErrors) => true;
request.GetResponse();
```

Update: Going over the Wireshark dumps suggests common signature hash algorithms (SHA256 with RSA, SHA1 with RSA), and a common cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a). Besides the initial two "Client Hello" and "Server Hello, Certificate, Server Hello Done" packets, no further contact is made from the client.

Question: What could be the cause for this failure? Is there a way to access more debug information for the HttpWebRequest object?

(Disabling TLS 1.2 like this,

```csharp
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls
                                     | SecurityProtocolType.Tls11;
WebRequest.Create("https://ir.netflix.com/").GetResponse();
```

works, but is suboptimal, as it disables TLS 1.2 globally. There doesn't seem to be a setting that only disables TLS 1.2 for a single HttpWebRequest.)

sshine
  • You will have to capture packets using Wireshark and then analyze the TLS handshakes. Only that can indicate why the connection is refused. – Lex Li Jul 13 '16 at 12:39
  • @LexLi: I'm not an expert at analysing [these dumps](https://gist.github.com/sshine/b534f45b50514abbd4cc99855e58811a), but it seems that there are common denominators in cipher suites and signature hashing algorithms. Is there a way to debug the HttpWebRequest object further? Any chance this has to do with root certificates? – sshine Jul 13 '16 at 13:20
  • As Wireshark is so famous and its design is so simple, you can easily make yourself a master, by following great guides such as https://wiki.wireshark.org/SSL (tons of others on Google). – Lex Li Jul 13 '16 at 13:25
  • Did you ever find a resolution? I'm experiencing the same issue. – dmeglio Jul 26 '17 at 19:21
  • Were you able to find a solution? I am facing the same issue. – kirushan Aug 23 '17 at 08:21
  • Hi, did you find a solution? – CABascourt Sep 07 '18 at 18:32
  • I didn't find a solution, and I'm not currently investigating. – sshine Sep 07 '18 at 22:08
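
The question asks for more debug information than the WebException gives, and notes that HttpWebRequest has no per-request protocol setting. As an added example (not code from the question or its comments), this sketch uses SslStream, which takes the protocol per connection, to run one handshake per TLS version and print either the negotiated parameters or the inner exception chain; `TlsProbe` and `Probe` are hypothetical names.

```csharp
// Added diagnostic sketch, not code from the question. TlsProbe and Probe are hypothetical names.
using System;
using System.ComponentModel;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

static class TlsProbe
{
    // Runs one handshake restricted to a single protocol version and reports the outcome.
    static string Probe(string host, int port, SslProtocols protocol)
    {
        bool callbackReached = false;
        SslPolicyErrors policyErrors = SslPolicyErrors.None;
        try
        {
            using (var tcp = new TcpClient(host, port))
            using (var ssl = new SslStream(tcp.GetStream(), false,
                (sender, cert, chain, errors) =>
                {   // Record what validation saw, but keep normal validation in force.
                    callbackReached = true;
                    policyErrors = errors;
                    return errors == SslPolicyErrors.None;
                }))
            {
                // The protocol is chosen for this connection only, not process-wide.
                ssl.AuthenticateAsClient(host, null, protocol, false);
                return string.Format("{0}: OK, negotiated {1}, cipher {2} ({3} bit), hash {4}, key exchange {5}",
                    protocol, ssl.SslProtocol, ssl.CipherAlgorithm, ssl.CipherStrength,
                    ssl.HashAlgorithm, ssl.KeyExchangeAlgorithm);
            }
        }
        catch (Exception ex)
        {
            // Walk the inner exceptions; when present, a Win32Exception carries the native SSPI status code.
            string detail = "";
            for (Exception e = ex; e != null; e = e.InnerException)
            {
                var win32 = e as Win32Exception;
                detail += " <- " + e.GetType().Name + ": " + e.Message
                    + (win32 != null ? " (native 0x" + win32.NativeErrorCode.ToString("X8") + ")" : "");
            }
            return string.Format("{0}: FAILED, callback reached={1}, policy errors={2}{3}",
                protocol, callbackReached, policyErrors, detail);
        }
    }

    static void Main()
    {
        foreach (var p in new[] { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 })
            Console.WriteLine(Probe("ir.netflix.com", 443, p));
    }
}
```

A failure with `callback reached=False` means the handshake stopped before certificate validation, which matches the observation in the question that the validation callback is never invoked.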

0 Answers