0

Sometimes we receive the error "The request was aborted: Could not create SSL/TLS secure channel.." I tried to investigate this issue, and the trace log I got for this is:

System.Net Information: 0 : [4356] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=**BufferNotEnough**).
System.Net Error: 0 : [4356] Exception in HttpWebRequest#37434592:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [4356] Exception in HttpWebRequest#37434592::EndGetRequestStream - The request was aborted: Could not create SSL/TLS secure channel..

What does BufferNotEnough mean in this case?

Thanks.

Juan Serrats
hifishka
  • Let me guess - unsupported .NET version (< 4.5.2) and the provider demands TLS1.2. TLS 1.2 was added in 4.5.2, the earliest supported version. If that's the case, you'll have to upgrade – Panagiotis Kanavos Mar 31 '17 at 14:29
  • What .NET runtime are you using? What type of SSL? TLS1.1? TLS1.2? Jan's answer may or may not apply to this – Panagiotis Kanavos Apr 03 '17 at 07:40

1 Answer

2

This seems to be a bug in HttpWebRequest in .NET 4.6.1 - see https://connect.microsoft.com/VisualStudio/feedback/details/2777134/tls-1-2-handshake-error

Jan V.
  • 106
  • 5
  • Not really - maybe in some limited scenario, for specific OS versions. It works OK for everyone else. A *lot* of providers started demanding TLS1.2 since 2015, which is supported in .NET 4.5.2 and later. A lot of people would have noticed if there was an actual problem – Panagiotis Kanavos Mar 31 '17 at 14:25
  • From my experience (with .Net 4.6.1 web app) even if we specify TLS 1.2, this issue still happens about 1% of the time when trying to connect to certain http servers. – Jan V. Apr 01 '17 at 18:02
  • This question [DHE_RSA Pubkey Length in TLS 1.2?](https://security.stackexchange.com/questions/104845/dhe-rsa-pubkey-length-in-tls-1-2) narrows the problem down to the SCHANNEL implementation. It's still risky to say this is the problem though, since the OP hasn't provided the runtime and TLS version. – Panagiotis Kanavos Apr 03 '17 at 07:39
  • Do you have an example of such servers? It would be interesting to check whether 4.6.2 solves the problem, if there are client-side workarounds – Panagiotis Kanavos Apr 03 '17 at 07:42
  • Yes I have examples. (I can share parts of our system.net diagnostics traces, if you want.) Our server is running Windows 2012 R2 and the troublesome receiving http server is running IIS 7.5 (according to the http headers we received) - which implies Windows 2008 server. FYI - here is a part of header I see in trace logs: access-control-allow-headers: content-type X-UA-Compatible: IE=IE8 Content-Length: 0 Cache-Control: private Date: Tue, 28 Mar 2017 14:35:01 GMT Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET – Jan V. Apr 04 '17 at 16:32
  • Note that sometimes I see the failure to create SSL/TLS secure channel is due to **MessageAltered**. This is at least what the system.net traces show: InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=**MessageAltered**). This error is being discussed at https://stackoverflow.com/questions/39633581/random-the-request-was-aborted-could-not-create-ssl-tls-secure-channel-returne – Jan V. Apr 04 '17 at 16:40
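
For triaging intermittent failures like the ones discussed in this thread, the following added example (not code from any of the posts above) tallies failed requests in a System.Net trace by the last `InitializeSecurityContext` return code logged on the same thread. It assumes the handshake call and the exception are logged under the same thread id, as in the question's trace; the sample lines for threads 5120 and 6000 and the function name are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the trace format quoted in the question.
# Thread 4356 mirrors the question; threads 5120 and 6000 are invented.
SAMPLE_TRACE = """\
System.Net Information: 0 : [4356] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=BufferNotEnough).
System.Net Error: 0 : [4356] Exception in HttpWebRequest#37434592:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [4356] Exception in HttpWebRequest#37434592::EndGetRequestStream - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Information: 0 : [5120] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=MessageAltered).
System.Net Error: 0 : [5120] Exception in HttpWebRequest#11111111:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Information: 0 : [6000] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=OK).
"""

# Thread id and return code of each InitializeSecurityContext trace line.
# The optional asterisks tolerate markdown bold added when a trace is pasted.
ISC_RE = re.compile(r"\[(\d+)\] InitializeSecurityContext\(.*returned code=\**(\w+)")
# Thread id and request id of each secure-channel failure.
ERR_RE = re.compile(
    r"\[(\d+)\] Exception in HttpWebRequest#(\d+)::.*"
    r"Could not create SSL/TLS secure channel"
)


def tally_handshake_failures(trace_text):
    """Count failed requests per last handshake return code on their thread."""
    last_code = {}   # thread id -> most recent InitializeSecurityContext code
    seen = set()     # request ids already counted (each one logs several errors)
    counts = Counter()
    for line in trace_text.splitlines():
        m = ISC_RE.search(line)
        if m:
            last_code[m.group(1)] = m.group(2)
            continue
        m = ERR_RE.search(line)
        if m and m.group(2) not in seen:
            seen.add(m.group(2))
            counts[last_code.get(m.group(1), "unknown")] += 1
    return counts


if __name__ == "__main__":
    for code, n in tally_handshake_failures(SAMPLE_TRACE).most_common():
        print(f"{code}: {n} failed request(s)")
```

Running this over a full trace from the affected client shows whether the failures cluster on one return code or split between several, which is the distinction the comments above are trying to draw.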