
I have a .NET application that invokes a SOAP web service. It has been working for years, but it stopped working a few days ago after a Windows (Server 2012 R2) security update (there are many and I don't know which one). Microsoft has published some articles about the issue, but none of the described workarounds worked:

https://support.microsoft.com/en-us/help/3155464/ms16-065-description-of-the-tls-ssl-protocol-information-disclosure-vu

https://support.microsoft.com/en-us/help/3069494/cannot-connect-to-a-server-by-using-the-servicepointmanager-or-sslstre

The service that I'm invoking is using SSL3/TLS1.0 and the provider can't/won't upgrade it to TLS1.2. I also tested my application on an old Windows 2008 R2 machine that has no .NET 4 updates, and it worked as it did before.

My code:

using System;
using System.IO;
using System.Net;
using System.Text;

static void CallService()
{
    string url = "https://weblogic_server:7070/app/Service";
    string text = "<soapenv:Envelope>...</soapenv:Envelope>";
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
    // Accepts every server certificate, i.e. disables certificate validation for the whole process.
    ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, error) =>
    {
        return true;
    };
    // Only offer TLS 1.0 and SSL 3.0, the versions the provider's server speaks.
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Ssl3;
    //ServicePointManager.Expect100Continue = false; // did nothing good
    //ServicePointManager.UseNagleAlgorithm = false; // did nothing good
    // UTF-8 matches the declared content type; the same bytes are sent, so Content-Length stays exact.
    byte[] bytes = Encoding.UTF8.GetBytes(text);
    request.ContentType = "text/xml; encoding='utf-8'";
    request.Timeout = 1000000000;
    request.ContentLength = bytes.Length;
    request.KeepAlive = true;
    request.Method = "POST";
    using (Stream stm = request.GetRequestStream()) // Exception (thrown during the TLS handshake)
    {
        stm.Write(bytes, 0, bytes.Length);
    }
    // GetResponse() is called once; the response object owns the stream that is read below.
    using (HttpWebResponse resp = (HttpWebResponse)request.GetResponse())
    using (StreamReader responseReader = new StreamReader(resp.GetResponseStream()))
    {
        string resultText = responseReader.ReadToEnd();
        Console.WriteLine(resp.StatusCode);
        Console.WriteLine(resultText);
    }
}

The exception is:

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: The handshake failed due to an unexpected packet format.
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
   at System.Net.HttpWebRequest.GetRequestStream()

My questions are:
- Is there any other way/workaround to get this invocation to work, other than what's described in the articles?
- The code works fine under .NET 2.0, and under .NET 4.0 where it is not updated to .NET 4.6. Is there a way to force the application to use a specific old System.dll (copied from a Windows 2008 R2 machine)? I tried to add it as a reference manually, but the CLR always uses the one from the GAC.
- Is it possible to overload HttpWebRequest and somehow force it to use SSL3?

Thanks.

Fourat
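A handshake probe to narrow down where the failure sits, added here as an example and not part of the question or its comments: it drives SslStream directly, so SChannel's protocol support on the client is tested without HttpWebRequest or ServicePointManager in the way, and it reports certificate problems instead of accepting every certificate. The host and port are assumed from the URL in the question.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Tries one TLS/SSL version at a time against the endpoint and prints what each
// handshake negotiates, or why it failed. A version that fails here fails because
// the client OS or the server refuses it, independently of HttpWebRequest.
static class TlsProbe
{
    static void Main()
    {
        // Assumed endpoint (taken from the URL in the question).
        string host = "weblogic_server";
        int port = 7070;

        foreach (SslProtocols proto in new[] { SslProtocols.Tls12, SslProtocols.Tls11, SslProtocols.Tls, SslProtocols.Ssl3 })
        {
            Console.WriteLine("{0,-6}: {1}", proto, Probe(host, port, proto));
        }
    }

    // Opens a TCP connection and performs the handshake with exactly one protocol version offered.
    static string Probe(string host, int port, SslProtocols proto)
    {
        try
        {
            using (var tcp = new TcpClient(host, port))
            using (var ssl = new SslStream(tcp.GetStream(), false, ValidateCertificate))
            {
                ssl.AuthenticateAsClient(host, null, proto, false);
                return string.Format("negotiated {0}, cipher {1} ({2}-bit), hash {3}",
                    ssl.SslProtocol, ssl.CipherAlgorithm, ssl.CipherStrength, ssl.HashAlgorithm);
            }
        }
        catch (Exception ex) // AuthenticationException, IOException or SocketException, depending on the layer that refused
        {
            return ex.GetType().Name + ": " + ex.Message;
        }
    }

    // Reports validation problems and rejects the certificate when there are any,
    // unlike a callback that returns true unconditionally.
    static bool ValidateCertificate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None)
            Console.WriteLine("  certificate problem: {0} (subject: {1})", errors, cert == null ? "(none)" : cert.Subject);
        return errors == SslPolicyErrors.None;
    }
}
```

Run it on the patched Windows 2012 R2 host and on the unpatched 2008 R2 host; a version that negotiates on one and fails with a handshake error on the other points at the client-side SChannel policy rather than at the application code.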
  • maybe silly but won't `servicepointmanager.securityprotocol = securityprotocoltype.tls12` solve the problem – Seabizkit Aug 24 '18 at 07:59
  • @Seabizkit it didn't :/ – Fourat Aug 24 '18 at 08:26
  • What is your project target framework? – Seabizkit Aug 24 '18 at 08:29
  • this may help a ton... please read all of it https://stackoverflow.com/questions/28286086/default-securityprotocol-in-net-4-5 – Seabizkit Aug 24 '18 at 08:35
  • @Seabizkit my client's production was stopped for 5 days because of this, so trust me when I tell you I tried it all (and sure, I read that question and all of the answers). Most of the answers in that topic were written in 2015 and 2016. The system update that affected my solution was out in 2017 (a few months after WannaCry). Also, the web service provider I was dealing with wouldn't change their security protocol to TLS 1.2, and we were stuck with SSL3. So the only solution is to find a way to invoke that SOAP WS with SSL3 from a machine that uses the latest Windows updates, and no luck since then. – Fourat Aug 24 '18 at 08:59
  • leaving the default and adding additional allowed ones should solve it... but if you say it's not, then contacting MS is your only option. – Seabizkit Aug 24 '18 at 09:01
  • So basically you're saying that you have enabled all protocols as a test and it doesn't work? – Seabizkit Aug 24 '18 at 09:04
  • @Seabizkit yes, even after I enabled all protocols it didn't solve it (you can reproduce it if you have free time)... and we contacted MS in France and their answer was to ask us to move away from SSL. The workaround now is that they installed a Linux VM with a Java program that is used as a proxy/mirror. – Fourat Aug 24 '18 at 09:05
