
Please read the full text below. I tried all usual solutions to this problem.

So, my .Net 4.5 app running successfully has been fetching data from a url for a good amount of time. But it suddenly started failing with the above cited error:

HttpWebRequest#687191::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..

Here's the sample C# code with which I was able to reproduce the error:

    using System;
    using System.IO;
    using System.Net;
    using System.Text;

    class Program
    {
        static void Main()
        {
            ServicePointManager.Expect100Continue = true;
            // Offer TLS 1.0, 1.1 and 1.2 (the .NET 4.5 default is SSL 3.0 / TLS 1.0 only).
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11;
            ServicePointManager.DefaultConnectionLimit = 9999;

            // Accept every server certificate, to rule out certificate validation as the cause.
            // (The callback is never reached: the handshake fails before the certificate is checked.)
            ServicePointManager.ServerCertificateValidationCallback =
                (sender, certificate, chain, sslPolicyErrors) => true;

            // HTTP Basic credentials: base64("username:password")
            var authHeaderValue = Convert.ToBase64String(Encoding.UTF8.GetBytes(string.Format("{0}:{1}", "username", "password")));

            var request = (HttpWebRequest) WebRequest.Create("url-here");
            request.Method = "GET";
            request.Headers.Add("Authorization: Basic " + authHeaderValue);

            // GetResponse() is where the TLS handshake happens and the exception is thrown.
            using (HttpWebResponse response = (HttpWebResponse) request.GetResponse())
            using (Stream dataStream = response.GetResponseStream())
            using (StreamReader reader = new StreamReader(dataStream))
            {
                var s = reader.ReadToEnd();
                Console.WriteLine(s);
            }
        }
    }

As you can see, all usual solutions of setting values on ServicePointManager / ignoring certificate errors have been tried above. I still get the error and the ServerCertificateValidationCallback is not even hit.

I used Fiddler with HTTPS decryption on and Fiddler gave me this error instead:

System.Security.Authentication.AuthenticationException : A call to SSPI failed, see inner exception. ----> System.ComponentModel.Win32Exception : The message received was unexpected or badly formatted

I went to Tracing (https://stackoverflow.com/a/12327881/12484) and here is the trace file output:

System.Net Information: 0 : [13160] Current OS installation type is 'Client'.
System.Net Verbose: 0 : [13160] WebRequest::Create(url-here)
System.Net Verbose: 0 : [13160] HttpWebRequest#687191::HttpWebRequest(url-here)
System.Net Information: 0 : [13160] RAS supported: True
System.Net Verbose: 0 : [13160] Exiting HttpWebRequest#687191::HttpWebRequest() 
System.Net Verbose: 0 : [13160] Exiting WebRequest::Create()    -> HttpWebRequest#687191
System.Net Verbose: 0 : [13160] HttpWebRequest#687191::GetResponse()
System.Net Verbose: 0 : [13160] ServicePoint#49385318::ServicePoint(domain-here:443)
System.Net Information: 0 : [13160] Associating HttpWebRequest#687191 with ServicePoint#49385318
System.Net Information: 0 : [13160] Associating Connection#7746814 with HttpWebRequest#687191
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Socket(AddressFamily#2)
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Socket() 
System.Net.Sockets Verbose: 0 : [13160] Socket#50934842::Socket(AddressFamily#23)
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#50934842::Socket() 
System.Net.Sockets Verbose: 0 : [13160] DNS::TryInternalResolve(domain-here)
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Connect(server-ip-here:443#1466373584)
System.Net.Sockets Information: 0 : [13160] Socket#13062350 - Created connection from client-ip-here:11043 to server-ip-here:443.
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Connect() 
System.Net.Sockets Verbose: 0 : [13160] Socket#50934842::Close()
System.Net.Sockets Verbose: 0 : [13160] Socket#50934842::Dispose()
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#50934842::Close() 
System.Net Information: 0 : [13160] Connection#7746814 - Created connection from client-ip-here:11043 to server-ip-here:443.
System.Net Information: 0 : [13160] TlsStream#10366524::.ctor(host=domain-here, #certs=0)
System.Net Information: 0 : [13160] Associating HttpWebRequest#687191 with ConnectStream#63840421
System.Net Information: 0 : [13160] HttpWebRequest#687191 - Request: GET relative-url-here HTTP/1.1

System.Net Information: 0 : [13160] ConnectStream#63840421 - Sending headers
{
Authorization: Basic credentials-here
Host: domain-here
Connection: Keep-Alive
}.
System.Net Information: 0 : [13160] SecureChannel#54246671::.ctor(hostname=domain-here, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [13160] Enumerating security packages:
System.Net Information: 0 : [13160]     Negotiate
System.Net Information: 0 : [13160]     NegoExtender
System.Net Information: 0 : [13160]     Kerberos
System.Net Information: 0 : [13160]     NTLM
System.Net Information: 0 : [13160]     Schannel
System.Net Information: 0 : [13160]     Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [13160]     WDigest
System.Net Information: 0 : [13160]     TSSSP
System.Net Information: 0 : [13160]     pku2u
System.Net Information: 0 : [13160]     CREDSSP
System.Net Information: 0 : [13160] SecureChannel#54246671 - Left with 0 client certificates to choose from.
System.Net Information: 0 : [13160] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [13160] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = domain-here, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [13160] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=184, returned code=ContinueNeeded).
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Send()
System.Net.Sockets Verbose: 0 : [13160] Data from Socket#13062350::Send
System.Net.Sockets Verbose: 0 : [13160] 00000000 : 16 03 03 00 B3 01 00 00-AF 03 03 5E D9 42 A7 54 : ...........^.B.T
System.Net.Sockets Verbose: 0 : [13160] 00000010 : CD 34 00 7C 31 C9 2F 75-E7 DE A6 9E E8 D7 B5 74 : .4.|1./u.......t
System.Net.Sockets Verbose: 0 : [13160] 00000020 : 3C CB 7E B3 84 D8 1A 22-69 79 B3 00 00 38 C0 28 : <.~...."iy...8.(
System.Net.Sockets Verbose: 0 : [13160] 00000030 : C0 27 C0 14 C0 13 00 9F-00 9E 00 39 00 33 00 9D : .'.........9.3..
System.Net.Sockets Verbose: 0 : [13160] 00000040 : 00 9C 00 3D 00 3C 00 35-00 2F C0 2C C0 2B C0 24 : ...=.<.5./.,.+.$
System.Net.Sockets Verbose: 0 : [13160] 00000050 : C0 23 C0 0A C0 09 00 6A-00 40 00 38 00 32 00 0A : .#.....j.@.8.2..
System.Net.Sockets Verbose: 0 : [13160] 00000060 : 00 13 00 05 00 04 01 00-00 4E 00 00 00 19 00 17 : .........N......
System.Net.Sockets Verbose: 0 : [13160] 00000070 : 00 00 14 61 6D 61 74 72-61 76 65 6C 2E 74 73 74 : ...domain-here
System.Net.Sockets Verbose: 0 : [13160] 00000080 : 6C 6C 63 2E 6E 65 74 00-0A 00 06 00 04 00 17 00 : domain-here.........
System.Net.Sockets Verbose: 0 : [13160] 00000090 : 18 00 0B 00 02 01 00 00-0D 00 14 00 12 06 01 06 : ................
System.Net.Sockets Verbose: 0 : [13160] 000000A0 : 03 04 01 05 01 02 01 04-03 05 03 02 03 02 02 00 : ................
System.Net.Sockets Verbose: 0 : [13160] 000000B0 : 17 00 00 FF 01 00 01 00-                        : ........
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Send()     -> Int32#184
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Receive()
System.Net.Sockets Verbose: 0 : [13160] Data from Socket#13062350::Receive
System.Net.Sockets Verbose: 0 : [13160] 00000000 : 15 03 03 00 02                                  : .....
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Receive()  -> Int32#5
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Receive()
System.Net.Sockets Verbose: 0 : [13160] Data from Socket#13062350::Receive
System.Net.Sockets Verbose: 0 : [13160] 00000005 : 02 28                                           : .(
System.Net.Sockets Verbose: 0 : [13160] Exiting Socket#13062350::Receive()  -> Int32#2
System.Net Information: 0 : [13160] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 51ccc0:5827200, targetName = domain-here, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [13160] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
System.Net.Sockets Verbose: 0 : [13160] Socket#13062350::Dispose()
System.Net Error: 0 : [13160] Exception in HttpWebRequest#687191:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [13160] Exception in HttpWebRequest#687191::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..

I replaced my server and client sensitive information in the trace above (anything ending with -here) but the other trace information is intact.

I still can't figure out what is wrong in the Trace and why this one url (with HTTPS) won't open with my .Net code.

Can someone please help me troubleshoot this?

r_honey

1 Answer


The debug information contains the ClientHello sent by the client in the TLS handshake. Based on this, the server is amatravel.tstllc.net, which according to SSLLabs supports only the following very few ciphers:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)         ECDH x25519 (eq. 3072 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)         ECDH x25519 (eq. 3072 bits RSA)   FS 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   ECDH x25519 (eq. 3072 bits RSA)   FS 256

All these ciphers start with TLS_ECDHE_RSA_, i.e. the RSA certificate with ECDHE key exchange. But decoding your ClientHello shows that the client only announces support for the following ciphers:

        Cipher Suites (28 suites)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
            Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
            Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
            Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
            Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
            Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
            Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

A quick look shows that none of the 4 ciphers starting with TLS_ECDHE_RSA_ matches a cipher supported by the server. Therefore the handshake fails because there are no shared ciphers.

But it suddenly started failing ...

Assuming that no changes were made to your application, it is likely that changes were made to the server. The cipher set supported by the server is very small, so maybe someone tried to harden the server while not being aware that some clients don't support any of these few ciphers.

But the cipher set supported by your client is also strange. While you support TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, you don't support TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, i.e. the same cipher but used with RSA certificates instead of ECC certificates. And the latter cipher would actually have been supported by the server.

Steffen Ullrich
  • Thanks a lot @SteffenUllrich for that detailed and informative response and for taking time out to research the reasons. This has certainly been very helpful. I am guessing you figured the domain out from the Hex codes, as otherwise I removed the references to it. – r_honey Jun 05 '20 at 08:52
  • And yes, the server was hardened. I am trying to work with server admins to come to at least one common cipher. BTW, our client is .NET 4.5 on Windows Server 2012/Win 7. I would have expected at least one common cipher, but we are also trying to work with our server team to see if they can upgrade or support the other server's ciphers. – r_honey Jun 05 '20 at 08:53
  • @r_honey: *"I am guessing you figured the domain out from the Hex codes..."* - exactly. But the actual domain was needed to understand the problem. – Steffen Ullrich Jun 05 '20 at 11:24
  • Yupp, I understand that. I was in two minds whether to leave the server domain or remove it, and decided to remove references to it, thinking I would share it only if explicitly asked. But I forgot to check the hex codes. Anyways, the information you provided was very helpful and we have been able to work with the server teams on both ends to have them arrive at common ciphers. Thanks again. – r_honey Jun 05 '20 at 17:37
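As an added example (not part of the question or the answer), the script below does the decoding the answer describes: it parses the ClientHello bytes from the trace above, extracts the SNI and the offered cipher suite IDs, intersects them with the three suite IDs the answer quotes from SSLLabs for the server, and decodes the 7-byte reply the server sent back (a fatal handshake_failure alert, which is what a server sends when it has no cipher in common). The function names and the comparison helper are my own; the byte values are copied from the trace and the answer.

```python
import struct
# Inputs copied from the question's System.Net trace: the 184-byte ClientHello the
# .NET client sent, and the 7-byte record the server answered with (two reads).
CLIENT_HELLO = bytes.fromhex(
    "16030300b3010000af03035ed942a754cd34007c31c92f75e7dea69ee8d7b574"
    "3ccb7eb384d81a226979b3000038c028c027c014c013009f009e00390033009d"
    "009c003d003c0035002fc02cc02bc024c023c00ac009006a004000380032000a"
    "0013000500040100004e000000190017000014616d6174726176656c2e747374"
    "6c6c632e6e6574000a0006000400170018000b00020100000d00140012060106"
    "03040105010201040305030203020200170000ff01000100")
SERVER_REPLY = bytes.fromhex("15030300020228")
SERVER_SUITES = {0xc02f, 0xc030, 0xcca8}  # the three suites SSLLabs reports for the server (per the answer)

def u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]

def parse_client_hello(record):
    """Return (server_name, [cipher suite ids]) from a TLS record holding a ClientHello."""
    if record[0] != 0x16 or len(record) != 5 + u16(record, 3) or record[5] != 0x01:
        raise ValueError("not a complete ClientHello handshake record")
    hs = record[5:]
    pos = 4 + 2 + 32                      # handshake header, client_version, random
    pos += 1 + hs[pos]                    # session_id (length-prefixed)
    n, pos = u16(hs, pos), pos + 2        # cipher_suites length, then the list
    suites = [u16(hs, i) for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + hs[pos]                    # compression_methods
    ext_end, pos = pos + 2 + u16(hs, pos), pos + 2
    sni = None
    while pos < ext_end:
        etype, elen = u16(hs, pos), u16(hs, pos + 2)
        if etype == 0:                    # server_name: list_len(2) type(1) name_len(2) name
            sni = hs[pos + 9:pos + 9 + u16(hs, pos + 7)].decode("ascii")
        pos += 4 + elen
    return sni, suites

def parse_alert(record):
    """Return (level, description) of an alert record; (2, 40) is fatal handshake_failure."""
    if record[0] != 0x15 or u16(record, 3) != 2:
        raise ValueError("not an alert record")
    return record[5], record[6]

def shared_suites(client_suites, server_suites=SERVER_SUITES):
    """Suites both sides offer, in client preference order; empty means no handshake is possible."""
    return [s for s in client_suites if s in server_suites]

if __name__ == "__main__":
    sni, suites = parse_client_hello(CLIENT_HELLO)
    print(sni, "offers", len(suites), "suites; shared with server:", shared_suites(suites) or "none")
    print("server alert (level, description):", parse_alert(SERVER_REPLY))
```

Adding 0xc02f (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) to either side's list makes the intersection non-empty, which is the fix both teams agreed on in the comments.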