
I can no longer download a publicly available file using C# `WebClient.DownloadFile()` or `HttpClient.ReadAsStreamAsync()`. I can download it manually using Chrome or Firefox.

The website upgraded to TLS 1.3, and my program was previously working with TLS 1.2. The first error returned was "Can't establish SSL/TLS secure channel". TLS 1.3 was not a defined enum in .NET, so I upgraded from .NET v4.78 to v4.80 to specify the TLS 1.3 protocol for `ServicePointManager.SecurityProtocol` and `HttpHandler.SslProtocols` (for HttpClient). That action got past the secure channel error, and now I'm stuck at the common algorithm error.

Chrome shows the site uses TLS 1.3, X25519, and AES_128_GCM. My understanding is X25519 is the key exchange and the algorithm is AES_128_GCM. I ran the PowerShell command `Get-TlsCipherSuite` and it shows the ciphers TLS_AES_256_GCM_SHA384 first, followed by TLS_AES_128_GCM_SHA256. These are the only 2 ciphers for protocol 772 and are enabled by default in Windows 10 now. I believe this decimal number indicates TLS 1.3 (0x0304). The website is powered by Apache and the certificate shows algorithm SHA256RSA.

J Reynolds
  • *"The website is powered by Apache and the certificate shows algorithm SHA256RSA."* - this says nothing about the ciphers supported by the server. Have a look at the [SSLLabs report](https://www.ssllabs.com/ssltest/analyze.html) of your site to check which TLS 1.3 ciphers are actually supported by the server and how they match what is [supported by Windows](https://www.microsoft.com/security/blog/2020/08/20/taking-transport-layer-security-tls-to-the-next-level-with-tls-1-3/). – Steffen Ullrich Sep 22 '20 at 05:34
  • Thank you Steffen - SSLLabs report is awesome! The server supports all 3 ciphers for 1.3 (no preference), and Microsoft supports 2. TLS_CHACHA20_POLY1305_SHA256 is disabled by default. I don't know how to proceed as both client & server appear to have common algorithms, contrary to the error. Oddly, if I force TLS 1.2, I cannot establish a secure channel although client & server support it. My code runs in Azure and fails there as well as on my local Windows 10 Pro machine. MS updated my local machine with KB4571756 & KB4576478 back to back. The problem started after those updates. – J Reynolds Sep 23 '20 at 14:54
  • Hard to tell what happened. A packet capture (tcpdump, wireshark...) might be useful to analyze the problem. – Steffen Ullrich Sep 23 '20 at 15:00
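
Following the packet-capture suggestion in the comments, this added example (not part of the original thread) parses a ClientHello record taken from a capture and compares the offered TLS versions, cipher suites and key-exchange groups with what the server accepts. The sample record is constructed: its cipher suites follow the `Get-TlsCipherSuite` order quoted in the question, while the client group list and all function names are assumptions.

```python
import struct
# TLS 1.3 code points from RFC 8446. 0x0304 == 772, the protocol number in Get-TlsCipherSuite.
SUITES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
          0x1303: "TLS_CHACHA20_POLY1305_SHA256"}
EXT_SUPPORTED_GROUPS, EXT_SUPPORTED_VERSIONS = 10, 43

def parse_client_hello(record: bytes) -> dict:
    """Return the versions, cipher suites and groups offered in one ClientHello record."""
    ctype, _ver, rlen = struct.unpack_from("!BHH", record, 0)
    if ctype != 22 or len(record) < 5 + rlen or record[5:6] != b"\x01":
        raise ValueError("not a complete ClientHello handshake record")
    body = record[5:5 + rlen]
    pos = 4 + 2 + 32                          # handshake header, legacy_version, random
    pos += 1 + body[pos]                      # skip legacy_session_id
    n = int.from_bytes(body[pos:pos + 2], "big")
    suites = list(struct.unpack_from("!%dH" % (n // 2), body, pos + 2))
    pos += 2 + n
    pos += 1 + body[pos]                      # skip legacy_compression_methods
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos, versions, groups = pos + 2, [], []
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SUPPORTED_VERSIONS:   # 1-byte list length, then 2-byte versions
            versions = list(struct.unpack_from("!%dH" % (data[0] // 2), data, 1))
        elif etype == EXT_SUPPORTED_GROUPS:   # 2-byte list length, then 2-byte groups
            groups = list(struct.unpack_from("!%dH" % ((len(data) - 2) // 2), data, 2))
    return {"versions": versions, "suites": suites, "groups": groups}

def sample_record() -> bytes:
    """Constructed ClientHello; groups x25519 (0x1D) and secp256r1 (0x17) are assumed."""
    ext = struct.pack("!HHB2H", 43, 5, 4, 0x0304, 0x0303)        # supported_versions
    ext += struct.pack("!HHH2H", 10, 6, 4, 0x001D, 0x0017)       # supported_groups
    hello = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"      # version, random, session id
    hello += struct.pack("!H2H", 4, 0x1302, 0x1301) + b"\x01\x00"  # suites, compression
    hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs

def overlap(hello: dict, server_suites, server_groups) -> dict:
    """Parameters both sides share; no shared suite or group means the handshake fails."""
    return {"tls13": 0x0304 in hello["versions"],
            "suites": [SUITES.get(s, hex(s)) for s in hello["suites"] if s in server_suites],
            "groups": [g for g in hello["groups"] if g in server_groups]}

if __name__ == "__main__":  # server side: the three suites and X25519 named in the thread
    print(overlap(parse_client_hello(sample_record()), SUITES.keys(), {0x001D}))
```

The parser does not cover the signature_algorithms extension, which the two sides must also agree on.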

0 Answers