C# SSL exception on Windows 7

Question

var httpClientHandler = new HttpClientHandler
{
    SslProtocols = SslProtocols.Tls12,
    ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; },
};

var httpClient = new HttpClient(httpClientHandler)
{
    BaseAddress = new Uri("https://api.myservice.com:4443"),
    Timeout = TimeSpan.FromSeconds(10),
};

var credentials = Convert.ToBase64String(Encoding.ASCII.GetBytes($"USER1:PASS1"));
httpClient.DefaultRequestHeaders.Add("Authorization", $"Basic {credentials}");

var result = await httpClient.PostAsync("/login", null);

MyApp.csproj

<PropertyGroup Condition="'$(Configuration)'=='Release' And '$(TargetFramework)'=='net5.0-windows' And '$(RuntimeIdentifier)'=='win-x86'">
    <OutputPath>..\..\release\</OutputPath>
    <AssemblyName>my-app</AssemblyName>
    <AppendTargetFrameworkToOutputPath>false</AppendTargetFrameworkToOutputPath>
    <AppendRuntimeIdentifierToOutputPath>false</AppendRuntimeIdentifierToOutputPath>
</PropertyGroup>

my-app.exe is x86 assembly with .NET 5.0
.NET 5.0 runtimes are installed (both x86 and x64)
.NET framework 4.8 is installed
KB3033929, KB3063858 and KB3140245 are installed
https://api.myservice.com:4443 supports TLS 1.2

it works with Win10 x64 but with Win7 Sp1 x64 it generates:

The SSL connection could not be established, see inner exception.

the inner exception is empty

I've already added these registry entries:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

TLS 1.1 is obsolete which is the default you added to registry. You do not need to change registry. Using following is equivalent : SslProtocols = SslProtocols.Tls12. The following is Net 4.0 v4.0.30319 which does not support the encryption modes for TLS 1.2. You need to use Net 4.7.2 or later which does TLS in operating system (not in Net). Open the csproj with notepad and make sure the option to use Net for TLS is disabled and Operating System (default) is used. Also check the target version of Net. — jdweng, Jul 30 '22 at 10:42
@jdweng I have already tried without SslProtocols=SslProtocols.Tls12 and without registry entries. Perhaps some windows updates are needed, I have already installed KB3033929 and KB3063858 — geek175, Jul 30 '22 at 13:13
It sounds like some windows updates in Win7 are missing that does TLS. Or the certificate is missing on Win7. — jdweng, Jul 30 '22 at 14:07
A Wireshark trace would be immensely useful in order to diagnose this. Have you applied the relevant update from https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392? Are you aware that Windows 7 is heavily out of date, and not receiving any security updates anymore? — Charlieface, Jul 31 '22 at 01:12
@Charlieface I have applied KB3140245 but the problem persists. — geek175, Aug 02 '22 at 08:31

score 0 · Accepted Answer · answered Aug 02 '22 at 11:25

the issue was fixed just by appending these lines to registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003

RSA/SHA512
ECDSA/SHA512

the registry file to merge

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003]
"Functions"=hex(7):52,00,53,00,41,00,2f,00,53,00,48,00,41,00,32,00,35,00,36,00,\
  00,00,52,00,53,00,41,00,2f,00,53,00,48,00,41,00,33,00,38,00,34,00,00,00,52,\
  00,53,00,41,00,2f,00,53,00,48,00,41,00,31,00,00,00,45,00,43,00,44,00,53,00,\
  41,00,2f,00,53,00,48,00,41,00,32,00,35,00,36,00,00,00,45,00,43,00,44,00,53,\
  00,41,00,2f,00,53,00,48,00,41,00,33,00,38,00,34,00,00,00,45,00,43,00,44,00,\
  53,00,41,00,2f,00,53,00,48,00,41,00,31,00,00,00,44,00,53,00,41,00,2f,00,53,\
  00,48,00,41,00,31,00,00,00,52,00,53,00,41,00,2f,00,53,00,48,00,41,00,35,00,\
  31,00,32,00,00,00,45,00,43,00,44,00,53,00,41,00,2f,00,53,00,48,00,41,00,35,\
  00,31,00,32,00,00,00,00,00
@="NCRYPT_SCHANNEL_SIGNATURE_INTERFACE"

check out this answer https://stackoverflow.com/a/54523827/14953032

C# SSL exception on Windows 7

1 Answers1