The request was aborted: Could not create SSL/TLS secure channel Error

0 Votes
70576398 asked, VitoProcino-4399 answered

We are having this error when running the Web API. We already upgraded the .NET Framework to 4.8 on Windows Server 2012 R2, and checked that TLS 1.2 is enabled.

[Attachment: tls12-reg1.jpg]

Tags: windows-server-iis, dotnet-entity-framework

0 Votes
VitoProcino-4399 answered

0 Votes
70576398 answered

Already checked this article for Windows 2012 R2, and set all the TLS registry values.

0 Votes
VitoProcino-4399 answered

The official MS guide and KB for upgrading .NET 4.x has a note:
you must install the .NET role in IIS first, and then apply the upgrade/fix/KB.

So your problem is that TLS doesn't work? Can you post the event error, please?

0 Votes
70576398 answered

Still getting "The request was aborted: Could not create SSL/TLS secure channel" error. Just edited a couple of registry settings for TLS, but they need a reboot. Will try again after the reboot (not able to reboot yet).

0 Votes
VitoProcino-4399 answered

Is the Web API on the IIS server (Windows 2012 R2), or can you start the query from another system to the Windows 2012 R2 box?

Check the IIS security settings to use SSL/TLS auth, and in the browser check that TLS 1.2 is enabled.

The TLS 1.2 registry key is:

HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\tls 1.2\server
DisableByDefault=1
Enabled=1


0 Votes
70576398 answered

Thanks Vito. The API is on a W2012 R2 server. This Web API calls another external API.

Checked the TLS 1.2 Server registry key, sharing it below.

[Attachment: tls12-server.jpg]

1 Vote
VitoProcino-4399 answered, 70576398 commented

You need to create this registry key:

HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\tls 1.2\server\
DisableByDefault=1
Enabled=1


70576398 commented:

After setting TLS 1.2 I get "Error: SSL connect error".
Reverted to the previous settings.
Still get the error below:
"The underlying connection was closed: An unexpected error occurred on a send."

0 Votes
0 Votes
VitoProcino-4399 answered

Can you read this doc, "Transport Layer Security (TLS) best practices with the .NET Framework" (strong authentication)?

https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls?source=docs#configuring-security-via-the-windows-registry

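The registry values that doc describes (the Schannel Protocols keys and the .NET Framework SchUseStrongCrypto / SystemDefaultTlsVersions values) can be checked in one read-only pass before anything is changed. The following Windows PowerShell script is an added example, not code from this thread or from Microsoft's doc. It reads the Client and Server subkeys for TLS 1.0 to 1.2 and the two .NET values, and labels the TLS 1.2 Client side (the one that governs the Web API's outbound calls) as usable, not offered by default, or disabled. The key paths and value names are the documented ones; the wording of the labels is this example's own.

```powershell
# Added example (not from the thread or from Microsoft's doc): read-only audit of the
# registry values that decide whether a .NET Framework app on this box can make
# outbound TLS 1.2 calls. Run in Windows PowerShell; nothing is written.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$DotNetKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',              # 64-bit processes
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'   # 32-bit processes
)

function Get-SchannelProtocolState {
    # Returns Enabled/DisableByDefault for one protocol side, or '(not set)' when the
    # value is absent (absent = OS default; on Server 2012 R2 TLS 1.2 is on by default).
    param([string]$Protocol, [string]$Side)
    $key = Join-Path $SchannelRoot "$Protocol\$Side"
    $enabled = '(not set)'
    $disableByDefault = '(not set)'
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        if ($null -ne $p.Enabled)          { $enabled          = $p.Enabled }
        if ($null -ne $p.DisableByDefault) { $disableByDefault = $p.DisableByDefault }
    }
    # Enabled=0 removes the protocol entirely; DisableByDefault=1 keeps it available
    # but not offered unless the application asks for that version explicitly.
    $note = 'usable'
    if ($enabled -eq 0) { $note = 'protocol disabled' }
    elseif ($disableByDefault -eq 1) { $note = 'not offered by default' }
    [pscustomobject]@{
        Protocol         = $Protocol
        Side             = $Side
        Enabled          = $enabled
        DisableByDefault = $disableByDefault
        Note             = $note
    }
}

function Get-DotNetTlsDefaults {
    # SchUseStrongCrypto=1 and SystemDefaultTlsVersions=1 make .NET Framework 4.x apps
    # that do not set ServicePointManager.SecurityProtocol themselves follow the OS
    # (Schannel) protocol defaults instead of the older framework defaults.
    foreach ($key in $DotNetKeys) {
        $strong = '(not set)'
        $sysDefault = '(not set)'
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            if ($null -ne $p.SchUseStrongCrypto)       { $strong     = $p.SchUseStrongCrypto }
            if ($null -ne $p.SystemDefaultTlsVersions) { $sysDefault = $p.SystemDefaultTlsVersions }
        }
        [pscustomobject]@{
            Key                      = $key
            SchUseStrongCrypto       = $strong
            SystemDefaultTlsVersions = $sysDefault
        }
    }
}

$protocols = foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        Get-SchannelProtocolState -Protocol $proto -Side $side
    }
}
$protocols | Format-Table -AutoSize
Get-DotNetTlsDefaults | Format-List

# The case in this thread: the Web API's outbound calls depend on the Client side.
$client12 = $protocols | Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.Side -eq 'Client' }
"Outbound TLS 1.2 (Client side) is: $($client12.Note)"
```

Two points the output makes visible: the Server subkey that the thread's screenshots show only affects connections into IIS, so the Client subkey is the one to read for a Web API that calls out; and because Windows Server 2012 R2 enables TLS 1.2 by default, an absent key is not a problem in itself, while Enabled=1 together with DisableByDefault=0 is the combination that leaves it usable without the application requesting it.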

0 Votes
70576398 answered, BruceZhang-MSFT commented

Additional information: after the TLS 1.2 registry value is set to "1", the other web services give the error "Error: SSL connect error". After reverting, they are available again.

BruceZhang-MSFT commented:

Hi @KaganKassu-7177,

I noticed that you said this API on Server 2012 is used to call another external API. That means the external API is on another server.

So an important thing is that you also need to make sure the other server supports TLS 1.2. Based on the information you've shown and the registry settings, I believe Server 2012 already supports TLS 1.2.
Note: Microsoft does not recommend that you force the selection of the TLS version; it should be left to the server to choose. When you enable all TLS versions, the server will choose the most appropriate one based on the settings of the client or other calling server.

First, I think you can use a client which supports TLS 1.2 to call the API on Server 2012. If it is possible to use a browser, you can get the TLS information in the client browser. If not, please use Network Monitor.

[Attachment: 2.png]

Then use Network Monitor to check if the other server which hosts the external API supports TLS 1.2. Only if the other server supports TLS 1.2 can the connection be created successfully.

1 Vote

70576398 commented:

Thanks BruceZhang.

Exactly: the internal API calls the external one via SOAP or Insomnia. The external API is on OpenShift with TLS v1.3, but we were told TLS v1.2 is supported.

0 Votes

BruceZhang-MSFT commented:

Hi @KaganKassu-7177,

If the external API server supports TLS 1.3, it will also support TLS 1.2. But you need to make sure it has TLS 1.2 enabled.

Then, did you try to use Network Monitor to check if Server 2012 supports TLS 1.2?

0 Votes
70576398 commented (reply to BruceZhang-MSFT):

Tried Network Monitor, but SOAP or Insomnia is monitoring using the API, so I was unable to check it.

The other API side sent information on TLS: we cannot access the API directly by URL. They tested internally with TLS v1.2. I can access it via cURL with the root CA. Is there any SSL certificate problem?

[Attachment: tls12protocol-ss.jpg]
[Attachment: tls12-crtv.jpg]

0 Votes
0 Votes
70576398 answered, 70576398 commented

Thanks for the previous links, I got some useful info. I can trace via Network Monitor, but there is no return after the Client Hello handshake: no Certificate/Server Hello comes back. Could be a certificate problem here, but not sure whether on our side or the external side? Do you have any possible idea?
Also, I'm sharing my server's current Schannel configuration and trace screenshots.

[Attachment: api-clhandshke.jpg]
[Attachment: return-tcp.jpg]
[Attachment: schanel-sttngs.jpg]

70576398 commented:

In addition, getting a TLS error when run in the browser. Advanced settings are OK: TLS 1.2 and TLS 1.1. Can this error be related to the external site certificate's support of TLS 1.2? But I can access that certificate with cURL.

[Attachment: tlserror.jpg]

0 Votes
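BruceZhang's procedure above (confirm this host can speak TLS 1.2, then confirm the external server does) and the last trace (Client Hello sent, no Server Hello back, unclear whether the certificate is the problem) can both be exercised from the Server 2012 R2 box itself without Network Monitor. The following Windows PowerShell script is an added example, not code from this thread; it opens a TCP connection and then a TLS handshake through System.Net.Security.SslStream, which is the same .NET Framework/Schannel path the Web API uses (Windows PowerShell 5.1 runs on the .NET Framework). The host name 'external-api.example' is a placeholder for the external API endpoint, and Test-TlsHandshake is this example's own function name.

```powershell
# Added example (not from the thread): drive a TLS handshake from this host to the
# external API through SslStream, separating "TCP connect failed", "peer never answered
# the Client Hello" and "chain rejected by Schannel" so each can be attributed to a side.
# 'external-api.example' is a placeholder host name.

function Test-TlsHandshake {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol = [System.Security.Authentication.SslProtocols]::Tls12,
        [int]$TimeoutMs = 10000
    )
    $r = [ordered]@{ HostName = $HostName; Port = $Port; Requested = $Protocol
                     TcpConnected = $false; HandshakeOk = $false }
    $seen = @{ ChainErrors = $null }   # filled in by the validation callback, if it runs
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        # Step 1: plain TCP. A failure here is routing/firewall, not TLS.
        $ar = $tcp.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${HostName}:$Port timed out after $TimeoutMs ms"
        }
        $tcp.EndConnect($ar)
        $r.TcpConnected = $true

        # Step 2: TLS. Record the chain verdict, but still reject anything not clean:
        # the aim is to learn why Schannel refuses, not to switch validation off.
        $validate = [System.Net.Security.RemoteCertificateValidationCallback]({
            param($sender, $cert, $chain, $errors)
            $seen.ChainErrors = $errors
            return ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
        }.GetNewClosure())
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
        $ssl.ReadTimeout  = $TimeoutMs
        $ssl.WriteTimeout = $TimeoutMs
        # If this throws with TcpConnected=$true and ChainErrors still empty, the peer
        # never sent a Server Hello/Certificate: the callback was never reached.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $true)
        $r.HandshakeOk = $true
        $r.Negotiated  = $ssl.SslProtocol
        $r.Cipher      = '{0}/{1}' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
        $r.ServerCert  = $ssl.RemoteCertificate.Subject
        $r.Issuer      = $ssl.RemoteCertificate.Issuer
        $ssl.Dispose()
    }
    catch {
        $r.Error = $_.Exception.Message
        if ($_.Exception.InnerException) { $r.InnerError = $_.Exception.InnerException.Message }
    }
    finally {
        $tcp.Dispose()
        if ($null -ne $seen.ChainErrors) { $r.ChainErrors = $seen.ChainErrors }
    }
    [pscustomobject]$r
}

# Pin TLS 1.2 first: this answers "can this host and that server agree on TLS 1.2?"
Test-TlsHandshake -HostName 'external-api.example' | Format-List
# Then let Schannel choose (SslProtocols.None), which is what the Web API gets when it
# follows the system default rather than forcing a version.
Test-TlsHandshake -HostName 'external-api.example' -Protocol None | Format-List
```

Reading the result: TcpConnected false points at the network path; TcpConnected true with an error and no ChainErrors matches the trace in the thread (the peer dropped or ignored the Client Hello, so no certificate was ever seen and trust on this host is not yet in play); ChainErrors set to something other than None means the server answered and it is this host's certificate validation that refuses. On that last point, success with cURL and the root CA does not settle it, because cURL on Windows is commonly built against its own TLS library and trust store and so does not show whether the Windows certificate store trusts the chain.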