
"Could not create SSL/TLS secure channel" Azure Storage .NET API error since POODLE

Reads work, but create / delete / updates don't when using the .NET Azure Storage API library for blobs and also azure queue (built on storage as well). This is running within an ASP.NET MVC 5.2 website, .NET 4.5.1, all libraries are fully updated to newest versions. This problem arose suddenly as of yesterday (Oct 14) evening, obviously as the POODLE exploit became known. Been using this API project for years without this problem, and the deployed version was working until that time.

Frustratingly, on my dev / local machine the problem doesn't appear.

There is a long lag until the error shows, probably due to retry attempts or something.

The request was aborted: Could not create SSL/TLS secure channel.

    System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
       at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
       at System.Net.HttpWebRequest.GetRequestStream()
       at Microsoft.WindowsAzure.Storage.Core.Executor.Executor.ExecuteSync[T](RESTCommand`1 cmd, IRetryPolicy policy, OperationContext operationContext)

That is the totality of the exception.

Nicholas Petersen asked Oct 15 '14 22:10




2 Answers

I have exactly the same problem: yesterday many companies disabled SSLv3 on their servers, so the client has to negotiate to use TLS instead when connecting to a secure endpoint.

When running on my dev box everything works like before. But on all of my production servers I get the same exception when connecting to some servers (not all; for example graph.facebook.com, mandrillapp.com and some others show that problem).

Interestingly enough, a restart of the application solved the problem for about an hour. Then the error shows up again.

After some googling I found the line

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;

to be of some help. The problem is that this seems to be a global setting, and it solves some but not all connection problems for me. The Facebook API is working again, but Mandrill, for example, stops working and shows the exception again after a few hours.

The problem seems to be that the .NET HttpWebRequest class (and also the WebClient class) or the underlying HTTPS implementation have problems negotiating the communication protocol.

I have read that TLS has been the standard protocol in .NET for a few years and SSLv3 is just used as a fallback, but nevertheless, the exception is there.

Jan answered Oct 03 '22 22:10



I think we have found the main problem: Azure Storage, at least when being communicated with from an Azure Cloud Service (on the newest Windows platform available, however), seems to not be able to handle the Tls 1.2 security protocol.

So setting:

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; // FAILS!

You must rather set:

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls; // or Tls11 ?

It MAY not be able to handle Tls 1.1 either. I could check that, but I'm wary of having this project not working again, for even a second.

--- UPDATE --- The Azure support personnel pointed out that prior to .NET 4.5 (4.0 and earlier), the only Tls values available on this enum were simply .Tls (no Tls11, Tls12).

See msdn docs.

I'm betting the receiving end in Azure storage then (on their own internal stack that processes requests) is not using .NET 4.5 (an educated guess).

--- end update ---

No problems though on the local machine. Which makes me wonder if the client (the cloud service virtual machine hosted in azure) itself is the one lacking here.

Thus far, this seems to be working.

For detailed log information obtained from remoting into the instance, here's some obviously pertinent logs, that may help some people to hopefully address this for the future. In every case, the underlying exception was:

    System.Security.Authentication.AuthenticationException // (of type: `System.ComponentModel.Win32Exception`)

And the main error message was:

The client and server cannot communicate, because they do not possess a common algorithm

Apparently, in this case one of them (I think the cloud service client?) can't handle Tls1.2?

Logs snippet:

    DetailID = 6
    Count:    4
    Type:     System.Security.Authentication.AuthenticationException
    Message:  A call to SSPI failed, see inner exception.
        Type:     System.ComponentModel.Win32Exception
        Message:  The client and server cannot communicate, because they do not possess a common algorithm
    Stack:    
        [HelperMethodFrame]
        System.Net.Security.SslState.ForceAuthentication(Boolean, Byte[], System.Net.AsyncProtocolRequest)
        [HelperMethodFrame]
        System.Net.Security.SslState.StartSendAuthResetSignal(System.Net.Security.ProtocolToken, System.Net.AsyncProtocolRequest, System.Exception)
        System.Net.Security.SslState.StartSendBlob(Byte[], Int32, System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.ProcessReceivedBlob(Byte[], Int32, System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.StartReceiveBlob(Byte[], System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.StartSendBlob(Byte[], Int32, System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.ForceAuthentication(Boolean, Byte[], System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.ProcessAuthentication(System.Net.LazyAsyncResult)
        System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
        System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
        System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
        System.Net.TlsStream.ProcessAuthentication(System.Net.LazyAsyncResult)
        System.Net.TlsStream.Write(Byte[], Int32, Int32)
        System.Net.ConnectStream.WriteHeaders(Boolean)
        System.Net.HttpWebRequest.EndSubmitRequest()
        System.Net.Connection.CompleteConnection(Boolean, System.Net.HttpWebRequest)
        System.Net.Connection.CompleteStartConnection(Boolean, System.Net.HttpWebRequest)
        System.Net.Connection.CompleteStartRequest(Boolean, System.Net.HttpWebRequest, System.Net.TriState)
        System.Net.Connection.SubmitRequest(System.Net.HttpWebRequest, Boolean)
        System.Net.ServicePoint.SubmitRequest(System.Net.HttpWebRequest, System.String)
        System.Net.HttpWebRequest.SubmitRequest(System.Net.ServicePoint)
        System.Net.HttpWebRequest.GetRequestStream(System.Net.TransportContext ByRef)
        System.Net.HttpWebRequest.GetRequestStream()
        Microsoft.WindowsAzure.Storage.Core.Executor.Executor.ExecuteSync[[System.__Canon, mscorlib]](Microsoft.WindowsAzure.Storage.Core.Executor.RESTCommand`1<System.__Canon>, Microsoft.WindowsAzure.Storage.RetryPolicies.IRetryPolicy, Microsoft.WindowsAzure.Storage.OperationContext)
        Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob.UploadFromStreamHelper(System.IO.Stream, System.Nullable`1<Int64>, Microsoft.WindowsAzure.Storage.AccessCondition, Microsoft.WindowsAzure.Storage.Blob.BlobRequestOptions, Microsoft.WindowsAzure.Storage.OperationContext)
        Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob.UploadFromByteArray(Byte[], Int32, Int32, Microsoft.WindowsAzure.Storage.AccessCondition, Microsoft.WindowsAzure.Storage.Blob.BlobRequestOptions, Microsoft.WindowsAzure.Storage.OperationContext)
        Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob.UploadText(System.String, System.Text.Encoding, Microsoft.WindowsAzure.Storage.AccessCondition, Microsoft.WindowsAzure.Storage.Blob.BlobRequestOptions, Microsoft.WindowsAzure.Storage.OperationContext)
        ... my own project's calls begin here ...

    DetailID = 7
    Count:    4
    Type:     System.Security.Authentication.AuthenticationException
    Message:  A call to SSPI failed, see inner exception.
        Type:     System.ComponentModel.Win32Exception
        Message:  The client and server cannot communicate, because they do not possess a common algorithm
    Stack:    
        [HelperMethodFrame]
        System.Net.TlsStream.ProcessAuthentication(System.Net.LazyAsyncResult)
        [HelperMethodFrame]
        System.Net.Security.SslState.ForceAuthentication(Boolean, Byte[], System.Net.AsyncProtocolRequest)
        [HelperMethodFrame]
        System.Net.Security.SslState.StartSendAuthResetSignal(System.Net.Security.ProtocolToken, System.Net.AsyncProtocolRequest, System.Exception)
        System.Net.Security.SslState.StartSendBlob(Byte[], Int32, System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.ProcessReceivedBlob(Byte[], Int32, System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.StartReceiveBlob(Byte[], System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.StartSendBlob(Byte[], Int32, System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.ForceAuthentication(Boolean, Byte[], System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.ProcessAuthentication(System.Net.LazyAsyncResult)
        System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
        System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
        System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
        System.Net.TlsStream.ProcessAuthentication(System.Net.LazyAsyncResult)
        System.Net.TlsStream.Write(Byte[], Int32, Int32)
        System.Net.ConnectStream.WriteHeaders(Boolean)
        System.Net.HttpWebRequest.EndSubmitRequest()
        System.Net.Connection.CompleteConnection(Boolean, System.Net.HttpWebRequest)
        System.Net.Connection.CompleteStartConnection(Boolean, System.Net.HttpWebRequest)
        System.Net.Connection.CompleteStartRequest(Boolean, System.Net.HttpWebRequest, System.Net.TriState)
        System.Net.Connection.SubmitRequest(System.Net.HttpWebRequest, Boolean)
        System.Net.ServicePoint.SubmitRequest(System.Net.HttpWebRequest, System.String)
        System.Net.HttpWebRequest.SubmitRequest(System.Net.ServicePoint)
        System.Net.HttpWebRequest.GetRequestStream(System.Net.TransportContext ByRef)
        System.Net.HttpWebRequest.GetRequestStream()
        Microsoft.WindowsAzure.Storage.Core.Executor.Executor.ExecuteSync[[System.__Canon, mscorlib]](Microsoft.WindowsAzure.Storage.Core.Executor.RESTCommand`1<System.__Canon>, Microsoft.WindowsAzure.Storage.RetryPolicies.IRetryPolicy, Microsoft.WindowsAzure.Storage.OperationContext)
        Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob.UploadFromStreamHelper(System.IO.Stream, System.Nullable`1<Int64>, Microsoft.WindowsAzure.Storage.AccessCondition, Microsoft.WindowsAzure.Storage.Blob.BlobRequestOptions, Microsoft.WindowsAzure.Storage.OperationContext)
        Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob.UploadFromByteArray(Byte[], Int32, Int32, Microsoft.WindowsAzure.Storage.AccessCondition, Microsoft.WindowsAzure.Storage.Blob.BlobRequestOptions, Microsoft.WindowsAzure.Storage.OperationContext)
        Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob.UploadText(System.String, System.Text.Encoding, Microsoft.WindowsAzure.Storage.AccessCondition, Microsoft.WindowsAzure.Storage.Blob.BlobRequestOptions, Microsoft.WindowsAzure.Storage.OperationContext)
        ... my own project's calls begin here ...

    DetailID = 8
    Count:    4
    Type:     System.Security.Authentication.AuthenticationException
    Message:  A call to SSPI failed, see inner exception.
        Type:     System.ComponentModel.Win32Exception
        Message:  The client and server cannot communicate, because they do not possess a common algorithm
    Stack:    
        [HelperMethodFrame]
        System.Net.TlsStream.ProcessAuthentication(System.Net.LazyAsyncResult)
        [HelperMethodFrame]
        System.Net.TlsStream.ProcessAuthentication(System.Net.LazyAsyncResult)
        [HelperMethodFrame]
        System.Net.Security.SslState.ForceAuthentication(Boolean, Byte[], System.Net.AsyncProtocolRequest)
        [HelperMethodFrame]
        System.Net.Security.SslState.StartSendAuthResetSignal(System.Net.Security.ProtocolToken, System.Net.AsyncProtocolRequest, System.Exception)
        System.Net.Security.SslState.StartSendBlob(Byte[], Int32, System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.ProcessReceivedBlob(Byte[], Int32, System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.StartReceiveBlob(Byte[], System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.StartSendBlob(Byte[], Int32, System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.ForceAuthentication(Boolean, Byte[], System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.ProcessAuthentication(System.Net.LazyAsyncResult)
        System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
        System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
        System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
        System.Net.TlsStream.ProcessAuthentication(System.Net.LazyAsyncResult)
        System.Net.TlsStream.Write(Byte[], Int32, Int32)
        System.Net.ConnectStream.WriteHeaders(Boolean)
        System.Net.HttpWebRequest.EndSubmitRequest()
        System.Net.Connection.CompleteConnection(Boolean, System.Net.HttpWebRequest)
        System.Net.Connection.CompleteStartConnection(Boolean, System.Net.HttpWebRequest)
        System.Net.Connection.CompleteStartRequest(Boolean, System.Net.HttpWebRequest, System.Net.TriState)
        System.Net.Connection.SubmitRequest(System.Net.HttpWebRequest, Boolean)
        System.Net.ServicePoint.SubmitRequest(System.Net.HttpWebRequest, System.String)
        System.Net.HttpWebRequest.SubmitRequest(System.Net.ServicePoint)
        System.Net.HttpWebRequest.GetRequestStream(System.Net.TransportContext ByRef)
        System.Net.HttpWebRequest.GetRequestStream()
        Microsoft.WindowsAzure.Storage.Core.Executor.Executor.ExecuteSync[[System.__Canon, mscorlib]](Microsoft.WindowsAzure.Storage.Core.Executor.RESTCommand`1<System.__Canon>, Microsoft.WindowsAzure.Storage.RetryPolicies.IRetryPolicy, Microsoft.WindowsAzure.Storage.OperationContext)
        Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob.UploadFromStreamHelper(System.IO.Stream, System.Nullable`1<Int64>, Microsoft.WindowsAzure.Storage.AccessCondition, Microsoft.WindowsAzure.Storage.Blob.BlobRequestOptions, Microsoft.WindowsAzure.Storage.OperationContext)
        Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob.UploadFromByteArray(Byte[], Int32, Int32, Microsoft.WindowsAzure.Storage.AccessCondition, Microsoft.WindowsAzure.Storage.Blob.BlobRequestOptions, Microsoft.WindowsAzure.Storage.OperationContext)
        Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob.UploadText(System.String, System.Text.Encoding, Microsoft.WindowsAzure.Storage.AccessCondition, Microsoft.WindowsAzure.Storage.Blob.BlobRequestOptions, Microsoft.WindowsAzure.Storage.OperationContext)
        ... my own project's calls begin here ...

The answer by Jan technically gives the right solution in the end, but it doesn't give the real cause, which is the real bugger here (as I said in the comments, I was already setting this, just I happened to set a higher value, to Tls12 instead). So while I always would prefer not to give my own answer over someone else's, I think this is preferable and more helpful for others struggling with this exact same problem (indeed, when I saw his answer, it didn't even register to me as being different from what I was doing). Thanks to Jan for the help though.

Nicholas Petersen answered Oct 03 '22 23:10

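A diagnostic that follows from both answers above (Jan's process-wide `ServicePointManager.SecurityProtocol` setting and the Tls12-versus-Tls finding), added here as an example and not code from either poster: it probes an endpoint one TLS version at a time with `SslStream`, so a "no common algorithm" failure can be tied to a specific version, and then applies a set of versions rather than a single pinned one. The host name is a placeholder; the combined-flags setting is a generalization of the answers (`SecurityProtocolType` is a flags enum), not something they state.

```csharp
// Added example, not from the question or answers. Targets .NET Framework 4.5+,
// where SslProtocols/SecurityProtocolType carry Tls11 and Tls12 members.
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

static class TlsProbe
{
    // One handshake per protocol version; each attempt offers only that
    // version, so a failure maps directly to the SSPI "cannot communicate,
    // no common algorithm" error quoted in the logs above.
    static void ProbeHost(string host, int port = 443)
    {
        foreach (var proto in new[] { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 })
        {
            try
            {
                using (var tcp = new TcpClient(host, port))
                using (var ssl = new SslStream(tcp.GetStream(), false))
                {
                    ssl.AuthenticateAsClient(host, null, proto, checkCertificateRevocation: true);
                    Console.WriteLine("{0,-6} OK   negotiated {1}, cipher {2}",
                        proto, ssl.SslProtocol, ssl.CipherAlgorithm);
                }
            }
            catch (AuthenticationException ex)
            {
                // The inner Win32Exception carries the message seen in the logs.
                var inner = ex.InnerException != null ? ex.InnerException.Message : ex.Message;
                Console.WriteLine("{0,-6} FAIL {1}", proto, inner);
            }
        }
    }

    static void Main()
    {
        // Placeholder account name; substitute the endpoint you are checking.
        ProbeHost("myaccount.blob.core.windows.net");

        // Process-wide setting: apply it once at startup, before the first
        // request creates a ServicePoint. Pinning a single value (Tls12 alone,
        // as the answer above found) removes every fallback; offering a set lets
        // the handshake pick the highest version both sides share, and leaving
        // Ssl3 out of the set keeps the POODLE-affected protocol disabled.
        ServicePointManager.SecurityProtocol =
            SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
    }
}
```

Run the probe from the production instance that shows the error, not from a dev box, since the two reportedly behave differently.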