Menu
I run an application on the Azure application Standard: 1 Small plan. Framework is 4.6.1
This application is calling a SSL secured API. The SSL is published by StartCom Class 1 DV Server CA, my local browser tells me that the certificate is valid.
If I run the application on my local machine everything works. However, when deployed to azure it fails with follwing error:
System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
The code:
public async Task<List<QutationOverview>> GetAll(string url, DateTime lastActionDate)
{
var result = string.Empty;
try
{
var userName = await _settingManager.GetSettingValueAsync("API.UserName");
var password = await _settingManager.GetSettingValueAsync("API.Password");
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls |
SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
ServicePointManager
.ServerCertificateValidationCallback +=
(sender, cert, chain, sslPolicyErrors) => true;
//Add date filter
//Always request qutations where the last action took place >= Yesterday
var requestUrl =
$"GetALL/?last_action_date={lastActionDate.AddDays(-1).ToString("yyyy-MM-dd")}&format=json";
var baseAddress = new Uri(url);
var credentials = Convert.ToBase64String(Encoding.ASCII.GetBytes($"{userName}:{password}"));
Logger.InfoFormat("GetAllQuotationsAsync for url {0}{1}", url, requestUrl);
using (var httpClient = new HttpClient {BaseAddress = baseAddress})
{
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", credentials);
using (var response = await httpClient.GetAsync(requestUrl))
{
result = await response.Content.ReadAsStringAsync();
Logger.Info(result);
}
}
}
catch (Exception ex)
{
Logger.ErrorFormat("GetAllQuotationsAsync {0}: {1}", url, ex);
}
var data = JsonConvert.DeserializeObject<List<QutationOverview>>(result);
return data;
}
As you can see I skip the validation of the certificate and added the security protocols.
However, the request is still failing.
Here is the caputred response http://textuploader.com/5ers0
Do you have any idea how to get this one working on Azure?
785
The error “The request was aborted: Could not create SSL/TLS secure channel.” can happen during any download HTTP request. This error generally will correspond to firewalls, proxies or DNS filtering blocking the connection or an SSL/TLS cipher misconfiguration.
However, the "Could not create SSL/TLS secure channel" error usually means that there's something wrong with the server certificate, e.g. the certificate is for a different hostname, or otherwise invalid, or not trusted etc.
Steps to Reproduce: Open the Microsoft Excel and check the version using Account ( In this case I was testing with Microsoft Excel 2016) Open the Microsoft Excel --> Data --> From Other Source --> From Odata Data Feed. Fill in the connection which can be found from Step 2. Below error is shown.
Capture the TLS handshake. If your ServerHello is missing you most probably don't have a common cipher suite with the remote.
Run both through https://www.ssllabs.com/ssltest/ to check supported cipher suites at both ends. For Windows Server, cipher suites can only be enabled or disabled globally (as in no distinction between client/server component) so that's why this makes for a good test.
UPDATE: Found a glaring problem in my reasoning, App Service has a frontend layer and that's where TLS terminates, so comparing ciphers that way goes nowhere.
Instead, run
Get-TlsCipherSuite
from Kudu's PowerShell and compare ciphers against your remote API's (the ciphers of which you can check over at https://ssllabs.com/ssltest). You should have at least one match.
If none match, you'll need to switch to Cloud Services or VMs and enable at least one of the cipher suites your remote speaks. Having to go this direction usually means one thing -- your remote is using weak cryptography (SSL 3.0 or TLS 1.0 with RC4) and you should have a chat with those citizens, or find new citizens that are rocking TLS 1.2.
From your System.Net trace:
[8356] 00000000 : 15 03 03 00 02
That's byte sequence for Fatal Handshake Error, which builds on my no common cipher theory.
Note the first byte (0x15):
Record Type Values dec hex
-------------------------------------
CHANGE_CIPHER_SPEC 20 0x14
ALERT 21 0x15
HANDSHAKE 22 0x16
APPLICATION_DATA 23 0x17
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
