Random The request was aborted: Could not create SSL/TLS secure channel. Returned code=MessageAltered

Question

In one out of around a thousand HTTPS requests, following exception is thrown:

System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
    at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
    at System.Net.WebClient.DownloadString(Uri address)

The logs from System.Net look like follows:

2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] Associating HttpWebRequest#37618637 with ServicePoint#28841767
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] Associating Connection#16407032 with HttpWebRequest#37618637
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net.Sockets | [2688] Socket#42531032 - Created connection from x.x.x.x:12345 to y.y.y.y:443.
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] Connection#16407032 - Created connection from x.x.x.x:12345 to y.y.y.y:443.
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] TlsStream#54603865::.ctor(host=www.remoteservice.com, #certs=0)
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] Associating HttpWebRequest#37618637 with ConnectStream#27023101
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] HttpWebRequest#37618637 - Request: GET /api/v3/method HTTP/1.1
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] ConnectStream#27023101 - Sending headers
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] SecureChannel#66031633::.ctor(hostname=www.remoteservice.com, #clientCertificates=0, encryptionPolicy=RequireEncryption)
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] SecureChannel#66031633 - Left with 0 client certificates to choose from.
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] Using the cached credential handle.
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:10:17.1031 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=379, returned code=ContinueNeeded).
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505f981f0, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505f981f0, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505f981f0, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:10:17.1656 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505f981f0, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:10:17.4937 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=574, returned code=ContinueNeeded).
2016-09-20 15:10:17.5562 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505f981f0, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:10:17.5562 | INFO | 72 | System.Net | [2688] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=MessageAltered).
2016-09-20 15:10:17.5562 | ERROR | 72 | System.Net | [2688] Exception in HttpWebRequest#37618637:: - The request was aborted: Could not create SSL/TLS secure channel..
2016-09-20 15:10:17.5562 | ERROR | 72 | System.Net | [2688] Exception in HttpWebRequest#37618637::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..
2016-09-20 15:10:17.5562 | ERROR | 72 | System.Net | [2688] Exception in HttpWebRequest#37618637:: - The request was aborted: The request was canceled..

The InitializeSecurityContext ends up with line:

InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=MessageAltered)

To compare, here is one of the successful HTTPS calls:

2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] Associating HttpWebRequest#23767080 with ServicePoint#28841767
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] Associating Connection#23643787 with HttpWebRequest#23767080
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net.Sockets | [1900] Socket#66957105 - Created connection from x.x.x.x:12345 to y.y.y.y:443.
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] Connection#23643787 - Created connection from x.x.x.x:12345 to y.y.y.y:443.
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] TlsStream#51402822::.ctor(host=www.remoteservice.com, #certs=0)
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] Associating HttpWebRequest#23767080 with ConnectStream#55741749
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] HttpWebRequest#23767080 - Request: GET /api/v3/method/123 HTTP/1.1
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] ConnectStream#55741749 - Sending headers
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] SecureChannel#20739431::.ctor(hostname=www.remoteservice.com, #clientCertificates=0, encryptionPolicy=RequireEncryption)
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] SecureChannel#20739431 - Left with 0 client certificates to choose from.
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] Using the cached credential handle.
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:21.9128 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=379, returned code=ContinueNeeded).
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:11:21.9909 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:22.3190 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=574, returned code=ContinueNeeded).
2016-09-20 15:11:22.3815 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = e239863c90:3505fb0480, targetName = www.remoteservice.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=OK).
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] Remote certificate: [Version] V3 (more info on certificate here)
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] SecureChannel#20739431 - Remote certificate was verified as valid by the user.
2016-09-20 15:11:22.7878 | INFO | 47 | System.Net | [1900] ProcessAuthentication(Protocol=Tls12, Cipher=Aes256 256 bit strength, Hash=32781 0 bit strength, Key Exchange=DiffieHellman 4096 bit strength).
2016-09-20 15:11:22.8971 | INFO | 47 | System.Net | [1900] Connection#23643787 - Received status line: Version=1.1, StatusCode=200, StatusDescription=OK.
2016-09-20 15:11:22.8971 | INFO | 47 | System.Net | [1900] Connection#23643787 - Received headers
2016-09-20 15:11:22.8971 | INFO | 47 | System.Net | [1900] ConnectStream#43287324::ConnectStream(Buffered -1 bytes.)
2016-09-20 15:11:22.8971 | INFO | 47 | System.Net | [1900] Associating HttpWebRequest#23767080 with ConnectStream#43287324
2016-09-20 15:11:22.8971 | INFO | 47 | System.Net | [1900] Associating HttpWebRequest#23767080 with HttpWebResponse#32954516
2016-09-20 15:11:22.8971 | INFO | 47 | System.Net | [1900] ContentLength=-1

The ServicePointManager is configured as follows:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, errors) => true;
ServicePointManager.Expect100Continue = false;
ServicePointManager.DefaultConnectionLimit = 24;

The .NET framework version is 4.5.

Do you have any idea why this may happen?

Prashant H Phadke - MSFT · Accepted Answer

From a Schannel perspective, MessageAltered means: TLS1_ALERT_BAD_RECORD_MAC which as per RFC 5246: https://www.rfc-editor.org/rfc/rfc5246 means:

bad_record_mac This alert is returned if a record is received with an incorrect MAC. This alert also MUST be returned if an alert is sent because a TLSCiphertext decrypted in an invalid way: either it wasn't an even multiple of the block length, or its padding values, when checked, weren't correct. This message is always fatal and should never be observed in communication between proper implementations (except when messages were corrupted in the network).

The received message appears to be corrupted in some way/form leading to the error - because the decrypt cannot be performed. You'll probably have to contact the server vendor to correct their side of the problem or if you can't influence the server people then, retry the request - provided the subsequent request succeeds.

Random The request was aborted: Could not create SSL/TLS secure channel. Returned code=MessageAltered

Tags:

c#

.net

httpwebrequest

webrequest

tls1.2

piotrwest

1 Answers

Prashant H Phadke - MSFT

Recent Activity

Donate For Us

Random The request was aborted: Could not create SSL/TLS secure channel. Returned code=MessageAltered

Tags:

c#

.net

httpwebrequest

webrequest

tls1.2

piotrwest

1 Answers

Prashant H Phadke - MSFT

Related questions

Recent Activity

Donate For Us