ChatGPT解决这个技术问题 Extra ChatGPT

The request was aborted: Could not create SSL/TLS secure channel

We are unable to connect to an HTTPS server using WebRequest because of this error message:

The request was aborted: Could not create SSL/TLS secure channel.

We know that the server doesn't have a valid HTTPS certificate with the path used, but to bypass this issue, we use the following code that we've taken from another StackOverflow post: 

private void Somewhere() {
    ServicePointManager.ServerCertificateValidationCallback += new RemoteCertificateValidationCallback(AlwaysGoodCertificate);
}

private static bool AlwaysGoodCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors policyErrors) {
   return true;
}

The problem is that server never validates the certificate and fails with the above error. Does anyone have any idea of what I should do?

I should mention that a colleague and I performed tests a few weeks ago and it was working fine with something similar to what I wrote above. The only "major difference" we've found is that I'm using Windows 7 and he was using Windows XP. Does that change something?

Check this also stackoverflow.com/questions/1600743/…
It's 2018 and this question has been viewed 308,056 times but still there is no proper fix for this!! I get this issue randomly and none of the fixes mentioned here or in any other threads have solved my issue.
@NigelFds The error The request was aborted: Could not create SSL/TLS secure channel is a very generic one. It basically says, "the SSL/TLS/HTTPS connection initialization failed for one of many possible reasons". So if you get it regularly in a specific situation, your best option is to ask a specific question giving specific details about that situation. And checking the Event Viewer for more information. And/or enable some .NET client-side debugging to get more details (is the server cert not trusted? is there a cipher mismatch? SSL/TLS protocol version mismatch? etc).
@MarnixKlooster I have already checked all of that, It can't be an issue with the certificate as if i retry it , it works. And I doubt I'd be able to ask this question on SO without someone coming and marking it as duplicate or something .
@NigelFds Using 4.5.2 is almost surely a large part of the problem. The runtime determines the security protocol defaults, and 4.5.x only has SSL 3.0 and TLS 1.0 enabled, meaning if your app calls an API that has TLS 1.0 disabled, it will fail. Try a higher .NET Framework, preferably 4.7 or higher. Please see my answer for more details, especially if your app is an ASP.NET site.

S
Simon Dugré

I finally found the answer (I haven't noted my source but it was from a search);

While the code works in Windows XP, in Windows 7, you must add this at the beginning: 

// using System.Net;
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
// Use SecurityProtocolType.Ssl3 if needed for compatibility reasons

And now, it works perfectly.

ADDENDUM

As mentioned by Robin French; if you are getting this problem while configuring PayPal, please note that they won't support SSL3 starting by December, 3rd 2018. You'll need to use TLS. Here's Paypal page about it.

Going down to SecurityProtocolType.Tls12 actually fixed this problem for me. See my answer below.
SSLv3 is 18 years old and now susceptible to the POODLE exploit - as @LoneCoder recommends SecurityProtocolType.Tls12 is the suitable replacement for SecurityProtocolType.Ssl3
SecurityProtocolType.Tls might actually be a better alternative until an exploit is found for that (not all sites support Tls12 as of writing)
PayPal have set a date of June 30 2017 to disable SSL3 and implement TLS1.2. It is already applied in their sandbox environment paypal-knowledge.com/infocenter/…
See this as well. You don't need to exclusively set it to a single type, you can simply append as well. System.Net.ServicePointManager.SecurityProtocol |= System.Net.SecurityProtocolType.Tls12;
A
Andrej Z

The solution to this, in .NET 4.5 is 

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

If you don’t have .NET 4.5 then use 

ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
Thank you! I need to use .net 4.0 and didn't know how to solve this. This seems to work here. :)
Doesn't work on Windows Server 2008R2 (and possibly on 2012 as well)
@billpg , read this for more exact answer
For VB types (since this answer shows up in Google), the equivalent code is ServicePointManager.SecurityProtocol = DirectCast(3072, SecurityProtocolType)
This answer is extremely useful for the .NET 4.0 addendum
s
soccer7

Make sure the ServicePointManager settings are made before the HttpWebRequest is created, else it will not work.

Works: 

ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls
       | SecurityProtocolType.Tls11
       | SecurityProtocolType.Tls12
       | SecurityProtocolType.Ssl3;

HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://google.com/api/")

Fails: 

HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://google.com/api/")

ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls
       | SecurityProtocolType.Tls11
       | SecurityProtocolType.Tls12
       | SecurityProtocolType.Ssl3;
Whats the difference between Works and Fails you mentioned above?
Awesome. My request only worked after the second try, which did not make sense and then I saw your post, moved the security protocol before the request and voilà, fixed. Thanks @hogarth45
Exactly! when i placed ServicePointManager just before the request is created, it worked for me, Thanks man, You saved my day.
In our case, the request failed for the first time and worked afterward. That was exactly because of the reason stated in this answer!
I can't believe something as silly as initialization order solved this problem for me. SMH. Thanks @horgath45!!
J
JLRishe

Note: Several of the highest voted answers here advise setting ServicePointManager.SecurityProtocol, but Microsoft explicitly advises against doing that. Below, I go into the typical cause of this issue and the best practices for resolving it.

One of the biggest causes of this issue is the active .NET Framework version. The .NET framework runtime version affects which security protocols are enabled by default.

In ASP.NET sites, the framework runtime version is often specified in web.config. (see below)

In other apps, the runtime version is usually the version for which the project was built, regardless of whether it is running on a machine with a newer .NET version.

There doesn't seem to be any authoritative documentation on how it specifically works in different versions, but it seems the defaults are determined more or less as follows:

Framework Version Default Protocols 4.5 and earlier SSL 3.0, TLS 1.0 4.6.x TLS 1.0, 1.1, 1.2, 1.3 4.7+ System (OS) Defaults

For the older versions, your mileage may vary somewhat based on which .NET runtimes are installed on the system. For example, there could be a situation where you are using a very old framework and TLS 1.0 is not supported, or using 4.6.x and TLS 1.3 is not supported.

Microsoft's documentation strongly advises using 4.7+ and the system defaults:

We recommend that you: Target .NET Framework 4.7 or later versions on your apps. Target .NET Framework 4.7.1 or later versions on your WCF apps. Do not specify the TLS version. Configure your code to let the OS decide on the TLS version. Perform a thorough code audit to verify you're not specifying a TLS or SSL version.

For ASP.NET sites: check the targetFramework version in your <httpRuntime> element, as this (when present) determines which runtime is actually used by your site: 

<httpRuntime targetFramework="4.5" />

Better: 

<httpRuntime targetFramework="4.7" />
Added to was the fix for me.
I had the same problem appear on one of my projects (it had been ok previously). It turned out it's because web sites are moving with the times and no longer support older security protocols. I updated the framework on my project from 4 to 4.6.1 and it worked again without any code change being needed.
This fixed the issue for me in 3 of my web apps
The accepted answer By Simon Dugre would have worked for me, but I would have needed to add security protocol definition in multiple places. Updating the target framework in web.config resolved the issue app-wide.
I
InteXX

I had this problem trying to hit https://ct.mob0.com/Styles/Fun.png, which is an image distributed by CloudFlare on its CDN that supports crazy stuff like SPDY and weird redirect SSL certs.

Instead of specifying Ssl3 as in Simons answer I was able to fix it by going down to Tls12 like this: 

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
new WebClient().DownloadData("https://ct.mob0.com/Styles/Fun.png");
Thanks Lone... this is crazy how there seems to have many different possibilities of issues depending of situation... And, as I can see, there is no real documentation of that. Well, thanks to point out for someone who'll may experience same problem.
This worked for me. I faced the Error when i switched from office LAN to my home network. Same code, same laptop!
Do you get the error always (in all requests) or sometimes ?
C
Community

The problem you're having is that the aspNet user doesn't have access to the certificate. You have to give access using the winhttpcertcfg.exe

An example on how to set this up is at: http://support.microsoft.com/kb/901183

Under step 2 in more information

EDIT: In more recent versions of IIS, this feature is built in to the certificate manager tool - and can be accessed by right clicking on the certificate and using the option for managing private keys. More details here: https://serverfault.com/questions/131046/how-to-grant-iis-7-5-access-to-a-certificate-in-certificate-store/132791#132791

I've tried executing winhttpcertcfg.exe ... note that I'm on Windows 7. Can it changes something?
I am not sure if it is related, but this post gave me the idea to run VS as admin when making this call from VS and that fixed the issue for me.
In Windows 7 and later, the certificate must be in the store for the Local Computer rather than Current User in order to "Manage Private Keys"
Yep, this was my problem. use mmc.exe, add the certificates snap-in (for me I then chose 'local computer'). Right-click certificate, all tasks, manage private keys. Add 'everyone' (for local dev this is easiest - prod obviously needs your explicit IIS website app pool / user)
R
Remus Rusanu

The error is generic and there are many reasons why the SSL/TLS negotiation may fail. The most common is an invalid or expired server certificate, and you took care of that by providing your own server certificate validation hook, but is not necessarily the only reason. The server may require mutual authentication, it may be configured with a suites of ciphers not supported by your client, it may have a time drift too big for the handshake to succeed and many more reasons.

The best solution is to use the SChannel troubleshooting tools set. SChannel is the SSPI provider responsible for SSL and TLS and your client will use it for the handshake. Take a look at TLS/SSL Tools and Settings.

Also see How to enable Schannel event logging.

Where is the path for Schannel event logging in Windows 7-8-10 ?
troubleshoot TLS/SSL programatically in C# ?
@PreguntonCojoneroCabrón This is the path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL, set EventLogging to 1. Find those logs from Event Viewer by filtering them based on source as Schannel.
N
Nick Gotch

After many long hours with this same issue I found that the ASP.NET account the client service was running under didn't have access to the certificate. I fixed it by going into the IIS Application Pool that the web app runs under, going into Advanced Settings, and changing the Identity to the LocalSystem account from NetworkService.

A better solution is to get the certificate working with the default NetworkService account but this works for quick functional testing.

This answer should have more up-votes. After a week of researching, this is the only solution that worked for me. Thanks!!
It also took me days of ever-growing frustation before finding this post that also solves it for me. In my case the AppPool was running as ApplicationPoolIdentity which is the default setting, but changing it to LocalSystem solved the issue.
What if my application is console application that too developed in .net Core (FW 5.0) ??
s
simply good

The approach with setting 

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12

Seems to be okay, because Tls1.2 is latest version of secure protocol. But I decided to look deeper and answer do we really need to hardcode it.

Specs: Windows Server 2012R2 x64.

From the internet there is told that .NetFramework 4.6+ must use Tls1.2 by default. But when I updated my project to 4.6 nothing happened. I have found some info that tells I need manually do some changes to enable Tls1.2 by default

https://support.microsoft.com/en-in/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi

But proposed windows update doesnt work for R2 version

But what helped me is adding 2 values to registry. You can use next PS script so they will be added automatically 

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

That is kind of what I was looking for. But still I cant answer on question why NetFramework 4.6+ doesn't set this ...Protocol value automatically?

do you need to restart the server after making those changes?
@Sharon If you are talking about the machine - no, just restarting the application/host should be enough
Adding the registry keys helped in my case. Additional info from docs.microsoft.com/en-us/dotnet/framework/network-programming/… "A value of 1 causes your app to use strong cryptography. The strong cryptography uses more secure network protocols (TLS 1.2, TLS 1.1, and TLS 1.0) and blocks protocols that are not secure. A value of 0 disables strong cryptography." Restarting my app was enough.
@bugybunny thank you, I will update the answer
If your project is an ASP.NET site, then what usually matters is the framework version specified in the web.config and not the version that the .csproj targets. I elaborate on this in my answer.
J
Jon Schneider

Another possible cause of the The request was aborted: Could not create SSL/TLS secure channel error is a mismatch between your client PC's configured cipher_suites values, and the values that the server is configured as being willing and able to accept. In this case, when your client sends the list of cipher_suites values that it is able to accept in its initial SSL handshaking/negotiation "Client Hello" message, the server sees that none of the provided values are acceptable, and may return an "Alert" response instead of proceeding to the "Server Hello" step of the SSL handshake.

To investigate this possibility, you can download Microsoft Message Analyzer, and use it to run a trace on the SSL negotiation that occurs when you try and fail to establish an HTTPS connection to the server (in your C# app).

If you are able to make a successful HTTPS connection from another environment (e.g. the Windows XP machine that you mentioned -- or possibly by hitting the HTTPS URL in a non-Microsoft browser that doesn't use the OS's cipher suite settings, such as Chrome or Firefox), run another Message Analyzer trace in that environment to capture what happens when the SSL negotiation succeeds.

Hopefully, you'll see some difference between the two Client Hello messages that will allow you to pinpoint exactly what about the failing SSL negotiation is causing it to fail. Then you should be able to make configuration changes to Windows that will allow it to succeed. IISCrypto is a great tool to use for this (even for client PCs, despite the "IIS" name).

The following two Windows registry keys govern the cipher_suites values that your PC will use:

HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002

HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002

Here's a full writeup of how I investigated and solved an instance of this variety of the Could not create SSL/TLS secure channel problem: http://blog.jonschneider.com/2016/08/fix-ssl-handshaking-error-in-windows.html

In my case, this answer is helpful. Also, since I suspected my client PC missed some cipher suites, I took a shortcut and installed this Windows Update directly to try my luck (support.microsoft.com/en-hk/help/3161639, needs Windows reboot) before really starting the Message Analyzer search, and turned out I was lucky and it solved my problem, saving myself a search.
Note that when you test a HTTPS link in browsers such as Firefox, even if you get a different cipher than the ones provided by any given Windows Update, the Windows Update is still worth to be tried, because installing new ciphers will affect the cipher negotiation between the client PC and server, thus increasing the hope of finding a match.
To the point answer for my problem. Two things that helped me to find the changes to make. 1. Cipher Suites supported by the web server: ssllabs.com/ssltest 2. Cipher Suites that different Windows versions support: docs.microsoft.com/en-us/windows/win32/secauthn/…
S
SpoiledTechie.com

Something the original answer didn't have. I added some more code to make it bullet proof. 

ServicePointManager.Expect100Continue = true;
        ServicePointManager.DefaultConnectionLimit = 9999;
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12 | SecurityProtocolType.Ssl3;
I would not recommend the added SSL3 protocol.
SSL3 has a severe security issue called 'Poodle'.
@PeterdeBruijn Tls and Tls11 are obsoletes ?
@Kiquenet - yes. As of June 2018 the PCI (Payment Card Industries) will not allow protocols lower than TLS1.2. (This was originally slated for 06/2017 but was postponed for a year)
There are five protocols in the SSL/TLS family: SSL v2, SSL v3, TLS v1.0, TLS v1.1, and TLS v1.2: github.com/ssllabs/research/wiki/… SSL v2 unsecure, SSL v3 is insecure when used with HTTP (the POODLE attack), TLS v1.0, TLS v1.1 obsoletes Only valid option will be ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12?
A
APW

The top-voted answer will probably be enough for most people. However, in some circumstances, you could continue getting a "Could not create SSL/TLS secure channel" error even after forcing TLS 1.2. If so, you may want to consult this helpful article for additional troubleshooting steps. To summarize: independent of the TLS/SSL version issue, the client and server must agree on a "cipher suite." During the "handshake" phase of the SSL connection, the client will list its supported cipher-suites for the server to check against its own list. But on some Windows machines, certain common cipher-suites may have been disabled (seemingly due to well-intentioned attempts to limit attack surface), decreasing the possibility of the client & server agreeing on a cipher suite. If they cannot agree, then you may see "fatal alert code 40" in the event viewer and "Could not create SSL/TLS secure channel" in your .NET program.

The aforementioned article explains how to list all of a machine's potentially-supported cipher suites and enable additional cipher suites through the Windows Registry. To help check which cipher suites are enabled on the client, try visiting this diagnostic page in MSIE. (Using System.Net tracing may give more definitive results.) To check which cipher suites are supported by the server, try this online tool (assuming that the server is Internet-accessible). It should go without saying that Registry edits must be done with caution, especially where networking is involved. (Is your machine a remote-hosted VM? If you were to break networking, would the VM be accessible at all?)

In my company's case, we enabled several additional "ECDHE_ECDSA" suites via Registry edit, to fix an immediate problem and guard against future problems. But if you cannot (or will not) edit the Registry, then numerous workarounds (not necessarily pretty) come to mind. For example: your .NET program could delegate its SSL traffic to a separate Python program (which may itself work, for the same reason that Chrome requests may succeed where MSIE requests fail on an affected machine).

That feeling when I mouse over the "this helpful article" link to see what it might be, and it's a link to an article on my own blog. 😅
H
HoldOffHunger

"The request was aborted: Could not create SSL/TLS secure channel" exception can occur if the server is returning an HTTP 401 Unauthorized response to the HTTP request.

You can determine if this is happening by turning on trace-level System.Net logging for your client application, as described in this answer.

Once that logging configuration is in place, run the application and reproduce the error, then look in the logging output for a line like this: 

System.Net Information: 0 : [9840] Connection#62912200 - Received status line: Version=1.1, StatusCode=401, StatusDescription=Unauthorized.

In my situation, I was failing to set a particular cookie that the server was expecting, leading to the server responding to the request with the 401 error, which in turn led to the "Could not create SSL/TLS secure channel" exception.

My task scheduler execute every day (not weekend). I get the same error, but sometimes (2 errors in 2 months). When I get the error, later few minutes I try again manually and all is OK.
S
Sherlock

Another possibility is improper certificate importation on the box. Make sure to select encircled check box. Initially I didn't do it, so code was either timing out or throwing same exception as private key could not be located.

https://i.stack.imgur.com/0lMgD.jpg

A client kept having to re-install the cert in order to use a client program. Over and over again they would have to re-install the cert before using the program. I'm hoping this answer fixes that issue.
s
soccer7

This one is working for me in MVC webclient 

public string DownloadSite(string RefinedLink)
{
    try
    {
        Uri address = new Uri(RefinedLink);

        ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;

        System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

        using (WebClient webClient = new WebClient())
        {
            var stream = webClient.OpenRead(address);
            using (StreamReader sr = new StreamReader(stream))
            {
                var page = sr.ReadToEnd();

                return page;
            }
        }

    }
    catch (Exception e)
    {
        log.Error("DownloadSite - error Lin = " + RefinedLink, e);
        return null;
    }
}
Would override ServerCertificateValidationCallback introduce new security hole?
this works for me like a JET
@user1021364 can it hack my system. since we are not doing a actual web system.
T
Terje Solem

I had this problem because my web.config had: 

<httpRuntime targetFramework="4.5.2" />

and not: 

<httpRuntime targetFramework="4.6.1" />
That fixed my issue. In the client app in webconfig file I had httpRuntime setup as 4.5. Changed it to 4.7.2. I had earlier upgrade from 4.5 to 4.7.2 but not sure why it was not updated. Anyway it helped me.
M
Merlyn007

Doing this helped me: 

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
T
TCC

As you can tell there are plenty of reasons this might happen. Thought I would add the cause I encountered ...

If you set the value of WebRequest.Timeout to 0, this is the exception that is thrown. Below is the code I had... (Except instead of a hard-coded 0 for the timeout value, I had a parameter which was inadvertently set to 0). 

WebRequest webRequest = WebRequest.Create(@"https://myservice/path");
webRequest.ContentType = "text/html";
webRequest.Method = "POST";
string body = "...";
byte[] bytes = Encoding.ASCII.GetBytes(body);
webRequest.ContentLength = bytes.Length;
var os = webRequest.GetRequestStream();
os.Write(bytes, 0, bytes.Length);
os.Close();
webRequest.Timeout = 0; //setting the timeout to 0 causes the request to fail
WebResponse webResponse = webRequest.GetResponse(); //Exception thrown here ...
Wow! Thanks for mentioning this. Couldn't believe this in the first place and tried tons of different things first. Then, finally, set the timeout to 10sec and the exception disappeared! This is the solution for me. (y)
C
Community

The root of this exception in my case was that at some point in code the following was being called: 

ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;

This is really bad. Not only is it instructing .NET to use an insecure protocol, but this impacts every new WebClient (and similar) request made afterward within your appdomain. (Note that incoming web requests are unaffected in your ASP.NET app, but new WebClient requests, such as to talk to an external web service, are).

In my case, it was not actually needed, so I could just delete the statement and all my other web requests started working fine again. Based on my reading elsewhere, I learned a few things:

This is a global setting in your appdomain, and if you have concurrent activity, you can't reliably set it to one value, do your action, and then set it back. Another action may take place during that small window and be impacted.

The correct setting is to leave it default. This allows .NET to continue to use whatever is the most secure default value as time goes on and you upgrade frameworks. Setting it to TLS12 (which is the most secure as of this writing) will work now but in 5 years may start causing mysterious problems.

If you really need to set a value, you should consider doing it in a separate specialized application or appdomain and find a way to talk between it and your main pool. Because it's a single global value, trying to manage it within a busy app pool will only lead to trouble. This answer: https://stackoverflow.com/a/26754917/7656 provides a possible solution by way of a custom proxy. (Note I have not personally implemented it.)

Contrary to your general rule of thumb, I'll add that there is an exception when you MUST set it to TLS 1.2, rather than letting the default run. If you are on a framework older than .NET 4.6, and you disable insecure protocols on your server (SSL or TLS 1.0/1.1), then you cannot issue requests unless you force the program into TLS 1.2.
b
bplus

If you are running your code from Visual Studio, try running Visual Studio as administrator. Fixed the issue for me.

That probably means that you didn't have access to the certificate, or perhaps its private key, in the user account you were running in.
D
Dinesh Rajan

In my case, the service account running the application did not have permission to access the private key. Once I gave this permission, the error went away

mmc certificates Expand to personal select cert right click All tasks Manage private keys Add the service account user

Can you please expand on the answer with full process by adding screenshots and such? What do you add in step 8?
Love you, man. Saved my day
P
Priyank Sharma

Finally found solution for me.

Try this adding below line before calling https url (for .Net framework 4.5):

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

a
aghost

I have struggled with this problem all day.

When I created a new project with .NET 4.5 I finally got it to work.

But if I downgraded to 4.0 I got the same problem again, and it was irreversable for that project (even when i tried to upgrade to 4.5 again).

Strange no other error message but "The request was aborted: Could not create SSL/TLS secure channel." came up for this error

The reason that this worked may have been because different .NET versions support different SSL/TLS protocol versions. More info: blogs.perficient.com/microsoft/2016/04/tsl-1-2-and-net-support
c
cnom

In case that the client is a windows machine, a possible reason could be that the tls or ssl protocol required by the service is not activated.

This can be set in:

Control Panel -> Network and Internet -> Internet Options -> Advanced

Scroll settings down to "Security" and choose between

Use SSL 2.0

Use SSL 3.0

Use TLS 1.0

Use TLS 1.1

Use TLS 1.2

https://i.stack.imgur.com/kJMcX.png

any issue in ticking all of them ?
no issues, as far as I know... except that ssl are not any more recommended... they are not considered secure enough.
how-to do it programatically in powershell ?
This is something that affects older versions of Windows, Do some research, find out what security options are currently in use. As of today see this link: tecadmin.net/enable-tls-on-windows-server-and-iis
c
capdragon

System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.

In our case, we where using a software vendor so we didn't have access to modify the .NET code. Apparently .NET 4 won't use TLS v 1.2 unless there is a change.

The fix for us was adding the SchUseStrongCrypto key to the registry. You can copy/paste the below code into a text file with the .reg extension and execute it. It served as our "patch" to the problem. 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
Here PS for quick edit: New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value "1" -Type DWord
Here PS for quick edit2: New-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value "1" -Type DWord
s
sina alizadeh

none of this answer not working for me , the google chrome and postman work and handshake the server but ie and .net not working. in google chrome in security tab > connection show that encrypted and authenticated using ECDHE_RSA with P-256 and AES_256_GCM cipher suite to handshake with the server.

https://i.stack.imgur.com/zVnGE.png

i install IIS Crypto and in cipher suites list on windows server 2012 R2 ican't find ECDHE_RSA with P-256 and AES_256_GCM cipher suite. then i update windows to the last version but the problem not solve. finally after searches i understood that windows server 2012 R2 not support GSM correctly and update my server to windows server 2016 and my problem solved.

S
Stephen Rauch

I was having this same issue and found this answer worked properly for me. The key is 3072. This link provides the details on the '3072' fix. 

ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;

XmlReader r = XmlReader.Create(url);
SyndicationFeed albums = SyndicationFeed.Load(r);

In my case two feeds required the fix: 

https://www.fbi.gov/feeds/fbi-in-the-news/atom.xml
https://www.wired.com/feed/category/gear/latest/rss
This solution works even if you're using the ancient 4.0 .NET framework.
s
sports

None of the answers worked for me.

This is what worked:

Instead of initializing my X509Certifiacte2 like this: 

   var certificate = new X509Certificate2(bytes, pass);

I did it like this: 

   var certificate = new X509Certificate2(bytes, pass, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);

Notice the X509KeyStorageFlags.Exportable !!

I didn't change the rest of the code (the WebRequest itself): 

// I'm not even sure the first two lines are necessary:
ServicePointManager.Expect100Continue = true; 
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

request = (HttpWebRequest)WebRequest.Create(string.Format("https://{0}.sii.cl/cvc_cgi/dte/of_solicita_folios", server));
request.Method = "GET";
request.Referer = string.Format("https://hercules.sii.cl/cgi_AUT2000/autInicio.cgi?referencia=https://{0}.sii.cl/cvc_cgi/dte/of_solicita_folios", servidor);
request.UserAgent = "Mozilla/4.0";
request.ClientCertificates.Add(certificate);
request.CookieContainer = new CookieContainer();

using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
{
    // etc...
}

In fact I'm not even sure that the first two lines are necessary...

In my case this problem occurred ONLY when hosting the process in IIS (i.e. the webapp making a call elsewhere). - This fixed it! Thanks for sharing!
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; using this line worked for me.
L
Lionel Gaillard

This fixed for me, add Network Service to permissions. Right click on the certificate > All Tasks > Manage Private Keys... > Add... > Add "Network Service".

Can you please expand on the answer with screenshots?
O
OfirD

Another possibility is that the code being executed doesn't have the required premissions.

In my case, I got this error when using Visual Studio debugger to test a call to a web service. Visual Studio wasn't running as Administrator, which caused this exception.

关注公众号,不定期副业成功案例分享
Follow WeChat

Success story sharing

Want to stay one step ahead of the latest teleworks?

Subscribe Now

HuntsBot,a one-stop outsourcing task, remote job, product ideas sharing and subscription platform, which supports DingTalk, Lark, WeCom, Email and Telegram robot subscription. The platform will push outsourcing task requirements, remote work opportunities, product ideas to every subscribed user with timely, stable and reliable.

简体中文 English

Platform

Support

Contact US

Any questions or suggestions during use, you can contact us in the following ways:

Email: huntsbot@xinbeitime.com

Copyright© 2022-2023 www.huntsbot.com 浙ICP备2022000860号-4 All Rights Reserved.