Solving “Could not create SSL/TLS secure channel” error in .NET 4.6.x
Why do I see the error “Could not create SSL/TLS secure channel” in IIS-based Duo integrations?
Could not create SSL/TLS secure channel
A legacy ASP.NET Web API application which we support recently started logging an exception and also returning an HTTP 500 response to some of its endpoints. The exception, or at least an internal exception therein, was:
System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel
Having deprecated SSL3 and TLS1.0, I figured this had to do with a version mismatch between browser and server. That was true indeed. The reason the security protocol in my application didn’t default to TLS 1.2 is because it was running on. NET 4.6.2, and there is no default setting for the security protocol in. NET 4.6x. It was also running on a Windows version (2012 R2) which by default did not have newer versions of TLS enabled.
One solution is to recompile your website either by default or by targeting. NET 4.7, which has SecurityProtocolType. SystemDefault ‘s default value. According to the Microsoft. NET documentation, this setting “allows SslStream-based. NET Framework networking APIs (such as FTP, HTTP, and SMTP) to inherit the default security protocols from the operating system or any custom system administrator configurations.” That may not have helped in my case, since the OS had not enabled TLS1.2.
Strong Cryptography Mode
At the time, I couldn’t recompile the application, anyway, and so I needed to find another way to fix the problem by re configuring the OS. Ultimately, I was able to fix the problem by enabling something in Windows on the web server called “strong cryptography mode,” which you can read more background about here.
To make the change, I simply had to run the two commands on the server underneath in an elevated PowerShell prompt. The first command relates to x64.NET and the second to x86.NET.
Set-ItemProperty -Path ‘HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319’ -Name ‘SchUseStrongCrypto’ -Value ‘1’ -Type DWord
After running those commands, the following command can be executed to verify the setup:
This will list the enabled SSL / TLS protocols which now include TLS12 (i.e., TLS 1.2) in my case.
Finally, I just reset IIS to restart my application, and now I don’t get the exception “Couldn’t create a secure SSL / TLS channel” and the API returns HTTP 500 answers longer!