Hi everyone,
I have an .net framework 4.7.2 C# WPF app running which also has a little .net 3.5 app inside it.
This is running 1500 computers in australia and has been for 18 months.
Today we started getting reports of computers having 'crashes'
Debugging has provided this info:
section: created rest options System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
What we have now found out is that it is Windows 7 clients all being affected.
Importantly:
Postman and google chrome can access the api
JUST the .net seems ot be having issues.
After seeing this I have downlaoded fiddler (for first time) and we are seeing a handshake issue:
fiddler.network.https> HTTPS handshake to www.mydomain.com.au (for #710) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted
Win32 (SChannel) Native Error Code: 0x80090326
But then when i booted fiddler im also seeing the same issue:
[Fiddler] The connection to 'api.getfiddler.com' failed. <br />System.Security.SecurityException Failed to negotiate HTTPS connection with server.fiddler.network.https> HTTPS handshake to api.getfiddler.com (for #1) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted
Win32 (SChannel) Native Error Code: 0x80090326
So maybe the fiddler API is in fact having the same connection issue as I do, but maybe thats not really going to be noticed because its an update checker for their API but mine is my whole app??
Any ideas would be appreciated.
Hi Glenn,
I believe the issue is happening due to a TLS version mismatch.
.NET Applications use WinHTTP by default for secure communications. Unfortunately, TLS 1.1 and TLS 1.2 are not enabled by default in Windows 7. To enable it, you'd need to install Update 3140245 and follow the instructions here:
https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client
Let us know if you continue experiencing the problem after that.
Best regards,
Zhivko
The weird part is that we havent changed anything on the server as far as i know and we havent changed the client app either!
Ive done a test on ssllabs and it does say 1.2 and 1.3 are supported but IE11, win7 -> win 8.1 nare not supported...
it does also say "fatal handshake" which is what wireshark and fiddler have been saying...
I'm just so confused why this has started now. Just 2 days ago! (after 18 months)
Hi,
Without further information about the setup, I wouldn't be able to tell you why it started happening, however, it's possible that a simple dependency upgrade or a change in the configuration disabled the TLS 1.0 or TLS 1.1 from the server. You can continue the investigation with your engineering team.
Let us know if there's anything else we can help with!
Zhivko