{"type":"doc","content":[{"type":"paragraph","content":[{"text":"There can be a number of reasons why apps fail to access the desired url data sources. One that has become more common is a failure to use a matching TLS cipher suite. These kinds of problems can appear to come from out of nowhere. One day the app works and the next day the same app no longer works.","type":"text"}]},{"type":"paragraph","content":[{"text":"Note that a URL that works in Chrome or other browser may not work in your .NET app if it is relying on Windows to handle the SSL/TLS networking. In cases like this you may also see the URL fail in Internet Explorer.","type":"text"}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{"maxLevel":{"value":"2"}},"macroMetadata":{"macroId":{"value":"51196d14-3ce1-48d6-b63f-290b43583b79"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"efec9d50-0ae8-46ad-b64a-6821fcb177c0"}},{"type":"heading","attrs":{"level":1},"content":[{"text":"Related Error Messages","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The request was aborted: Could not create SSL/TLS secure channel.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.","type":"text"}]}]}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Potential Solutions","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Mismatched Cipher Suites","type":"text"}]},{"type":"paragraph","content":[{"text":"This article describes in good detail a situation where the client machine doesn’t have an appropriate cipher suite to connect to the server. ","type":"text"},{"type":"hardBreak"},{"text":"https://blog.jonschneider.com/2016/08/fix-ssl-handshaking-error-in-windows.html","type":"text","marks":[{"type":"link","attrs":{"href":"https://blog.jonschneider.com/2016/08/fix-ssl-handshaking-error-in-windows.html"}}]}]},{"type":"paragraph","content":[{"text":"A cipher suite is a set of cryptographic algorithms. The Microsoft Secure Channel (aka ","type":"text"},{"text":"Schannel","type":"text","marks":[{"type":"code"}]},{"text":") security support provider (SSP) implementation of the TLS/SSL protocols use algorithms from a cipher suite to create keys and encrypt information. A cipher suite specifies one algorithm for each of the following tasks: Key exchange, Bulk encryption, Message authentication. ","type":"text"},{"text":"Schannel","type":"text","marks":[{"type":"code"}]},{"text":" is primarily used for Internet applications that require the use of HTTPS to send or receive data.","type":"text"}]},{"type":"paragraph","content":[{"text":"This link includes information on which ciphers are supported in each version of Windows.","type":"text"}]},{"type":"paragraph","content":[{"text":"https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel"}}]},{"text":" ","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Identify Website Cipher Suites","type":"text"}]},{"type":"paragraph","content":[{"text":"Use this online tool to analyze the host url. It provides certificate details, a complete list of accepted cipher suites and the results of simulated connections from a plethora of browsers and platforms.","type":"text"}]},{"type":"paragraph","content":[{"text":"https://www.ssllabs.com/ssltest/","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.ssllabs.com/ssltest/"}}]}]},{"type":"paragraph","content":[{"text":"To identify which cipher suite was used with a connection in Chrome - open the Dev Tools (F12) and select the Security tab. Example results below: ","type":"text"}]},{"type":"mediaSingle","attrs":{"layout":"center"},"content":[{"type":"media","attrs":{"width":469,"id":"e542cdc4-1f93-4ebe-9a20-c213de744d73","collection":"contentId-911540225","type":"file","height":372}}]},{"type":"mediaSingle","attrs":{"layout":"center"},"content":[{"type":"media","attrs":{"width":460,"id":"03b773ae-efe8-42e5-9929-06033d4ac529","collection":"contentId-911540225","type":"file","height":402}}]},{"type":"paragraph"},{"type":"heading","attrs":{"level":3},"content":[{"text":"Identify Available Cipher Suites on Client/App machine","type":"text"}]},{"type":"paragraph","content":[{"text":"There is an app called IIS Crypto that helps manage cipher suites on Windows Server machines. It is available from ","type":"text"},{"text":"https://www.nartac.com/Products/IISCrypto/","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.nartac.com/Products/IISCrypto/"}}]},{"text":". ","type":"text"}]},{"type":"paragraph","content":[{"text":"Default location and ordering of Cipher Suites:","type":"text"}]},{"type":"codeBlock","content":[{"text":"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Cryptography\\Configuration\\Local\\SSL\\0010002","type":"text"}]},{"type":"paragraph","content":[{"text":"Location of Cipher Suite ordering that is modified by setting group policy: (overrides above default values)","type":"text"}]},{"type":"codeBlock","content":[{"text":"Computer Configuration\\Administrative Templates\\Network\\SSL Configuration Settings\\SSL Cipher Suite Order","type":"text"}]},{"type":"paragraph","content":[{"text":"To configure the SSL Cipher Suite Order group policy setting (on windows server machines)","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"At a command prompt, enter ","type":"text"},{"text":"gpedit.msc","type":"text","marks":[{"type":"strong"}]},{"text":". The ","type":"text"},{"text":"Group Policy Object Editor","type":"text","marks":[{"type":"strong"}]},{"text":" appears.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Expand ","type":"text"},{"text":"Computer Configuration","type":"text","marks":[{"type":"strong"}]},{"text":", ","type":"text"},{"text":"Administrative Templates","type":"text","marks":[{"type":"strong"}]},{"text":", ","type":"text"},{"text":"Network","type":"text","marks":[{"type":"strong"}]},{"text":", and then click ","type":"text"},{"text":"SSL Configuration Settings","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Under ","type":"text"},{"text":"SSL Configuration Settings","type":"text","marks":[{"type":"strong"}]},{"text":", click the ","type":"text"},{"text":"SSL Cipher Suite Order","type":"text","marks":[{"type":"strong"}]},{"text":" setting.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In the ","type":"text"},{"text":"SSL Cipher Suite Order","type":"text","marks":[{"type":"strong"}]},{"text":" pane, scroll to the bottom of the pane.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Follow the instructions labeled ","type":"text"},{"text":"How to modify this setting","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"It is necessary to restart the computer after modifying this setting for the changes to take effect.","type":"text"}]},{"type":"paragraph","content":[{"text":"References","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"https://docs.microsoft.com/en-us/archive/blogs/askds/speaking-in-ciphers-and-other-enigmatic-tonguesupdate","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.microsoft.com/en-us/archive/blogs/askds/speaking-in-ciphers-and-other-enigmatic-tonguesupdate"}}]},{"text":" ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"https://docs.microsoft.com/en-us/windows/win32/secauthn/prioritizing-schannel-cipher-suites","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.microsoft.com/en-us/windows/win32/secauthn/prioritizing-schannel-cipher-suites"}}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Certificate is Invalid","type":"text"}]},{"type":"paragraph","content":[{"text":"Check the certificate on the site and make sure it’s valid. If it isn’t you may need to update it.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"App Config","type":"text"}]},{"type":"paragraph","content":[{"text":"You want to allow the app to select the most secure connection available from the OS. ","type":"text"}]},{"type":"paragraph","content":[{"text":"This article describes how to do this with options for different versions of the .Net Framework","type":"text"},{"type":"hardBreak"},{"text":"Transport Layer Security (TLS) best practices with the .NET Framework","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls"}}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Quick Notes and Samples","type":"text"}]},{"type":"paragraph","content":[{"text":"For apps using .NET Framework 4.6 - 4.6.2 and not WCF","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\n \n \n \n\n","type":"text"}]},{"type":"paragraph","content":[{"text":"For ","type":"text"},{"text":"ASP.Net","type":"text","marks":[{"type":"link","attrs":{"href":"http://ASP.Net"}}]},{"text":" apps:","type":"text"}]},{"type":"paragraph","content":[{"text":"For ASP.NET applications, inspect the element of web.config to verify you're using the intended version of the .NET Framework. Sample config below for .Net 4.6.1","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n \n \n \n \n \n \n \n \n \n\n","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"TLS 1.2 Support","type":"text"}]},{"type":"paragraph","content":[{"text":"As per Microsoft’s documentation, Windows 8.0 and Windows Server 2012 and up do support and enable by default the TLS 1.2 protocol. ","type":"text"}]},{"type":"paragraph","content":[{"type":"inlineCard","attrs":{"url":"https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls#support-for-tls-12"}},{"text":" ","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Recommendations","type":"text"}]},{"type":"paragraph","content":[{"type":"inlineCard","attrs":{"url":"https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls"}},{"text":" ","type":"text"}]},{"type":"paragraph","content":[{"text":"Consider the following recommendations:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"For ","type":"text"},{"text":"TLS 1.2","type":"text","marks":[{"type":"strong"}]},{"text":", target ","type":"text"},{"text":".NET Framework","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"4.7","type":"text","marks":[{"type":"strong"}]},{"text":" or later versions on your apps, and target ","type":"text"},{"text":".NET Framework 4.7.1 ","type":"text","marks":[{"type":"strong"}]},{"text":"or later versions on your WCF apps. (but 4.6 - 4.6.2 can be configured to work as well)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"For ","type":"text"},{"text":"TLS 1.3","type":"text","marks":[{"type":"strong"}]},{"text":", target ","type":"text"},{"text":".NET Framework 4.8","type":"text","marks":[{"type":"strong"}]},{"text":" or later.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Do not specify the TLS version. Configure your code to let the OS decide on the TLS version.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Perform a thorough code audit to verify you're not specifying a TLS or SSL version.","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"When your app lets the OS choose the TLS version:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"It automatically takes advantage of new protocols added in the future, such as TLS 1.3.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The OS blocks protocols that are discovered not to be secure.","type":"text"}]}]}]}],"version":1}

Browser not supported