C
C#7mo ago
mini

✅ The request was aborted: a protected SSL/TLS channel could not be created

I'm trying to send a web request in .NET 4.8, but I keep getting The request was aborted: a protected SSL/TLS channel could not be created. I've did a lot of googling and people suggested all kinds of stuff, but no matter what I tried it didn't work. Here's stuff I tried: 
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls | SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls13;
ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls | SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls13;
ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
I've tried various combinations of security protocols, like specifying just Tls12 which seems to fix it for some, but without any success. When accessing the URL I'm requesting in the browser and check devtools, I can see that it uses a Tls13 encryption. Not sure if that info is of any help.
83 Replies
mini
miniOP7mo ago
Unfortunately, I'm bound to .NET 4.8 here since it is an existing codebase that is not mine, which is a bit older and I'm just trying to get to work. 
Request = WebRequest.Create(Url) as HttpWebRequest;
Request.KeepAlive = useFallbackPath != true;
Request.Host = Url.Split('/')[2];
Request.AutomaticDecompression = DecompressionMethods.GZip | DecompressionMethods.Deflate;
Request.ReadWriteTimeout = System.Threading.Timeout.Infinite;
Request.Timeout = System.Threading.Timeout.Infinite;

Response = Request.GetResponse() as HttpWebResponse;
Request = WebRequest.Create(Url) as HttpWebRequest;
Request.KeepAlive = useFallbackPath != true;
Request.Host = Url.Split('/')[2];
Request.AutomaticDecompression = DecompressionMethods.GZip | DecompressionMethods.Deflate;
Request.ReadWriteTimeout = System.Threading.Timeout.Infinite;
Request.Timeout = System.Threading.Timeout.Infinite;

Response = Request.GetResponse() as HttpWebResponse;
@Nikoλas wdym by is the certificate trusted? my browser accepts it fine, not sure why .NET 4.8 wouldnt
ProIcons
ProIcons7mo ago
.NET and Java are using a "cache" of the CAs
mini
miniOP7mo ago
iirc the game servers had an update on their ssl ciphers sometime ago, and around that time it broke
ProIcons
ProIcons7mo ago
the Trusted CAs
mini
miniOP7mo ago
the game server runs on a certificate that should be trusted by windows as usual, nothing special
x0rld 👻 🎃
x0rld 👻 🎃7mo ago
btw remove tls 1.1 and tls 1.0 that could cause some issue 
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls | SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls13;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls | SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls13;
cap5lut
cap5lut7mo ago
arent they using the OS' trusted CA pool?
mini
miniOP7mo ago
I tried it all, didn't really make a difference
ProIcons
ProIcons7mo ago
Java certainly isn't i think NET FX didn't too
cap5lut
cap5lut7mo ago
aaah right, forgot that its .net fx
ProIcons
ProIcons7mo ago
@mini lets experiment a bit 
public static void InitiateSSLTrust()
{
    try
    {
        //Change SSL checks so that all checks pass
        ServicePointManager.ServerCertificateValidationCallback =
           new RemoteCertificateValidationCallback(
                delegate
                { return true; }
            );
    }
    catch (Exception ex)
    {
        ActivityLog.InsertSyncActivity(ex);
    }
public static void InitiateSSLTrust()
{
    try
    {
        //Change SSL checks so that all checks pass
        ServicePointManager.ServerCertificateValidationCallback =
           new RemoteCertificateValidationCallback(
                delegate
                { return true; }
            );
    }
    catch (Exception ex)
    {
        ActivityLog.InsertSyncActivity(ex);
    }
invoke this and see if it makes any difference (do not use it) just for testing ignore the activity log
mini
miniOP7mo ago
When do I invoke it?
ProIcons
ProIcons7mo ago
on startup
mini
miniOP7mo ago
there shouldnt be any exceptions, I've tried this code before ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
ProIcons
ProIcons7mo ago
and it keeps on failing ?
mini
miniOP7mo ago
yup
ProIcons
ProIcons7mo ago
can we see the detailed exception and can you show me the SSL Cert of the remote service? mask what you have just want the CA
mini
miniOP7mo ago
The exception is just the title of the thread, there's no inner exception, nothing https://a.ppy.sh/7562902
ProIcons
ProIcons7mo ago
?
mini
miniOP7mo ago
That's the avatar server
ProIcons
ProIcons7mo ago
oh thats the service
ProIcons
ProIcons7mo ago
No description
ProIcons
ProIcons7mo ago
i presume you are on Windows?
mini
miniOP7mo ago
yup
ProIcons
ProIcons7mo ago
are you behind a proxy?
mini
miniOP7mo ago
It's worth noting that this does work on .NET 8 nop
mini
miniOP7mo ago
No description
mini
miniOP7mo ago
This did work in csharprepl I believe the issue is specifically related to <=.NET 4.8 I've read a lot about tls/ssl errors related to those older versions
cap5lut
cap5lut7mo ago
which windows version btw?
ProIcons
ProIcons7mo ago
https://dotnetfiddle.net/HxLn18
HM | C# Online Compiler | .NET Fiddle
HM | Test your C# code online with .NET Fiddle code editor.
cap5lut
cap5lut7mo ago
TLS 1.3 is supported starting in Windows 11 and Windows Server 2022. Enabling TLS 1.3 on earlier versions of Windows is not a safe system configuration.
(https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-)
ProIcons
ProIcons7mo ago
use only 1.2 SecurityProtocolType.Tls12
mini
miniOP7mo ago
tried that as well i tried all kinds of security protocols without success
ProIcons
ProIcons7mo ago
use hardcoded this code: 
using System;
using System.Net;
                    
public class Program
{
    public static void Main()
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        var Request = WebRequest.Create("https://a.ppy.sh/7562902") as HttpWebRequest;
        var Response = Request.GetResponse() as HttpWebResponse;
        Console.WriteLine(Response.StatusCode);
        
    }
}
using System;
using System.Net;
                    
public class Program
{
    public static void Main()
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        var Request = WebRequest.Create("https://a.ppy.sh/7562902") as HttpWebRequest;
        var Response = Request.GetResponse() as HttpWebResponse;
        Console.WriteLine(Response.StatusCode);
        
    }
}
on a new project maybe with net 4.8.x this works on dotnetfiddle
cap5lut
cap5lut7mo ago
this seems to be outdated or so, im on win10 and i still get TLS 1.3
ProIcons
ProIcons7mo ago
on net 4.7
mini
miniOP7mo ago
Ill try in a second. Only thing I can think of is this massive codebase having some code somewhere that messes it up. But I know for a fact that changing ServicePointManager.SecurityProtocol does have an impact on the request because if I set it to Ssl3 i get a different error
ProIcons
ProIcons7mo ago
SSL is legacy we say SSL these days but its long deprecated TLS is what we all use
mini
miniOP7mo ago
yeah I know, just saying
ProIcons
ProIcons7mo ago
is the project opensource?
mini
miniOP7mo ago
nop
ProIcons
ProIcons7mo ago
is it a UI app ?
cap5lut
cap5lut7mo ago
its osu isnt it?
mini
miniOP7mo ago
yeah It's not a game client, its a tool related to it
ProIcons
ProIcons7mo ago
Search on project for ServicePointManager and see if there are configurations applied to it
mini
miniOP7mo ago
ohhhhhhh
mini
miniOP7mo ago
No description
mini
miniOP7mo ago
but I'm overwriting it
ProIcons
ProIcons7mo ago
change it to Tls12 and try
mini
miniOP7mo ago
This is in a static constructor, which gets called before the entry point So when I had it in the entrypoint I should've overwritten it, but ill try
ProIcons
ProIcons7mo ago
also change the Expect100Continue
mini
miniOP7mo ago
ohhh it works now how did it not work before when I did the exact same in the entry point oh god I believe I know why
ProIcons
ProIcons7mo ago
maybe the flow is different than what you think
mini
miniOP7mo ago
Are static constructors on referenced libraries only ran when the first piece of code from that library is ran? Because that code is in a static constructor but not in the entry assembly
ProIcons
ProIcons7mo ago
$itdepends
MODiX
MODiX7mo ago
cap5lut
cap5lut7mo ago
when trying that it works for me in.net fx 4.8, with just tls3 it doesnt. i guess the browsers dont use the same implementation as .net fx
mini
miniOP7mo ago
yup! It runs the entry point first dang it but thanks a lot for the help
cap5lut
cap5lut7mo ago
static constructors are executed when the type is first used
mini
miniOP7mo ago
ohh
cap5lut
cap5lut7mo ago
so if u never touch a class C which has a static constructor, it will never run
mini
miniOP7mo ago
rightt it was only the static <Module>::ctor that runs before the entry point
cap5lut
cap5lut7mo ago
if it works now, dont forget to $close the thread
MODiX
MODiX7mo ago
If you have no further questions, please use /close to mark the forum thread as answered
Unknown User
Unknown User7mo ago
Message Not Public
Sign In & Join Server To View
ProIcons
ProIcons7mo ago
.net fx 4.8.2
Unknown User
Unknown User7mo ago
Message Not Public
Sign In & Join Server To View
ProIcons
ProIcons7mo ago
i don't know you sir, and i don't want to talk to you 😄
Unknown User
Unknown User7mo ago
Message Not Public
Sign In & Join Server To View
mini
miniOP7mo ago
they are specific to the game server having turned off TLS support Before, they enforced TLS 1.0 now they enforce TLS 1.2+
Unknown User
Unknown User7mo ago
Message Not Public
Sign In & Join Server To View
mini
miniOP7mo ago
so I had to change the code to stop enforcing TLS 1.0 that was the issue of this thread
Unknown User
Unknown User7mo ago
Message Not Public
Sign In & Join Server To View
mini
miniOP7mo ago
maybe, but I know for a fact the game servres changed which TLS they enforce
Unknown User
Unknown User7mo ago
Message Not Public
Sign In & Join Server To View
mini
miniOP7mo ago
i am not talking about httpclient here at all
Unknown User
Unknown User7mo ago
Message Not Public
Sign In & Join Server To View
mini
miniOP7mo ago
yeah it was known to be bad and they eventually did upgrade now
Unknown User
Unknown User7mo ago
Message Not Public
Sign In & Join Server To View
mini
miniOP7mo ago
although they did upgrade because the game servers got blocked in russia and changing to TLS 1.2 fixed it the game servers exist since like 2007 so I assume they never bothered to change
Unknown User
Unknown User7mo ago
Message Not Public
Sign In & Join Server To View
mini
miniOP7mo ago
oh now i remember server side TLS 1.0 was not enforced just supported the game client forced TLS 1.0 I believe and so did the tool I used I think because of backwards compatibility with old stuff because the game client is ooold
Unknown User
Unknown User7mo ago
Message Not Public
Sign In & Join Server To View
Want results from more Discord servers?
Add your server