I have spent hours trying to get the .NET FtpWebRequest library to communicate with my Ubuntu 16.04 FTP server using vsftpd over SSL.
No matter what I try, I always end up with the exception "A call to SSPI failed. The message received was unexpected or badly formatted."
I have tried generating client and server certificates, installing them in windows, loading them with the X509 class in .NET, toggling various client and server side options. No matter what I do, it's always the same error. I believe this has something to do with my certificate not being verified by an authority. Here are my basic questions:
1) Can .NET just ACCEPT a suspicious certificate?! Installing it 30 different ways seems to have no affect?
2) What does "a call to SSPI failed" really mean? I've read conflicting answers. I have no problem connecting with TLS/SSL via FileZilla, but .NET 4.5 just won't have it.
3) Can someone give the minimum amount of steps to have a Windows 7 client using the .NET framework connect to a Linux server using vsftpd over SSL? I strongly believe the problem lies in my Windows/.NET settings since FileZilla on my Windows machine has no problem connecting.
Thank you in advance.
Insert the line below in your vsftpd.conf:
ssl_ciphers=AES128-SHA
Related
I am making a webrequest to an 3rd party api and it was working fine. In between the certificate was changed for the API and now when i make the request from our dev environment, I am getting response as The request was aborted could not create SSL/TLS secure channel.
I tried setting different protocol in code and there is no change in the response. I was getting a different error in explorer also. But that was fixed after enabling SSL 3.
I am using httpwebrequest in the code. The initial dll was in .net 3.5 and it has been updated to .net 4.6 now.
When checking the certificate details in firefox, i can see the certificate is TLS 1.3. As far as i understand it is not supported in .net 4.6.1 as i get protocol not supported error when i set it TLS value.
The dev environment is a Windows server 2016. The same API is working in production in Microsoft cloud. Not sure about the exact server version.
Is there any way i can fix this issue.
Update
The certificate algorithm was not there in the cipher suites. Followed the below document to add the cipher suite and the issue is now resolved.
https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls
Unfortunately, you cannot fix this issue yet.
The .NET Framework simply delegates to the underlying Windows platform WinINet/SChannel APIs to make outgoing HTTPS calls, and WinINet/SChannel on Windows Server 2016 has not yet been rolled out with the necessary changes to allow TLS 1.3 outgoing connections.
Applications targeting Framework 4.7.1 and later will automatically use the highest TLS version available on the OS it's running on, and fall back to lower ones if the server you're connecting to doesn't support it, so you won't need the following code (unless your current code [or a dependency] already calls it with a lower version).
If you're stuck on Framework < 4.7.1, you can prepare your code for the eventual Windows updates:
// From .NET Framework 4.8.0, simply use SecurityProtocolType.Tls13
// (or rather don't use this code at all from 4.7.1, configure the TLS versions in the OS)
const SecurityProtocolType tls13 = (SecurityProtocolType)12288;
ServicePointManager.SecurityProtocol = tls13 | SecurityProtocolType.Tls12;
(Some sites may require you to also append | SecurityProtocolType.Tls11, but those sites really should update their servers).
This SecurityProtocolType value of 12288, meaning TLS 1.3, will now be future-proof and passed on to the underlying Windows API layer, but will now throw an exception if the site you're calling only speaks TLS 1.3:
Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
This fix therefore only works after TLS 1.3 support is rolled out to Windows Server.
Windows 10 and Windows Server 1903 have experimental support for this, but if you can't upgrade your .NET Framework from 4.6, I doubt you can install a Windows Server release that uses experimental features.
For more information, see the following references:
Microsoft TLS 1.3 Support Reference
Transport Layer Security (TLS) best practices with the .NET Framework
TLS1.3 is it supported?
Protocols in TLS/SSL (Schannel SSP)
The certificate algorithm was not there in the cipher suites. Followed the below document to add the cipher suite and the issue is now resolved.
https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls
The same error can be seen when web applications don’t have permissions to access certificates.
Our web application uses client certificates to authenticate against remote web services. When the certificate was reissued and installed we started to see this error.
The solution was to grant permissions to the account that the web application runs as.
On Windows:
Manage computer certificates > Certificates – Local Computer >
Personal > Certificates
Right-click the certificate > All Tasks >
Manage Private Keys
Then Add the relevant account for the app pool – in our case it was Network Services
Hope this helps someone
so I just got APN to work locally using the PushSharp library for C#. I can send it by clicking a button and see it on my phone.
The issue is when I deploy to the server, I get an error:
Failure: One or more errors occurred. -> {"aps":{"alert":"Test!","badge":1,"sound":"default","category":"none"}}
Apns notification error: 'ConnectionError'
There isn't a whole lot of information to go off of. So far, I have created a rule in Windows Firewall to allow outbound traffic on port 2195. I have also contacted my datacenter / provider and verified that the port is not blocked for outbound traffic.
I am having trouble finding specific information about this online, any advice / pointers would be appreciated.
I resolved this issue, which seems to be more of a bug with X509Certificate2 in .NET, but I figured I would document my fix here anyways because someone else may run into the same issue.
var cert = new X509Certificate2(#"C:\filepath.p12", "", X509KeyStorageFlags.MachineKeySet);
The third parameter is required on the server because by default, IIS is only allowed to get certificates out of the IIS user's key store. By passing the parameter X509KeyStorageFlags.MachineKeySet, it allows IIS to read and use certificates off of the filesystem.
I have a c# application that generates an error "The request was aborted: Could not create SSL/TLS secure channel" when it tries to save a file to a remote SharePoint server. This happens on a Windows 2012 server, but the application runs successfully from my desktop windows machine.
Also, from the dev server, I am able to connect to the SharePoint server with IE11, with only TLS 1.1 enabled.
The application has all security protocols enabled.
I also know that the application never calls the certificatevalidationcallback function.
Given these symptoms, does anyone have any idea what could be going wrong?
After quite a bit of experimentation, I found the solution, but I'm still puzzled. The solution turned out to be the use of
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls11;
which is not surprising. What is surprising is that when I was getting the error, I was using
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls12;
I specified both protocols because I wasn't sure which was being used by the remote server, and I thought there was no downside to allowing either protocol.
Now I'm wondering why allowing a second protocol causes the application to be unable to establish the secure channel.
I've an application written in C# (framework 4.6) that uses System.Data.SqlClient to communicate with a SQL Server 2014. This application does NOT use SSL to connect to SQL.
The connection to SQL Server fails with this error:
a connection was established but ... protocol error ... opening
session (SSL provider error 0)
On the server, I observe in the events: Schannel errors 36874 and 36888 (A TLS1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. )
I've tried to force encrypt=false in the connect string to disable any SSL option, but this does not solve the problem.
This error does not occur on all computers of the same network.
Thanks in advance for your help.
Kind regards,
Guy
We have find a solution for this problem. We need to add news keys on the registry.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
After restart of computer, problem is solved but we dont understand why somes computer would connect with tls 1.2
You may want to check on the registry settings of the computer opening up the connection to SQL server. There is a little known edit that can force all connections to be TLS 1.2.
Registry information
The gist of the fix for us was to check on these settings:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
If you want it enabled, use it as is. If you want them disabled, you can set the to 0 or delete the keys.
I'm using the code from this article just to try and get something up and running. However, I cannot seem to connect to the web sockets server once it's running.
I have tried forwarding both ports 8080 and 8181, ensuring that they are forwarded using canyouseeme, allowing the ports under my firewall, completely disabling my firewall, trying and forwarding different ports, etc.
Nothing has worked so far. Both the HTML browser page and console server application run just fine with no errors but I keep getting this error message when I try to connect through the HTML page in my browser:
Connecting to ws://localhost:8181/chat ...
Socket closed!
I have never used WebSockets before so I'm not sure if I'm missing something like if I need to install some framework, run some daemon, or what. I'm running Windows 7 64 Bit and using Visual Studio to run the solution. Not sure how to get this to work. Anyone have any ideas?
The server mentioned in that article is likely using the older Hixie protocol. If you are running a recent version of Chrome or Firefox then you are using the newer HyBi/IETF protocol. The article was written in Jun 2010 before the newer protocol was standardized and adopted.
Update:
Fleck looks like a descendant of the code in that article (via Nugget) that supports the old and new protocol variants.