9

I've had social sign-in using Facebook implemented in Production for some time. As of this morning, it is no longer working for me. I am getting the same error in dev (which has no SSL) and in production, which is hosted on Azure Web Sites, and does use SSL.

Here's the error I'm seeing:

[WebException: The request was aborted: Could not create SSL/TLS secure channel.] System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request) +283 System.Net.WebClient.DownloadString(Uri address) +100 DotNetOpenAuth.AspNet.Clients.FacebookClient.QueryAccessToken(Uri returnUrl, String authorizationCode) +350 DotNetOpenAuth.AspNet.Clients.OAuth2Client.VerifyAuthentication(HttpContextBase context, Uri returnPageUrl) +202 DotNetOpenAuth.AspNet.OpenAuthSecurityManager.VerifyAuthentication(String returnUrl) +411 Microsoft.Web.WebPages.OAuth.OAuthWebSecurity.VerifyAuthenticationCore(HttpContextBase context, String returnUrl) +189 Microsoft.Web.WebPages.OAuth.OAuthWebSecurity.VerifyAuthentication(String returnUrl) +139

Anyone else seeing this? My Google login continues to work just fine.

Dan Friedman
  • 4,941
  • 2
  • 41
  • 65
  • Are you still using SSL3? SSL3 has been disabled on all of Facebook's endpoints due to http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability – Igy Oct 15 '14 at 17:38
  • Looks like I was. I tried what Mikejh99 suggested, but am still getting the same exception. – Dan Friedman Oct 15 '14 at 21:50

4 Answers4

14

As Igy said, this is due to SSLv3 being disabled by Facebook because of the POODLE exploit.

I had the same thing happen to an app that connects to Twitter. I fixed it by adding this line of code to use TLS. I'm not sure this is the best solution, but it works for now. 

System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12

EDIT: Forgot to mention this, but I added that line to Application_Start of global.asax

Mikejh99
  • 378
  • 5
  • 12
  • Thanks for the edit, that helped. Unfortunately, it didn't work. I set a breakpoint to make sure that the application is indeed restarting and it is getting hit, unfortunately, I'm still getting the same exception. – Dan Friedman Oct 15 '14 at 21:48
  • For good measure, I also tried `Tsl` and `Tsl11`. Same result. – Dan Friedman Oct 15 '14 at 21:51
  • This line of code before every web request using https, worked for me. All facebook,linkedin and twitter connect/post were affected – Rifaj Oct 17 '14 at 11:48
  • 1
    As a side note, my setting kept getting reverted. I used [dotPeek](https://www.jetbrains.com/decompiler/) to add my solution folder to the assembly and then used "Find usages" on `SecurityProtocol`. Turns out there was a 3rd-party plugin that had it hardcoded to use `Ssl3` and was causing a further problem. – Dan Friedman Oct 20 '14 at 18:33
  • correction: "add my solution folder to the assembly list" – Dan Friedman Oct 20 '14 at 18:40
0

Facebook has dropped support for SSL 3.0 across the Facebook Platform API and the Real-Time Updates API, after a vulnerability in the protocol was revealed publicly on October 14, 2014 (http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html).

Old versions of the PHP SDK (Facebook PHP SDK 3.1.1 and older) that used SSL 3.0 will now no longer work.

All developers should upgrade to Facebook SDK 3.2.3 or greater. SDK 4.0.0 is recommended.

Simon Cross
  • 13,315
  • 3
  • 32
  • 26
0

We have the same problem in a live environment. All accounts were changed at the same time:

  • Facebook
  • Twiter
  • LinkedIn

For twitter I think only needed would be to update Twitterizer.dll or the latest 3rd party Twitter library and check the code changes.

for LinkedIn it would be interesting to use OAuthv2 (or the last one, I do not remember the version release) but i remember it is very very difficult to solve.

For Facebook the same, change the SDK to the last one and relearn the library changes.

October 15th 2014 was planned on August that this was going to happen.

regards,

Isy

sanchezis
  • 429
  • 4
  • 9
0

why would setting the SecurityProtocol to TLS be a solution? .net should anyway negotiate the highest possible protocol with the server and if TLS is an option prefer that one over SSL, shouldn't it?!

Matthias
  • 1,267
  • 1
  • 15
  • 27