8

When I run my app on localhost it works fine, but when I publish it to Azure my requests stop working. I get the error: "The request was aborted: Could not create SSL/TLS secure channel."

I have an app that calls an external commercial SOAP API. The external API requires a client certificate to be passed along as I make the requests, and it also needs my IP address to be whitelisted.

The commercial API has whitelisted the IPs that I got from my app service/properties/outgoing & virtual IP addresses in Azure.

I've added my client certificate file (.p12) to a folder in my solution, and when checking the files uploaded to Azure I can see it there as well.

Using RestSharp, my request looks like:

    private string RequestToBv(string pXml)
    {
        X509Certificate2 cert = new X509Certificate2(bvCertificatePath, bvCertificatePassword);

        var client = new RestClient(mXmlApiUrl); // mXmlApiUrl = url to endpoint
        client.Timeout = -1;
        client.ClientCertificates = new X509CertificateCollection() { cert };
        var request = new RestRequest(Method.POST);
        request.AddHeader("Content-Type", "application/xml");
        request.AddParameter("application/xml", pXml, ParameterType.RequestBody);

        IRestResponse response = client.Execute(request);

        if (response.StatusCode == HttpStatusCode.OK)
        {
            return response.Content;
        }

        return "";
    }

When debugging in Azure I get StatusCode = 0 and the error message: "The request was aborted: Could not create SSL/TLS secure channel."


After searching Stack Overflow for answers, I've added the following lines of code at the top of my method:

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
    ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, errors) => true;

But I still get the same error response.

Are there any settings I need to set in Azure, or do I need to install my client certificate in some way on Azure?

Additional info after comment: [image]

Carl Decks
  • 385
  • 4
  • 15
  • Do you get an inner exception? There should be more information about the problem there – StavSheiz Jan 26 '21 at 10:13
  • @StavSheiz I've edited my question. Is that what you look for? – Carl Decks Jan 26 '21 at 10:40
  • Yes but it seems that the inner exception is null. Which version of .net are you using? – StavSheiz Jan 26 '21 at 10:45
  • .NET Framework 4.8.4300.0 – Carl Decks Jan 26 '21 at 10:59
  • According to the documentation the API uses 2-way SSL, if that's any valuable information – Carl Decks Jan 26 '21 at 11:09
  • Are you using the same client certificate on localhost and in Azure? You may also need to install the certificate on the machine: https://www.ssl.com/how-to/install-a-ssl-certificate-on-a-microsoft-azure-web-appwebsite-and-cloud-service/ – ofir elarat Jan 28 '21 at 21:53
  • More likely than not, the server has disabled TLS 1.0 (and possibly even TLS 1.1). Try with SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12 or just SecurityProtocolType.Tls12. You can also find the supported versions by entering the domain for mXmlApiUrl in a site like https://www.cdn77.com/tls-test – amit_g Feb 01 '21 at 05:01

2 Answers

6

What I had to do was convert my .p12 certificate file to a crt file, import it to Azure, and then use X509Store in my code to get it. After that the handshake was successful.

Carl Decks
  • 385
  • 4
  • 15
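A sketch of the X509Store lookup this answer describes, as an added example that is not the answerer's code. It assumes a Windows App Service where the certificate was imported with its private key and the WEBSITE_LOAD_CERTIFICATES app setting lists its thumbprint; the class name, the thumbprint placeholder and the TLS 1.2 assumption are illustrative.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;
using RestSharp;

public static class BvClientExample // hypothetical name, not from the post
{
    // Placeholder: thumbprint shown in the portal for the imported certificate.
    private const string Thumbprint = "<CLIENT-CERT-THUMBPRINT>";

    public static X509Certificate2 LoadClientCertificate(string thumbprint)
    {
        // Thumbprints copied from a UI often carry spaces or invisible characters.
        string clean = Regex.Replace(thumbprint, "[^0-9a-fA-F]", "").ToUpperInvariant();

        // Assumption: Windows App Service with WEBSITE_LOAD_CERTIFICATES set, which
        // exposes the imported certificate in the CurrentUser\My store.
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false, so a cert whose chain is not trusted locally is still returned.
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, clean, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Client certificate " + clean + " not in CurrentUser\\My.");
            if (!found[0].HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key; 2-way SSL needs one.");
            return found[0];
        }
    }

    public static string RequestToBv(string apiUrl, string xml)
    {
        // Process-wide setting; assumes the API accepts TLS 1.2. Server certificate
        // validation is left at its default instead of being overridden to return true.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        var client = new RestClient(apiUrl);
        client.ClientCertificates = new X509CertificateCollection { LoadClientCertificate(Thumbprint) };
        var request = new RestRequest(Method.POST);
        request.AddParameter("application/xml", xml, ParameterType.RequestBody);

        IRestResponse response = client.Execute(request);
        if (response.StatusCode != HttpStatusCode.OK)
            throw new InvalidOperationException("Request failed: " + response.StatusCode + " " + response.ErrorMessage);
        return response.Content;
    }
}
```

The two explicit exceptions separate a certificate that never reached the store from one that was imported without its private key; both otherwise surface as the same "Could not create SSL/TLS secure channel" message.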
0

I was facing an issue with a new function app deployment; I was getting the same error message.

I was using a self-hosted agent, but when I used a Microsoft-hosted agent for deployment it worked. The problem was due to some missing TLS 1.2 settings and configuring strong cryptography. I had to add the keys below to the registry, and of course restart the machine afterwards.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions" = dword:00000001
    "SchUseStrongCrypto" = dword:00000001
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SystemDefaultTlsVersions" = dword:00000001
    "SchUseStrongCrypto" = dword:00000001

And it worked like a charm afterwards. Reference

Aatif Akhter
  • 2,126
  • 1
  • 25
  • 46