
I'm trying to integrate Apple Pay on our production website. I managed to complete the implementation on my local machine and successfully tested it with an Apple sandbox account. However, when we ported the integration to our production environment, on the merchant validation step, it fails with this error: "Could Not Create SSL/TLS Secure Channel".

Some information:

  • We checked multiple times that the merchant ID, domain name and all other parameters we send for merchant validation are correct
  • Our production server supports TLS 1.2 and the cipher suites required by Apple Pay to work
  • The domain validation has been done
  • The TLS certificate we send for the merchant validation has been created in compliance with the Apple documentation guidelines and the server process has the right permissions to access it
  • We explicitly set the security protocol as TLS 1.2 in the code
  • We tried turning off the firewall but it didn't change anything
  • Our server uses .NET version 4.5.2

The certificate for TLS handshake is a .pfx file that we made by combining the .pem and .key files obtained during the certificate creation procedure as described in the documentation. We add the certificate directly into the web request via code, like this (vb.net):

    Imports System.IO
    Imports System.Net
    Imports System.Security.Cryptography.X509Certificates

    ServicePointManager.Expect100Continue = True
    ' Numeric values: 12288 = Tls13 (not a named member before .NET Framework 4.8), 3072 = Tls12, 768 = Tls11.
    ' Together with SecurityProtocolType.Tls this enables four protocol versions, not TLS 1.2 alone.
    ServicePointManager.SecurityProtocol = CType(12288, SecurityProtocolType) Or CType(3072, SecurityProtocolType) Or CType(768, SecurityProtocolType) Or SecurityProtocolType.Tls

    ' WebRequest.Create returns a WebRequest, so cast it to HttpWebRequest (required with Option Strict On)
    Dim _request As HttpWebRequest = CType(WebRequest.Create(_validationUrl), HttpWebRequest)
    Dim _certFile As String = Path.Combine(applePayCertificatePath, applePayCertificateName)
    Dim _certificate As New X509Certificate2(_certFile, applePayCertificatePassword)

    ' The collection is constructed with the certificate already in it, so a separate Add would only duplicate it
    _request.ClientCertificates = New X509CertificateCollection({_certificate})

We searched all the web for a solution but we can't seem to find one. It looks like a server configuration/networking issue since, as I said, it works perfectly on my local machine.

Any insight on the matter would be greatly appreciated.

Thanks

mgiambi
  • You don't *explicitly set the security protocol as TLS 1.2* here, you explicitly set `TLS 1.3` and all other SSL versions. Try to set only `TLS 1.2` or `SystemDefault`. Check with Wireshark or Fiddler what you actually negotiate. – Jimi Jun 14 '22 at 12:12
  • @Jimi yes, I already did what you suggested, but it doesn't change anything. In any case, my server supports TLS 1.3 as well as 1.2, and the Apple Pay documentation states that the minimum TLS version required is 1.2 but it supports higher versions as well. If I explicitly set TLS 1.2 it uses 1.2, unfortunately I already checked. – mgiambi Jun 14 '22 at 12:21
  • *Check with Wireshark or Fiddler what you actually negotiate*, which can also show when the TLS connection is cut off and which part does it. -- Set `ServicePointManager.Expect100Continue = false`, so you send the packet with the request directly, unless the service explicitly instructs you to leave it set to `true` (the default) -- Why are you setting `SecurityProtocolType` by number? What .Net version are **you** targeting? Looks like very old code. – Jimi Jun 14 '22 at 12:30
  • IIRC, TLS 1.3 has experimental support (on demand) in Windows Server 2019 (not sure what build, but above 1809), but you should have .Net Fx 4.8 there. Full support is added to Windows Server 2022. – Jimi Jun 14 '22 at 12:49
  • The comments in this [post](https://stackoverflow.com/questions/72598838/consume-web-service-in-vb-net-solved) may be helpful. – Tu deschizi eu inchid Jun 14 '22 at 16:52
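
A small diagnostic for the "check what you actually negotiate" suggestion above, runnable on the production host without Wireshark. It is an added example, not code from the question or its comments: it assumes the validation host name and the merchant .pfx path and password are passed in, and targets .NET Framework 4.5.2, where SslProtocols.Tls13 does not exist, so only TLS 1.0 to 1.2 are probed.

```vbnet
Imports System
Imports System.Net.Security
Imports System.Net.Sockets
Imports System.Security.Authentication
Imports System.Security.Cryptography.X509Certificates

Module ApplePayTlsProbe
    ' Opens a raw TLS session to the validation host with the merchant certificate,
    ' one protocol version at a time, and reports what was negotiated or the
    ' innermost handshake error. Host, path and password are assumed inputs.
    Sub Probe(host As String, pfxPath As String, pfxPassword As String)
        Dim cert As New X509Certificate2(pfxPath, pfxPassword)
        ' A .pfx without its private key cannot be used for client authentication
        Console.WriteLine("Client cert: {0}, has private key: {1}", cert.Subject, cert.HasPrivateKey)

        For Each proto In {SslProtocols.Tls12, SslProtocols.Tls11, SslProtocols.Tls}
            Try
                Using client As New TcpClient(host, 443)
                    Using ssl As New SslStream(client.GetStream(), False)
                        ssl.AuthenticateAsClient(host, New X509CertificateCollection({cert}), proto, False)
                        Console.WriteLine("{0}: negotiated {1}, cipher {2} ({3}-bit), mutual auth: {4}",
                                          proto, ssl.SslProtocol, ssl.CipherAlgorithm,
                                          ssl.CipherStrength, ssl.IsMutuallyAuthenticated)
                    End Using
                End Using
            Catch ex As Exception
                ' Unwrap to the root cause; "Could Not Create SSL/TLS Secure Channel" usually hides it
                Dim root As Exception = ex
                While root.InnerException IsNot Nothing
                    root = root.InnerException
                End While
                Console.WriteLine("{0}: FAILED - {1}: {2}", proto, root.GetType().Name, root.Message)
            End Try
        Next
    End Sub

    Sub Main(args As String())
        ' Usage: ApplePayTlsProbe <host> <path-to-merchant.pfx> <pfx-password>
        Probe(args(0), args(1), args(2))
    End Sub
End Module
```

A run where TLS 1.2 reports `mutual auth: False` points at the certificate or its private key rather than the protocol settings; a failure on every version with an inner `Win32Exception` points at the OS Schannel configuration.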

0 Answers