
"Could not create SSL/TLS secure channel" Azure Storage .NET API error since POODLE


I have exactly the same problem: yesterday many companies have disabled SSLv3 on their servers so the client has to negotiate to use TLS instead when connecting to a secure endpoint.

When running on my dev box everything works like before. But on all of my production servers I get the same exception when connecting to some servers (not all - for example graph.facebook.com, mandrillapp.com and some others show that problem).

Interestingly enough, a restart of the application solved the problem for about an hour. Then the error shows up again.

After some googling I found the line

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;

to be of some help. The problem is that this seems to be a global setting and solves some but not all connection problems for me. The Facebook API is working again, but Mandrill, for example, stops working and shows the exception again after a few hours.

The problem seems to be that the .NET HttpWebRequest class (and also the WebClient class) or the underlying HTTPS implementation has problems negotiating the communication protocol.

I have read that TLS has been the standard protocol in .NET for a few years and SSLv3 is just used as a fallback, but nevertheless, the exception is there.


I think we have found the main problem: Azure Storage, at least when being communicated with from an Azure Cloud Service (on the newest Windows platform available however), seems to not be able to handle the Tls 1.2 security protocol.

So setting:

    System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; // FAILS!

You must rather set:

    System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls; // or Tls11 ?

It MAY not be able to handle Tls 1.1 either. I could check that, but I'm weary of having this project not working again, for even a second.

--- UPDATE ---

The Azure support personnel pointed out that prior to .NET 4.5 (4.0 and earlier), the only Tls values available on this enum were simply .Tls (no Tls11, Tls12).

See msdn docs.

I'm betting the receiving end in Azure storage then (on their own internal stack that processes requests) is not using .NET 4.5 (an educated guess).

--- end update ---

No problems though on the local machine. Which makes me wonder if the client (the cloud service virtual machine hosted in azure) itself is the one lacking here.

Thus far, this seems to be working.

For detailed log information obtained from remoting into the instance, here are some obviously pertinent logs that may help some people to hopefully address this for the future. In every case, the underlying exception was:

    System.Security.Authentication.AuthenticationException // (of type: System.ComponentModel.Win32Exception)

And the main error message was:

The client and server cannot communicate, because they do not possess a common algorithm

Apparently, in this case one of them (I think the cloud service client?) can't handle Tls1.2?

Logs snippet:

    DetailID = 6
    Count:    4
    Type:     System.Security.Authentication.AuthenticationException
    Message:  A call to SSPI failed, see inner exception.
        Type:     System.ComponentModel.Win32Exception
        Message:  The client and server cannot communicate, because they do not possess a common algorithm
    Stack:
        [HelperMethodFrame]
        System.Net.Security.SslState.ForceAuthentication(Boolean, Byte[], System.Net.AsyncProtocolRequest)
        [HelperMethodFrame]
        System.Net.Security.SslState.StartSendAuthResetSignal(System.Net.Security.ProtocolToken, System.Net.AsyncProtocolRequest, System.Exception)
        System.Net.Security.SslState.StartSendBlob(Byte[], Int32, System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.ProcessReceivedBlob(Byte[], Int32, System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.StartReceiveBlob(Byte[], System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.StartSendBlob(Byte[], Int32, System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.ForceAuthentication(Boolean, Byte[], System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.ProcessAuthentication(System.Net.LazyAsyncResult)
        System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
        System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
        System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
        System.Net.TlsStream.ProcessAuthentication(System.Net.LazyAsyncResult)
        System.Net.TlsStream.Write(Byte[], Int32, Int32)
        System.Net.ConnectStream.WriteHeaders(Boolean)
        System.Net.HttpWebRequest.EndSubmitRequest()
        System.Net.Connection.CompleteConnection(Boolean, System.Net.HttpWebRequest)
        System.Net.Connection.CompleteStartConnection(Boolean, System.Net.HttpWebRequest)
        System.Net.Connection.CompleteStartRequest(Boolean, System.Net.HttpWebRequest, System.Net.TriState)
        System.Net.Connection.SubmitRequest(System.Net.HttpWebRequest, Boolean)
        System.Net.ServicePoint.SubmitRequest(System.Net.HttpWebRequest, System.String)
        System.Net.HttpWebRequest.SubmitRequest(System.Net.ServicePoint)
        System.Net.HttpWebRequest.GetRequestStream(System.Net.TransportContext ByRef)
        System.Net.HttpWebRequest.GetRequestStream()
        Microsoft.WindowsAzure.Storage.Core.Executor.Executor.ExecuteSync[[System.__Canon, mscorlib]](Microsoft.WindowsAzure.Storage.Core.Executor.RESTCommand`1<System.__Canon>, Microsoft.WindowsAzure.Storage.RetryPolicies.IRetryPolicy, Microsoft.WindowsAzure.Storage.OperationContext)
        Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob.UploadFromStreamHelper(System.IO.Stream, System.Nullable`1<Int64>, Microsoft.WindowsAzure.Storage.AccessCondition, Microsoft.WindowsAzure.Storage.Blob.BlobRequestOptions, Microsoft.WindowsAzure.Storage.OperationContext)
        Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob.UploadFromByteArray(Byte[], Int32, Int32, Microsoft.WindowsAzure.Storage.AccessCondition, Microsoft.WindowsAzure.Storage.Blob.BlobRequestOptions, Microsoft.WindowsAzure.Storage.OperationContext)
        Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob.UploadText(System.String, System.Text.Encoding, Microsoft.WindowsAzure.Storage.AccessCondition, Microsoft.WindowsAzure.Storage.Blob.BlobRequestOptions, Microsoft.WindowsAzure.Storage.OperationContext)
        ... my own project's calls begin here ...

    DetailID = 7
    Count:    4
    Type:     System.Security.Authentication.AuthenticationException
    Message:  A call to SSPI failed, see inner exception.
        Type:     System.ComponentModel.Win32Exception
        Message:  The client and server cannot communicate, because they do not possess a common algorithm
    Stack:
        [HelperMethodFrame]
        System.Net.TlsStream.ProcessAuthentication(System.Net.LazyAsyncResult)
        [HelperMethodFrame]
        System.Net.Security.SslState.ForceAuthentication(Boolean, Byte[], System.Net.AsyncProtocolRequest)
        [HelperMethodFrame]
        System.Net.Security.SslState.StartSendAuthResetSignal(System.Net.Security.ProtocolToken, System.Net.AsyncProtocolRequest, System.Exception)
        System.Net.Security.SslState.StartSendBlob(Byte[], Int32, System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.ProcessReceivedBlob(Byte[], Int32, System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.StartReceiveBlob(Byte[], System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.StartSendBlob(Byte[], Int32, System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.ForceAuthentication(Boolean, Byte[], System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.ProcessAuthentication(System.Net.LazyAsyncResult)
        System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
        System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
        System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
        System.Net.TlsStream.ProcessAuthentication(System.Net.LazyAsyncResult)
        System.Net.TlsStream.Write(Byte[], Int32, Int32)
        System.Net.ConnectStream.WriteHeaders(Boolean)
        System.Net.HttpWebRequest.EndSubmitRequest()
        System.Net.Connection.CompleteConnection(Boolean, System.Net.HttpWebRequest)
        System.Net.Connection.CompleteStartConnection(Boolean, System.Net.HttpWebRequest)
        System.Net.Connection.CompleteStartRequest(Boolean, System.Net.HttpWebRequest, System.Net.TriState)
        System.Net.Connection.SubmitRequest(System.Net.HttpWebRequest, Boolean)
        System.Net.ServicePoint.SubmitRequest(System.Net.HttpWebRequest, System.String)
        System.Net.HttpWebRequest.SubmitRequest(System.Net.ServicePoint)
        System.Net.HttpWebRequest.GetRequestStream(System.Net.TransportContext ByRef)
        System.Net.HttpWebRequest.GetRequestStream()
        Microsoft.WindowsAzure.Storage.Core.Executor.Executor.ExecuteSync[[System.__Canon, mscorlib]](Microsoft.WindowsAzure.Storage.Core.Executor.RESTCommand`1<System.__Canon>, Microsoft.WindowsAzure.Storage.RetryPolicies.IRetryPolicy, Microsoft.WindowsAzure.Storage.OperationContext)
        Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob.UploadFromStreamHelper(System.IO.Stream, System.Nullable`1<Int64>, Microsoft.WindowsAzure.Storage.AccessCondition, Microsoft.WindowsAzure.Storage.Blob.BlobRequestOptions, Microsoft.WindowsAzure.Storage.OperationContext)
        Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob.UploadFromByteArray(Byte[], Int32, Int32, Microsoft.WindowsAzure.Storage.AccessCondition, Microsoft.WindowsAzure.Storage.Blob.BlobRequestOptions, Microsoft.WindowsAzure.Storage.OperationContext)
        Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob.UploadText(System.String, System.Text.Encoding, Microsoft.WindowsAzure.Storage.AccessCondition, Microsoft.WindowsAzure.Storage.Blob.BlobRequestOptions, Microsoft.WindowsAzure.Storage.OperationContext)
        ... my own project's calls begin here ...

    DetailID = 8
    Count:    4
    Type:     System.Security.Authentication.AuthenticationException
    Message:  A call to SSPI failed, see inner exception.
        Type:     System.ComponentModel.Win32Exception
        Message:  The client and server cannot communicate, because they do not possess a common algorithm
    Stack:
        [HelperMethodFrame]
        System.Net.TlsStream.ProcessAuthentication(System.Net.LazyAsyncResult)
        [HelperMethodFrame]
        System.Net.TlsStream.ProcessAuthentication(System.Net.LazyAsyncResult)
        [HelperMethodFrame]
        System.Net.Security.SslState.ForceAuthentication(Boolean, Byte[], System.Net.AsyncProtocolRequest)
        [HelperMethodFrame]
        System.Net.Security.SslState.StartSendAuthResetSignal(System.Net.Security.ProtocolToken, System.Net.AsyncProtocolRequest, System.Exception)
        System.Net.Security.SslState.StartSendBlob(Byte[], Int32, System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.ProcessReceivedBlob(Byte[], Int32, System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.StartReceiveBlob(Byte[], System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.StartSendBlob(Byte[], Int32, System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.ForceAuthentication(Boolean, Byte[], System.Net.AsyncProtocolRequest)
        System.Net.Security.SslState.ProcessAuthentication(System.Net.LazyAsyncResult)
        System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
        System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
        System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
        System.Net.TlsStream.ProcessAuthentication(System.Net.LazyAsyncResult)
        System.Net.TlsStream.Write(Byte[], Int32, Int32)
        System.Net.ConnectStream.WriteHeaders(Boolean)
        System.Net.HttpWebRequest.EndSubmitRequest()
        System.Net.Connection.CompleteConnection(Boolean, System.Net.HttpWebRequest)
        System.Net.Connection.CompleteStartConnection(Boolean, System.Net.HttpWebRequest)
        System.Net.Connection.CompleteStartRequest(Boolean, System.Net.HttpWebRequest, System.Net.TriState)
        System.Net.Connection.SubmitRequest(System.Net.HttpWebRequest, Boolean)
        System.Net.ServicePoint.SubmitRequest(System.Net.HttpWebRequest, System.String)
        System.Net.HttpWebRequest.SubmitRequest(System.Net.ServicePoint)
        System.Net.HttpWebRequest.GetRequestStream(System.Net.TransportContext ByRef)
        System.Net.HttpWebRequest.GetRequestStream()
        Microsoft.WindowsAzure.Storage.Core.Executor.Executor.ExecuteSync[[System.__Canon, mscorlib]](Microsoft.WindowsAzure.Storage.Core.Executor.RESTCommand`1<System.__Canon>, Microsoft.WindowsAzure.Storage.RetryPolicies.IRetryPolicy, Microsoft.WindowsAzure.Storage.OperationContext)
        Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob.UploadFromStreamHelper(System.IO.Stream, System.Nullable`1<Int64>, Microsoft.WindowsAzure.Storage.AccessCondition, Microsoft.WindowsAzure.Storage.Blob.BlobRequestOptions, Microsoft.WindowsAzure.Storage.OperationContext)
        Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob.UploadFromByteArray(Byte[], Int32, Int32, Microsoft.WindowsAzure.Storage.AccessCondition, Microsoft.WindowsAzure.Storage.Blob.BlobRequestOptions, Microsoft.WindowsAzure.Storage.OperationContext)
        Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob.UploadText(System.String, System.Text.Encoding, Microsoft.WindowsAzure.Storage.AccessCondition, Microsoft.WindowsAzure.Storage.Blob.BlobRequestOptions, Microsoft.WindowsAzure.Storage.OperationContext)
        ... my own project's calls begin here ...

The answer by Jan technically gives the right solution in the end, but it doesn't give the real cause, which is the real bugger here (as I said in the comments, I was already setting this, just I happened to set a higher value, to Tls12 instead). So while I always would prefer to not give my own answer over someone else's, I think this is more preferred and helpful for others struggling with this exact same problem (indeed, when I saw his answer, it didn't even register to me as even being different than what I was doing). Thanks to Jan for the help though.
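
An added diagnostic example, not code from either answer: it attempts one handshake per TLS version against an endpoint to show which side lacks a common protocol, then sets the global `ServicePointManager.SecurityProtocol` to a combination of flags rather than a single version. It assumes .NET Framework 4.5 or later (where `Tls11` and `Tls12` exist) and a C# 6 compiler; the class name `TlsProbe`, the helper `TryHandshake` and the default host `example.com` are placeholders.

```csharp
// Added example, not from either answer. Assumes .NET Framework 4.5+.
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

static class TlsProbe
{
    // One handshake restricted to a single protocol version. Reports what was negotiated,
    // or the innermost failure message (e.g. "...do not possess a common algorithm").
    static bool TryHandshake(string host, SslProtocols protocol, out string detail)
    {
        try
        {
            using (var tcp = new TcpClient(host, 443))
            using (var ssl = new SslStream(tcp.GetStream(), false))
            {
                ssl.AuthenticateAsClient(host, null, protocol, false);
                detail = "negotiated " + ssl.SslProtocol + ", cipher " + ssl.CipherAlgorithm;
                return true;
            }
        }
        catch (Exception ex) when (ex is AuthenticationException || ex is IOException || ex is SocketException)
        {
            detail = ex.GetType().Name + ": " + (ex.InnerException ?? ex).Message;
            return false;
        }
    }

    static void Main(string[] args)
    {
        // Placeholder host; pass the endpoint that fails in production as the first argument.
        string host = args.Length > 0 ? args[0] : "example.com";

        foreach (var p in new[] { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 })
        {
            string detail;
            bool ok = TryHandshake(host, p, out detail);
            Console.WriteLine("{0,-6} {1,-4} {2}", p, ok ? "OK" : "FAIL", detail);
        }

        // SecurityProtocolType is a [Flags] enum: list every TLS version the client may offer
        // and leave Ssl3 out, so each connection negotiates the highest version both ends share.
        ServicePointManager.SecurityProtocol =
            SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
        Console.WriteLine("ServicePointManager.SecurityProtocol = " + ServicePointManager.SecurityProtocol);
    }
}
```

Run it on both the dev box and a production instance against the same host: a version that succeeds on one machine and fails on the other points at the client's own TLS stack rather than the server.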