Could not establish secure channel for SSL/TLS for SOAP call

Question

Our core server is calling out to a soap web service over https on a number of different servers to confirm that a transaction has completed.

The code is dotnet 3.5

Answer 1

This turned out to be an interaction between the production "core" server (the one calling the service) and the destination server (hosting the service) not sharing an acceptable https algorithm. wfetch was extremely helpful in diagnosing the issue.

It turned out the destination server was not set up to accept TLS 1.0, only SSL 3.0 was accepted.

Apparently, something changed in Windows 2008 Server which means that outbound https connections would only be acceptable using TLS 1.0 (or better, presumably).

In our case, the problem was resolved when the configuration on the destination server was changed to accept TLS. It feels like there should be a way to alter my program to force it to use SSL but I haven't found it.

Answer 2

I got the same error "Could not establish secure channel for SSL/TLS with authority 'www.xyzzy.com'." when moving an existing application including a required client certificate from one server to another. What caused the problem on the new server was that the IIS-user, in this case "IIS_WPG", didn't have have read & execute permission for the certificate just moved to the new server. Changing the certificate access permissions can be done with wsetools. /Stefan

Answer 3

On the client side, try:

ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;