I'm trying to call a web service over HTTPS from a Windows 7 32bit system using a dot-net 4.6 and/or a self-contained single-file dot-net 7 application. But I'm getting the following exceptions:
INNEREXCEPTION
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: Authentication failed because the remote party sent a TLS alert: 'HandshakeFailure'.
---> System.ComponentModel.Win32Exception (0x80090326): The message received was unexpected or badly formatted.
EXCEPTION
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: Authentication failed because the remote party sent a TLS alert: 'HandshakeFailure'.
---> System.ComponentModel.Win32Exception (0x80090326): The message received was unexpected or badly formatted.
When I make the same call with Chrome on the same Windows 7 32bit system, the connection can be established.
CHROME REQUEST
CONNECT external-services.some.webservice.com:443 HTTP/1.1
Host: external-services.some.webservice.com:443
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36
A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.
Version: 3.3 (TLS/1.2)
Random: 02 72 BF 00 47 70 B8 00 33 24 A7 00 5E 21 B9 00 66 5D E5 DC BE 29 00 5E C9 00 00 14 22 00 44 34
"Time": 2000-03-03 09:04:18
SessionID: B0 CE 9D 00 35 5E 00 93 00 7A F0 00 95 00 00 64 C1 00 EF 1A 00 E0 DB CE F0 03 00 46 29 F4 3C 80
Extensions:
grease (0xaaaa) empty
server_name external-services.some.webservice.com
extended_master_secret empty
renegotiation_info 00
supported_groups grease [0xbaba], x25519 [0x1d], secp256r1 [0x17], secp384r1 [0x18]
ec_point_formats uncompressed [0x0]
SessionTicket empty
ALPN h2, http/1.1
status_request OCSP - Implicit Responder
signature_algs ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256, ecdsa_secp384r1_sha384, rsa_pss_rsae_sha384, rsa_pkcs1_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha512
SignedCertTimestamp (RFC6962) empty
key_share 00 29 00 00 00 01 00 00 1D 00 20 00 A9 00 00 72 33 AE CE 00 BE D9 00 00 00 65 00 27 00 EB C6 00 00 E4 AF 00 86 B0 00 00 10 0F 00
psk_key_exchange_modes 01 01
supported_versions grease [0xeaea], Tls1.3, Tls1.2, Tls1.1, Tls1.0
0x001b 02 00 02
0x4469 00 03 02 68 32
grease (0xeaea) 00
padding 168 null bytes
Ciphers:
[5A5A] Unrecognized cipher - See https://www.iana.org/assignments/tls-parameters/
[1301] TLS_AES_128_GCM_SHA256
[1302] TLS_AES_256_GCM_SHA384
[1303] TLS_CHACHA20_POLY1305_SHA256
[C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[C030] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[CCA9] TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
[CCA8] TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
[C013] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
[C014] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
[009C] TLS_RSA_WITH_AES_128_GCM_SHA256
[009D] TLS_RSA_WITH_AES_256_GCM_SHA384
[002F] TLS_RSA_WITH_AES_128_CBC_SHA
[0035] TLS_RSA_WITH_AES_256_CBC_SHA
Compression:
[00] NO_COMPRESSION
CHROME RESPONSE
HTTP/1.1 200 Connection Established
FiddlerGateway: Direct
StartTime: 10:56:06.371
Connection: close
EndTime: 10:56:09.880
ClientToServerBytes: 1318
ServerToClientBytes: 2576
This is a CONNECT tunnel, through which encrypted HTTPS traffic flows.
To view the encrypted sessions inside this tunnel, enable the Tools > Options > HTTPS > Decrypt HTTPS traffic option.
A SSLv3-compatible ServerHello handshake was found. Fiddler extracted the parameters below.
Version: 3.3 (TLS/1.2)
SessionID: 64 00 00 1C D8 00 CB A1 8D 7A DC 00 00 DF B2 00 65 C9 CC 00 1B 33 60 5A 00 0C 6F 90 00 EF 82 F9
Random: 79 29 4E 00 A1 00 DE 00 CA 21 18 00 D5 00 00 C8 69 A3 C1 58 00 00 90 BF 9A 00 4D 44 11 E2 F4 86
Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [0xC02F]
CompressionSuite: NO_COMPRESSION [0x00]
Extensions:
renegotiation_info 00
ALPN h2
ec_point_formats uncompressed [0x0]
extended_master_secret empty
Using the dot-net applications, the HandShake (or something else) cannot be made.
DOTNET REQUEST
CONNECT external-services.some.webservice.com:443 HTTP/1.1
Host: external-services.some.webservice.com:443
A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.
Version: 3.3 (TLS/1.2)
Random: 65 00 7C 00 00 00 B9 63 00 50 BF 00 00 90 71 D1 00 39 00 D7 1B 00 BF 00 E5 BC 00 F6 00 00 71 C2
"Time": 2057-12-23 22:11:01
SessionID: empty
Extensions:
server_name external-services.some.webservice.com
elliptic_curves secp256r1 [0x17], secp384r1 [0x18]
ec_point_formats uncompressed [0x0]
signature_algs sha256_rsa, sha384_rsa, sha512_rsa, sha1_rsa, sha256_ecdsa, sha384_ecdsa, sha512_ecdsa, sha1_ecdsa, sha1_dsa
extended_master_secret empty
renegotiation_info 00
Ciphers:
[C028] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
[C027] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
[C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
[C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
[009F] TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
[009E] TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
[0039] TLS_DHE_RSA_WITH_AES_256_SHA
[0033] TLS_DHE_RSA_WITH_AES_128_SHA
[009D] TLS_RSA_WITH_AES_256_GCM_SHA384
[009C] TLS_RSA_WITH_AES_128_GCM_SHA256
[003D] TLS_RSA_WITH_AES_256_CBC_SHA256
[003C] TLS_RSA_WITH_AES_128_CBC_SHA256
[0035] TLS_RSA_AES_256_SHA
[002F] TLS_RSA_AES_128_SHA
[C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C024] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
[C023] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
[C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
[C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[006A] TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
[0040] TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
[0038] TLS_DHE_DSS_WITH_AES_256_SHA
[0032] TLS_DHE_DSS_WITH_AES_128_SHA
[000A] SSL_RSA_WITH_3DES_EDE_SHA
[0013] SSL_DHE_DSS_WITH_3DES_EDE_SHA
Compression:
[00] NO_COMPRESSION
DOTNET RESPONSE
HTTP/1.1 200 Connection Established
FiddlerGateway: Direct
StartTime: 11:11:01.868
Connection: close
fiddler.network.https> HTTPS handshake to external-services.preprod.omni.pekao.com.pl (for #5) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted
Win32 (SChannel) Native Error Code: 0x80090326
I can see that Chrome was able to talk with the endpoint using the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher, which is missing in the dot-net connection.
Is there a way to configure dotnet 4.x or 7 to be able to make the call on a Windows 7 32bit system?
My code:
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Text;

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; // also tried 1.1 and 1.0
var requestContent = File.ReadAllText(Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "Assets", "request.json"));
using (var client = new HttpClient { BaseAddress = new Uri("https://external-services.some.webservice.com") })
{
    // HTTP Basic credentials, sent in the Authorization header
    var byteArray = Encoding.ASCII.GetBytes("User:Password");
    client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Basic", Convert.ToBase64String(byteArray));
    var response = await client.PostAsync(new Uri("/api/calculators", UriKind.Relative), new StringContent(requestContent));
    var result = await response.Content.ReadAsStringAsync();
}
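
Added example, not part of the original post: a Python script that compares the two Fiddler ClientHello cipher lists above by hex code point (Fiddler prints different names for the same code, e.g. [C014]) and checks whether the suite the server picked for Chrome is in the .NET offer. The names `offered`, `compare` and `REPORT` are this example's own.

```python
import re

# Cipher lists copied from the two Fiddler ClientHello dumps in the post,
# packed several entries per line to save space.
CHROME = """
[5A5A] Unrecognized cipher [1301] TLS_AES_128_GCM_SHA256 [1302] TLS_AES_256_GCM_SHA384
[1303] TLS_CHACHA20_POLY1305_SHA256 [C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[C030] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [CCA9] TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
[CCA8] TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 [C013] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
[C014] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA [009C] TLS_RSA_WITH_AES_128_GCM_SHA256
[009D] TLS_RSA_WITH_AES_256_GCM_SHA384 [002F] TLS_RSA_WITH_AES_128_CBC_SHA [0035] TLS_RSA_WITH_AES_256_CBC_SHA
"""
DOTNET = """
[C028] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 [C027] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
[C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA [C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
[009F] TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 [009E] TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
[0039] TLS_DHE_RSA_WITH_AES_256_SHA [0033] TLS_DHE_RSA_WITH_AES_128_SHA [009D] TLS_RSA_WITH_AES_256_GCM_SHA384
[009C] TLS_RSA_WITH_AES_128_GCM_SHA256 [003D] TLS_RSA_WITH_AES_256_CBC_SHA256
[003C] TLS_RSA_WITH_AES_128_CBC_SHA256 [0035] TLS_RSA_AES_256_SHA [002F] TLS_RSA_AES_128_SHA
[C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 [C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C024] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 [C023] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
[C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA [C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[006A] TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 [0040] TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
[0038] TLS_DHE_DSS_WITH_AES_256_SHA [0032] TLS_DHE_DSS_WITH_AES_128_SHA
[000A] SSL_RSA_WITH_3DES_EDE_SHA [0013] SSL_DHE_DSS_WITH_3DES_EDE_SHA
"""
SERVER_PICKED = 0xC02F  # "Cipher:" line of the ServerHello that Chrome received

def offered(dump):
    """Suite code points in offer order, keyed on the hex value, not the name."""
    codes = [int(h, 16) for h in re.findall(r"\[([0-9A-Fa-f]{4})\]", dump)]
    # GREASE placeholders (RFC 8701) have two equal bytes of the form 0x?A.
    return [c for c in codes if not (c >> 8 == c & 0xFF and c & 0x0F == 0x0A)]

def compare(working, failing, picked):
    ok, bad = offered(working), offered(failing)
    return {
        "only_working": [f"{c:04X}" for c in ok if c not in bad],
        "shared": [f"{c:04X}" for c in ok if c in bad],
        "picked_in_failing_offer": picked in bad,
    }

REPORT = compare(CHROME, DOTNET, SERVER_PICKED)

if __name__ == "__main__":
    print(REPORT)
```

On these captures, 0xC02F is one of seven suites that only the Chrome ClientHello offers, while eight suites appear in both offers.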