Could not create SSL/TLS secure channel

steevegldev · February 10, 2020, 8:40pm

I'm trying to post index by using ApiKey and .NET library, but I got an error.

Dim auth = New ApiKeyAuthenticationCredentials("ApiKeyID", "ApiKey" )
Dim settings = New ConnectionConfiguration("CloudID", auth)
Dim client = New ElasticLowLevelClient(settings)
esResponse = client.Index(Of BytesResponse)(AxesConfig.Current.ElasticsearchIndexTransaction + "-" + NoSit, "1", PostData.Serializable(jObj))

Return

Unsuccessful () low level call on PUT: /transaction-00116/_doc/1
# Audit trail of this API call:
 - [1] BadResponse: Node: https://***.eastus2.azure.elastic-cloud.com:9243/ Took: 00:00:00.8145147
# OriginalException: Elasticsearch.Net.ElasticsearchClientException: The request was aborted: Could not create SSL/TLS secure channel.. Call: Status code unknown from: PUT /transaction-00116/_doc/1 ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.GetResponse()
   at Elasticsearch.Net.HttpWebRequestConnection.Request[TResponse](RequestData requestData)
   --- End of inner exception stack trace ---
# Request:
<Request stream not captured or already read to completion by serializer. Set DisableDirectStreaming() on ConnectionSettings to force it to be set on the response.>
# Response:

Any ideal?

forloop · February 11, 2020, 2:01am

This indicates a problem with establishing a HTTPS connection. Based on the stacktrace provided, it looks like you're targeting an older version .NET Framework that uses the older System.Net.HttpWebRequest type for HTTP.

My suspicion is that the version of .NET Framework is not configured to support the version of TLS that Elasticsearch Service on Cloud is using; If I recall correctly, the service uses TLS 1.2, which older .NET Framework versions may not be configured by default to support.

A couple of different options that I would recommend

Update to a newer .NET Framework version that supports TLS 1.2 by default
Configure ServicePointManager.SecurityProtocol to use TLS 1.2. If patches have been applied that default the OS to use TLS 1.2, then setting ServicePointManager.SecurityProtocol to SecurityProtocolType.SystemDefault will work. Otherwise, it can be set to SecurityProtocolType.Tls12 or the int value 3072
```
ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
```
Bear in mind that changing this property affects TLS for all HTTPS connections from the AppDomain.

steevegldev · February 11, 2020, 4:47pm

Thanks for that complete answer. I'm still trying to figure out how to force the TLS version in VB.NET 4.6.1.

But the question I have is why APM work without issue?

steevegldev · February 11, 2020, 9:17pm

I fixed it with ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 just before client.Index

I don't know if it's the best solution, but it's working.

I tried the following without succeed:

  <runtime>
    <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSystemDefaultTlsVersions=false"/>
  </runtime>

Thanks

forloop · February 12, 2020, 12:33am

Happy it works for you! Note, you only need to call this once for the lifetime of the application and before any call is made, so somewhere in application startup is best.

I think it may be because all of .NET APM agent's HTTP calls are based on System.Net.Http.HttpClient and not System.Net.HttpWebRequest.

This implies to me that the OS may not be patched to support TLS 1.2 by default. You can check the Windows registry for SystemDefaultTlsVersions.

system · March 11, 2020, 12:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.