Getting "The SSL connection could not be established" error when connecting to a certain website

[Gnbrkm41]

Description

Using HttpClient, When attempting to make GET requests to a certain web address, the method occasionally fails with an error The SSL connection could not be established, see inner exception. where the inner exception says Exception of type 'System.Net.InternalException' was thrown. -2146892963. Occasionally is the key here - it sometimes "just works" (in the provided code below it should result in 503 Service Temporarily Unavailable when it works.)

Minimal reproducible code:

HttpClient client = new HttpClient();
await client.GetStringAsync("https://newbiepr.gitlab.io"); // Fails on this line

Exception details:

HttpRequestException4
The SSL connection could not be established, see inner exception.
Data	(0 items)
HelpLink	null
HResult	-2146233088
InnerException	InternalException4 Exception of type 'System.Net.InternalException' was thrown. -2146892963 Data (0 items) HelpLink null HResult -2146233088 InnerException null Message Exception of type 'System.Net.InternalException' was thrown. -2146892963 Source System.Net.Security StackTrace    at System.Net.SecurityStatusAdapterPal.GetSecurityStatusPalFromInterop(SECURITY_STATUS win32SecurityStatus, Boolean attachException)    at System.Net.Security.SslStreamPal.InitializeSecurityContext(SafeFreeCredentials& credentialsHandle, SafeDeleteSslContext& context, String targetName, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)    at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)    at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)    at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken) TargetSite TargetSite
Message	The SSL connection could not be established, see inner exception.
Source	System.Net.Http
StackTrace	at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)    at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)    at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)    at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)    at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)    at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)    at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)    at System.Net.Http.HttpClient.GetStringAsyncCore(HttpRequestMessage request, CancellationToken cancellationToken)    at UserQuery.Main(), line 2
StatusCode	null

Configuration

Windows version: Windows 10 Pro Insiders Preview Build 21364 (Dev ring), x64, Korean
.NET SDK used: 5.0.200-preview.21077.7

Regression?

As far as I can tell it can be reproduced on .NET Framework 4.8 that's installed on my Windows as well, albeit with a different error message:

HttpRequestException4
An error occurred while sending the request.
Data	IDictionary (1 item)4 Key Value LINQPad.LineNumber 6
HelpLink	null
HResult	-2146233088
InnerException	WebException4 The request was aborted: Could not create SSL/TLS secure channel. Message The request was aborted: Could not create SSL/TLS secure channel. Data (0 items) InnerException null TargetSite TargetSite StackTrace    위치: System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)    위치: System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar) HelpLink null Source System HResult -2146233079 Status SecureChannelFailure Response null
Message	An error occurred while sending the request.
Source	mscorlib
StackTrace	위치: System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()    위치: System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)    위치: System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()    위치: UserQuery.<RunUserAuthoredQuery>d__0.MoveNext() 파일 C:\Users\gotos\AppData\Local\Temp\LINQPad5\_tjauvduk\query_uwxuos.cs:줄 41

Other information

As far as I can tell, I do not see any sort of similar errors showing up when I make the request with other tools such as curl or Edge browser.

Might be related: #44058 (although the issue was closed for insufficient info)

If you're having trouble reproducing the issue I am happy to provide packet captures for troubleshooting.

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

Using HttpClient, When attempting to make GET requests from a certain web address, the method occasionally fails with an error The SSL connection could not be established, see inner exception. where the inner exception says Exception of type 'System.Net.InternalException' was thrown. -2146892963. Occasionally is the key here - it sometimes "just works" (in the provided code below it should result in 503 Service Temporarily Unavailable when it works.)

Minimal reproducible code:

HttpClient client = new HttpClient();
await client.GetStringAsync("https://newbiepr.gitlab.io"); // Fails on this line

Exception details:

HttpRequestException4
The SSL connection could not be established, see inner exception.
Data	(0 items)
HelpLink	null
HResult	-2146233088
InnerException	InternalException4 Exception of type 'System.Net.InternalException' was thrown. -2146892963 Data (0 items) HelpLink null HResult -2146233088 InnerException null Message Exception of type 'System.Net.InternalException' was thrown. -2146892963 Source System.Net.Security StackTrace    at System.Net.SecurityStatusAdapterPal.GetSecurityStatusPalFromInterop(SECURITY_STATUS win32SecurityStatus, Boolean attachException)    at System.Net.Security.SslStreamPal.InitializeSecurityContext(SafeFreeCredentials& credentialsHandle, SafeDeleteSslContext& context, String targetName, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)    at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)    at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)    at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken) TargetSite TargetSite
Message	The SSL connection could not be established, see inner exception.
Source	System.Net.Http
StackTrace	at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)    at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)    at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)    at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)    at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)    at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)    at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)    at System.Net.Http.HttpClient.GetStringAsyncCore(HttpRequestMessage request, CancellationToken cancellationToken)    at UserQuery.Main(), line 2
StatusCode	null

Configuration

Windows version: Windows 10 Pro Insiders Preview Build 21364 (Dev ring), x64, Korean
.NET SDK used: 5.0.200-preview.21077.7

Regression?

As far as I can tell it can be reproduced on .NET Framework 4.8 that's installed on my Windows as well, albeit with a different error message:

HttpRequestException4
An error occurred while sending the request.
Data	IDictionary (1 item)4 Key Value LINQPad.LineNumber 6
HelpLink	null
HResult	-2146233088
InnerException	WebException4 The request was aborted: Could not create SSL/TLS secure channel. Message The request was aborted: Could not create SSL/TLS secure channel. Data (0 items) InnerException null TargetSite TargetSite StackTrace    위치: System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)    위치: System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar) HelpLink null Source System HResult -2146233079 Status SecureChannelFailure Response null
Message	An error occurred while sending the request.
Source	mscorlib
StackTrace	위치: System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()    위치: System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)    위치: System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()    위치: UserQuery.<RunUserAuthoredQuery>d__0.MoveNext() 파일 C:\Users\gotos\AppData\Local\Temp\LINQPad5\_tjauvduk\query_uwxuos.cs:줄 41

Other information

As far as I can tell, I do not see any sort of similar errors showing up when I make the request with other tools such as curl or Edge browser.

Might be related: #44058 (although the issue was closed for insufficient info)

If you're having trouble reproducing the issue I am happy to provide packet captures for troubleshooting.

Author:	Gnbrkm41
Assignees:	-
Labels:	area-System.Net, untriaged
Milestone:	-

[Gnbrkm41]

I've also had someone running the same program on Windows 7 having a slightly different issue with the same address (the program is self-contained with some version of 5.0.x runtime, not exactly sure what it is) - here's the stack trace. I cannot reproduce the issue locally so can't really pull out much details from here but I suppose it could be related:

[vcsjones]

(in the provided code below it should result in 503 Service Temporarily Unavailable when it works.

I am able to consistently get a 503, so it "works". What .NET runtime are you targeting? I see you are using the 5.0 SDK, but it would be helpful to know if you are targeting netcoreapp3.1, net5.0, etc.

running the same program on Windows 7 having a slightly different issue with the same address

Based on the SSLLabs of this host, it has very modern TLS configuration. In particular, it only permits TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 , TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 , and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.2 (1.3 is not applicable to Windows 7). None of these cipher suites are available on Windows 7, according to the documentation. So I would expect the handshake to fail on Windows 7.

[Gnbrkm41]

What .NET runtime are you targeting?

I targeted net5.0-windows when I built my app, and when I run Environment.Version on LINQPad 6 (which was what I was using to gather info about the error) I get 5.0.2 so I expect it to use the SDK stated above when I tested it last time.

None of these cipher suites are available on Windows 7... So I would expect the handshake to fail on Windows 7.

Ah, that's something that I didn't really know about. That explains why it failed with a different error on Windows 7...

[vcsjones]

@Gnbrkm41 What happens if you try https://vcsjones.dev? My site has the same cipher suite configuration as the site you are using. If it works, then we can rule out cipher suites.

[Gnbrkm41]

I am getting the same error with your site as well (again, occasionally):

It's possible that it's something specific to my PC. Since I have a couple other PCs (one with insider builds, and one without) I can try the same thing on those as well and see if I get the same issue.

[vcsjones]

@Gnbrkm41 Are you using LinqPad 5 or 6? The 5 version is based on .NET Framework whereas 6 is based on .NET Core. Would just be another helpful datapoint.

[Gnbrkm41]

I am definitely aware of the difference between LINQPad 5 and 6 - I am using 6 for the tests, although it did fail with some different error on LINQPad 5 as well (see the top comment for the stacktrace on LINQPad 5).

Host runtime version: 3.1.13
Default query runtime version: 5.0.2
Default query reference assembly version: 5.0.0
Roslyn Version: 3.8.0-5.20562.2
FSharp.Compiler.Service version: 22.0.3.0
NuGet client version: 5.6.0.5

[Gnbrkm41]

As far as I can tell, I'm not seeing the same issue happening when targeting .NET Core 3.1 on the same machine I was testing the issue initially. When I revert back to using 5.0.2 SDK it starts happening again.

[Gnbrkm41]

What I'm finding very odd is that it works fine on console applications however on GUI apps (e.g. WPF) it seems to reproduce consistently?

csproj:

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>WinExe</OutputType>
    <TargetFramework>net5.0-windows</TargetFramework>
    <UseWPF>true</UseWPF>
  </PropertyGroup>

</Project>

xaml:

<Window x:Class="WpfApp4.MainWindow"
        xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
        xmlns:d="http://schemas.microsoft.com/expression/blend/2008"
        xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
        xmlns:local="clr-namespace:WpfApp4"
        mc:Ignorable="d"
        Title="MainWindow" Height="450" Width="800">
    <Grid>
        <Button Click="Button_Click"/>
    </Grid>
</Window>

The code-behind:

using System;
using System.Diagnostics;
using System.Net.Http;
using System.Windows;

namespace WpfApp4
{
    /// <summary>
    /// Interaction logic for MainWindow.xaml
    /// </summary>
    public partial class MainWindow : Window
    {
        public MainWindow()
        {
            InitializeComponent();
        }

        private async void Button_Click(object sender, RoutedEventArgs e)
        {
            HttpClient client = new HttpClient();

            try
            {
                await client.GetStringAsync("https://vcsjones.dev");
            }

            catch (Exception ex)
            {
                MessageBox.Show($"Exception thrown: {ex}");
            }
        }
    }
}

With the most barebones GUI program I have above, I get the error I described earlier like once in every two tries.

---------------------------

---------------------------
Exception thrown: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.

 ---> System.Net.InternalException: Exception of type 'System.Net.InternalException' was thrown. -2146892963

   at System.Net.SecurityStatusAdapterPal.GetSecurityStatusPalFromInterop(SECURITY_STATUS win32SecurityStatus, Boolean attachException)

   at System.Net.Security.SslStreamPal.InitializeSecurityContext(SafeFreeCredentials& credentialsHandle, SafeDeleteSslContext& context, String targetName, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)

   at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)

   at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)

   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)

   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)

   --- End of inner exception stack trace ---

   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)

   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)

   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)

   at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)

   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)

   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)

   at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)

   at System.Net.Http.HttpClient.GetStringAsyncCore(HttpRequestMessage request, CancellationToken cancellationToken)

   at WpfApp4.MainWindow.Button_Click(Object sender, RoutedEventArgs e) in C:\Users\gotos\source\repos\WpfApp4\WpfApp4\MainWindow.xaml.cs:line 24
---------------------------
확인   
---------------------------

However I was never able to get the error to reproduce on a console application (targeting net5.0 also). Given that all the errors I've experienced was on either a WPF app (which is my own) or a WinForms app (LINQPad), could there be some common cause that's causing the issue to happen on GUI apps and not on console apps?

[vcsjones]

could there be some common cause that's causing the issue to happen on GUI apps and not on console apps?

Hmm. I was not able to reproduce that... maybe @wfurt might be aware of something.

[wfurt]

Could you force TLS 1.2 and try it again @Gnbrkm41? 3.1 would not do TLS 1.3 AFAIK. If we can show this is happening only with TLS 1.3 we would probably need Schannel trace and I can take it to the Schannel team.
(or alternatively HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client\Enabled -> 0)

[wfurt]

Note that the SEC_E_INVALID_PARAMETER is somewhat strange. There is cache for some inner SSL structures as well as the underlying TLS may or may not try to do TLS resume. Either one may explain the inconsistency behavior.