The request was aborted: Could not create SSL/TLS secure channel

[ekalkst]

From the application I am able to get this target to work over HTTP but over HTTPS it fails. Enabled nlog internal logging and I'm given this error:

Error SplunkHttpEventCollector(Name=Splunk): Failed to send LogEvents Exception: Splunk.Logging.HttpEventCollectorException: Failed to send request: InternalServerError ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
   at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)

Tried looking into it. Elimated TLS mismatch of servers, I have the cert that splunk originally sets up. I have a service running on the splunk server that will generate the logs that i want, pass it over to my app server and the app server uses the nlog target to send to the HEC. Looked into cipher suites but I dont think that's the issue and now drawing a blank.

[snakefoot]

@ekalkst Have you tried to configure the setting IgnoreSslErrors=true on the SplunkHttpEventCollector ?

[ekalkst]

Hello, yes I've tried adding that and I get the same error

[snakefoot]

Tried to google Could not create SSL/TLS secure channel for you, and found this:

https://stackoverflow.com/questions/32994464/could-not-create-ssl-tls-secure-channel-despite-setting-servercertificatevalida

Saying that:

if your server offers only SSLv3 and TLSv10 and your client needs TLSv12 then you will receive this error message

And you should try and change the global behavior, to see if it fixes.

ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

Maybe the SplunkHttpEventCollector should have an option to configure its local accepted SecurityProtocol. But I guess the correct thing is to enable Tls12 on the server.

[ekalkst]

Hi again.

Both machines are running on Win Server 2016, where I believe Schannel is using tls1.2

I'll preface that my background is not programming, more infrastructure so sorry for any invalid/silly questions. The Global behavior change you suggested, I imagine is modifying the program code. The application that runs I wouldn't have the ability to modify outside of Nlog/Web.config.

Application is .net framework with IIS frontend SQL server backend. Logs get sent by a client machine to the application server and then passed with Nlog to the target(in this attempt splunk HEC)

[snakefoot]

Think you can also configure the global ssl-config for the application using web.config app.config. Try to Google it. Not expert myself.

Sent from my Samsung device

-------- Original message -------- From: ekalkst notifications@github.com Date: 13/08/2018 19:18 (GMT+01:00) To: "AlanBarber/NLog.Targets.Splunk" NLog.Targets.Splunk@noreply.github.com Cc: Rolf Kristensen sweaty1@hotmail.com, Comment comment@noreply.github.com Subject: Re: [AlanBarber/NLog.Targets.Splunk] The request was aborted: Could not create SSL/TLS secure channel (#18)

Hi again.

Both machines are running on Win Server 2016, where I believe Schannel is using tls1.2

I'll preface that my background is not programming, more infrastructure so sorry for any invalid/silly questions. The Global behavior change you suggested, I imagine is modifying the program code. The application that runs I wouldn't have the ability to modify outside of Nlog/Web.config.

Application is .net framework with IIS frontend SQL server backend. Logs get sent by a client machine to the application server and then passed with Nlog to the target(in this attempt splunk HEC)

— You are receiving this because you commented. Reply to this email directly, view it on GitHubhttps://github.com/AlanBarber/NLog.Targets.Splunk/issues/18#issuecomment-412595112, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AK-fnNYlEk1Dib8VbvOrYedQgcIr4gcqks5uQbTKgaJpZM4V5Qln.

[AlanBarber]

Sorry been out for a while with personal issues.

I'll work in adding a new option to define which SSL/TLS settings to permit for usage with the ServicePointManager.SecurityProtocol. We can see if that will allow you to bypass the error.

[AlanBarber]

@ekalkst I've created a new version v2.2.0-rc01 that includes a new config property

ServicePointManagerProtocols="Ssl3,Tls,Tls11,Tls12"

You can provide any option of comma separated values

give that a try to see if you can get it to work around the error you are seeing.

https://www.nuget.org/packages/NLog.Targets.Splunk/2.2.0-rc01 https://github.com/AlanBarber/NLog.Targets.Splunk/releases/tag/v2.2.0-rc01

[snakefoot]

@AlanBarber Think it is a bad idea to modify the global ServicePointManager. It will bring unwanted surprises all other doing web-requests.

[AlanBarber]

@snakefoot Yeah, not a big fan of the idea but i'd like to see if it helps with the issue then I can decided on viability of the option and how to deal with the unwanted side effects.

[ekalkst]

Hi guys,

I was able to get it to work by forcing strong crypto (based on the google) Two powershell entries:

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

To check versions [Net.ServicePointManager]::SecurityProtocol

That and making sure ignoresslerrors is True

[snakefoot]

Might also be relevant: https://support.microsoft.com/help/4458166/applications-that-rely-on-tls-1-2-strong-encryption-experience-connect failures after a Windows upgrade.

[AlanBarber]

i'm going to close this out since a workaround was found.

thanks!