hmrc / vat-api

Apache License 2.0

cannot create ssl/tls channel #829

Closed katron24 closed 3 years ago

katron24 commented 3 years ago

Support request

You must read the information below before you submit a support request.

The MTD API team cannot help if your query is about:

For any of the above, you must contact the Software Developer Support Team directly at SDSTeam@hmrc.gov.uk. The SDS Team do not monitor this repository.

This repository is for technical queries relating to the VAT API. We can help with VAT-API technical queries only.

Common support questions and answers can be found on VAT API Wiki. You can also search for previous support questions here.

katron24 commented 3 years ago

Hi, after working for over a year my MTD application fails with 'The request was aborted: Could not create SSL/TLS secure channel'.

I cannot work out what has changed. Has anybody else come across this problem?

Thanks, Ron

katron24 commented 3 years ago

Hi, the solution is the line

    System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12

in VB.NET using REST. Thanks to anybody that has looked at this.

AlexJSH commented 3 years ago

@katron24 Well found - I saw the original message just now and thought - hmm - TLS error.

The background is that sandbox has required TLS1.2+ since June 2020 in preparation for production environment changing to this minimum at some point 'imminently'.

Were you getting the error on sandbox or production - I'm interested if production has switched over yet as we haven't had a notification to say it has.

Thanks

Alex

katron24 commented 3 years ago

Hi AlexJSH,

It was on production, within the last fortnight I think.

thanks

AlexJSH commented 3 years ago

@katron Thanks - sounds like the security upgrade has gone live then - but I've not seen any notification of that.

MrSent commented 3 years ago

Hi, the solution is the line

    System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12

in VB.NET using REST. Thanks to anybody that has looked at this.

The issue with this is that you're hardcoding the TLS level to 1.2. When things inevitably move to 1.3 or higher it'll require a code change. The application I wrote is compiled against .NET 4.5 and from what I've read, when you make a web request, 4.5 chooses the TLS version and it defaults to 1.0. However, you can override this behaviour and tell .NET to allow the OS to decide which is how it should be done. To do that you add this into the app.config file:

    <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSystemDefaultTlsVersions=false"/>

This goes into /configuration/runtime

However, this doesn't seem to have any effect if you are running Windows 2008 R2 or earlier. Sadly I can't always help what OS is running on the end server. In this instance I have a branch build that includes the line of code you suggested.

Ideally you should build using .NET 4.6 or later.

For reference, info found here: https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
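An added example (not from this thread or the hmrc/vat-api project) showing where the switch MrSent describes sits in a complete app.config, next to a target-framework element for 4.6 or later; it assumes a .NET Framework client application and that the OS has TLS 1.2 enabled in Schannel.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <!-- Build against 4.6 or later, as recommended above; the exact version is an
         assumption for this example and should match the project's target framework. -->
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.2" />
  </startup>
  <runtime>
    <!-- Instead of hard-coding SecurityProtocolType.Tls12 in code, let the OS
         (Schannel) choose the TLS version. The value is "false" because the switch
         is phrased as "don't enable system defaults"; false re-enables them. -->
    <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSystemDefaultTlsVersions=false" />
  </runtime>
</configuration>
```

With this in place no code change is needed when the API endpoint raises its minimum TLS version again, provided the operating system itself supports the newer version.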

mPisano commented 3 years ago

Agree +1 @MrSent - Never hard code, especially when there is an XML override.

I upgraded my project from 4.5 to 4.7 for better high DPI support, not knowing that it would affect TLS enforcement. Authentication failed, lost a few hours in a sniffer and code diffs, and added DontEnableSystemDefaultTlsVersions=false