C# Enforcing HttpWebRequest to use Tls12 instead of SSLv3

MoreThanChaos · Oct 17, 2014 · Viewed 24k times

I have an app that makes use of a web service and acquires data via JSON. All was working fine for quite a long time, up until the latest discoveries about SSLv3 being vulnerable to man-in-the-middle attacks and server owners turning off SSLv3 for good. My application started to have problems connecting and returned the error "Request was aborted: cannot establish secure SSL/TLS connection". I've tried to look for a solution and found information that I have to add this code before creating the web request:

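        // Allow only TLS 1.2 for outgoing connections (process-wide setting).
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        // Accepts every server certificate, i.e. certificate validation is disabled.
        ServicePointManager.ServerCertificateValidationCallback = delegate
        {
            return true;
        };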

Unfortunately, no luck here: the app acts the same as before, and I have no clue whether this code does nothing or there is still some problem with the server. The error information is pretty vague and I have a problem figuring out where things go wrong.

Here is my code:

        ...
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.ContentType = GetRequestContentType();
        request.Method = method.ToString();
        request.Credentials = GetCredential(url);
        request.PreAuthenticate = true;
        CookieContainer cookieContainer = new CookieContainer();
        request.CookieContainer = cookieContainer;
        ...

I want to ask how to set Tls12 to be used as the default and ensure that, at my end, the request I make uses the desired protocol.

If I confirm that my app works fine at my end, is there a way to get more detailed information from the server response and pinpoint the precise reason for the error?

Thanks for all answers and suggestions.

EDIT

The second part of the question is solved: I found this tool, http://www.telerik.com/download/fiddler, which pretty much allows you to see what is going on with outgoing and incoming data. This tool can also decode SSL connections, and enabling this option makes my application start to work. I assume that this tool does something that makes communication between my app and the destination host possible, but I still have no idea what it could be, or how to make my app handle these connections properly by itself.

Answer

MoreThanChaos · Oct 18, 2014

Being desperate made me inspect the whole source code (the part responsible for getting data from the internet was third-party, and as long as it worked fine there was no reason to change it), and I discovered that the line

        request.Credentials = GetCredential(url);

called a method that had in its body

        ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;

So all my attempts to change that value before creating the HttpWebRequest were overwritten. Changing the SecurityProtocolType to Tls12 makes it all work now.
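
The root cause above is that `ServicePointManager.SecurityProtocol` is a static, process-wide setting that any library can overwrite between the point where it is set and the point where the connection is opened. The following is an added example, not code from the original post: it checks the setting immediately before sending, keeps certificate validation enabled while logging why a certificate fails, and reports `WebException.Status` to help pinpoint the error. `TlsGuard`, `Send` and the URL are hypothetical names, and .NET Framework 4.5 or later is assumed.

```csharp
using System;
using System.Net;
using System.Net.Security;

static class TlsGuard   // hypothetical helper name
{
    // Call after all request setup (including third-party code such as the
    // GetCredential call in the answer) and immediately before GetResponse().
    public static HttpWebResponse Send(HttpWebRequest request)
    {
        SecurityProtocolType current = ServicePointManager.SecurityProtocol;
        if (current != SecurityProtocolType.Tls12)
        {
            // The setting is static, so any code in the process can change it.
            Console.Error.WriteLine("SecurityProtocol was {0}; resetting to Tls12", current);
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        }

        // Per-request callback (.NET Framework 4.5+): log why a certificate
        // failed and reject it, instead of returning true unconditionally.
        request.ServerCertificateValidationCallback = (sender, cert, chain, errors) =>
        {
            if (errors == SslPolicyErrors.None) return true;
            Console.Error.WriteLine("Certificate rejected for {0}: {1}", request.RequestUri, errors);
            return false;
        };
        return (HttpWebResponse)request.GetResponse();
    }

    static void Main()
    {
        // Placeholder URL, constructed for this example.
        var request = (HttpWebRequest)WebRequest.Create("https://example.invalid/data.json");
        try
        {
            using (HttpWebResponse response = Send(request))
                Console.WriteLine("HTTP {0}", (int)response.StatusCode);
        }
        catch (WebException ex)
        {
            // Status separates a TLS failure (SecureChannelFailure, TrustFailure) from DNS or HTTP errors.
            Console.Error.WriteLine("{0}: {1}", ex.Status, ex.Message);
        }
    }
}
```

A logged "SecurityProtocol was ..." line means some other code in the process changed the protocol after it was set, which is the situation the answer describes.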