Error during Click Twice Update: The request was aborted: Could not create SSL/TLS secure channel.

COMAddin Dev




Posts: 26
Joined: 2019-07-11
My Expertise Level : New-Bee : Apologies in Advance for anything Non-ADX or Obvious / Trivial

Background:
- We have an ADX add-in for which I have used Click Twice Deployment (MSI).
- Currently we are using .NET 4.5 as the target framework.
- When we use the Click Twice Deployment for the auto-upgrade process described in the documentation with a localhost-hosted "Installation Url", all works well as it's an http url.

Problem:
- However, when we host the add-in on our servers, which have URLs like "https://download.mysite.com/abc/MyAddin4", we get an error like the one below:


Application Domain:    ....updater.exe
Assembly Codebase:     file:///C:/Users/../AppData/Local/.../77E0137504ED4437B438AD95A256769F78/2.0.0/....updater.exe
Assembly Full Name:    .....exe, Version=1.0.0.0, Culture=neutral, PublicKeyToken=4416dd98f0xxx
Assembly Version:      1.0.0.0
Exception Source:      System
Exception Type:        System.Net.WebException
Exception Message:     The request was aborted: Could not create SSL/TLS secure channel.
---- Stack Trace ----
   at System.Net.WebClient.DownloadFile(Uri address, String fileName)
   at System.Net.WebClient.DownloadFile(String address, String fileName)
   at AddinExpress.Projects.Common.Utilities.DownloadFile(String url, String destFile, IWebProxy proxy)
   at AddinExpress.Projects.Common.Utilities.CheckForUpdates(Object module, String url, IWebProxy proxy, String appDir, CTVersionInfo& versionInfo, String currentVersion, String currentLanguage)
   at AddinExpress.Deployment.Updater.ADXUpdaterModule.CheckForUpdates(CTVersionInfo& versionInfo)
   at AddinExpress.Deployment.Updater.UpdaterEngine.updateWorker_DoWork(Object sender)




What I know
- If I understand correctly, this problem isn't really ADX-specific, but since the download is triggered by ADX code I thought of posting here to get some expert advice on handling it.
- So, the problem seems to be that until .NET 4.5, TLS 1.2 was not enabled by default and one had to write code like this:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
- I actually wrote sample code to download the update manually like this using a test script, and without the above statement I got the same error: The request was aborted: Could not create SSL/TLS secure channel.

- At this point, after a lot of searching on forums and Google, I seem to have the following options:
1) Somehow manage to add this -> ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
before the DownloadFile call. However, I am not sure how to do this.
2) Use .NET 4.6 for my project (which, as per my reading, defaults to using TLS 1.2). We tried this but it still gives us the same error.
3) Have some registry entries added that will force the use of TLS 1.2 (or whatever is the latest), something this package seems to do / document: https://github.com/TheLevelUp/pos-tls-patcher#net-4x

Now, the last option would definitely need admin rights to work, so I believe it's out of the question. But I did add these entries manually and tested, and the upgrade works if I do that.

Question
My question is: what should I be doing to resolve this?
Any other ways I am missing?
Posted 11 Nov, 2019 07:25:35 Top
TheNewCOMAddin Dev




Posts: 26
Joined: 2019-07-11
Do let me know any inputs on this:

The following options were explored, but each either did not work when implemented or was not feasible for our use case:
- Add registry values: since these are HKLM type and would need elevated permissions, this is out of the question for us. (details here: )
- Add a line like: ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; We did confirm that this works when we manually try to download the same file via sample code.
ADX Team: Do you have any provision for this?
- AppContext switch flag: we tried adding the following lines; this somehow does not seem to have any effect.

  <appSettings>
    <add key="AppContext.SetSwitch:Switch.System.Net.DontEnableSchUseStrongCrypto" value="false"/>
    <add key="AppContext.SetSwitch:Switch.System.Net.DontEnableSystemDefaultTlsVersions" value="false"/>
  </appSettings>

We also tried a <runtime> setting:
  <runtime>
    <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=false;Switch.System.Net.DontEnableSystemDefaultTlsVersions=false"/>
  </runtime>
Posted 12 Nov, 2019 06:05:07 Top
Andrei Smolin


Add-in Express team


Posts: 17361
Joined: 2006-05-11
Hello COMAddin Dev,

Try the suggestion at https://stackoverflow.com/questions/2859790/the-request-was-aborted-could-not-create-ssl-tls-secure-channel; it starts with this text "In case that the client is a windows machine, a possible reason could be that the tls or ssl protocol required by the service is not activated." Does this help or not?

Regards from Belarus (GMT+3),

Andrei Smolin
Add-in Express Team Leader
Posted 12 Nov, 2019 06:11:08 Top
TheNewCOMAddin Dev




Posts: 26
Joined: 2019-07-11
Hi Andrei,

Thanks for the reply.

Executing the following in Windows PowerShell:

PS C:\WINDOWS\system32> [Net.ServicePointManager]::SecurityProtocol
Ssl3, Tls


We do see this to be the issue, as you mentioned. We created a sample add-in with a button to download the file, and when we use similar code to download we can replicate this issue. The only way around it seems to be to use:
System.Net.ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; or something similar

Which seems (if I am not wrong) to force enable TLS 1.2.
So how do I tell this to the "updater" application and force it to enable it? Any workarounds?

Thanks again.
Posted 12 Nov, 2019 07:22:01 Top
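An added example, not part of the thread and not Add-in Express code: a small C# console probe that attempts a handshake restricted to each of TLS 1.0, 1.1 and 1.2 and reports which ones the download server accepts, to confirm that the error above is a protocol-version mismatch. It assumes .NET Framework 4.5 or later; the class name TlsProbe is hypothetical and the default host is the placeholder from the sample URL in the question.

```csharp
// Added example: probe which TLS versions a server accepts.
// TlsProbe is a hypothetical name; the default host is the placeholder
// from the question's sample URL. Requires .NET Framework 4.5+.
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

static class TlsProbe
{
    // Returns true when a handshake restricted to 'protocol' completes.
    // Default certificate validation applies, so an untrusted certificate
    // also yields false; 'detail' shows which kind of failure occurred.
    static bool Supports(string host, int port, SslProtocols protocol, out string detail)
    {
        try
        {
            using (var tcp = new TcpClient(host, port))
            using (var ssl = new SslStream(tcp.GetStream(), false))
            {
                // Offer exactly one protocol version; no client certificate.
                ssl.AuthenticateAsClient(host, null, protocol, false);
                detail = ssl.SslProtocol + ", " + ssl.CipherAlgorithm;
                return true;
            }
        }
        catch (Exception ex) // AuthenticationException, IOException, SocketException
        {
            detail = ex.GetType().Name + ": " + ex.Message;
            return false;
        }
    }

    static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "download.mysite.com";
        SslProtocols[] versions = { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 };
        foreach (SslProtocols v in versions)
        {
            string detail;
            bool ok = Supports(host, 443, v, out detail);
            Console.WriteLine("{0,-6} {1,-9} {2}", v, ok ? "accepted" : "refused", detail);
        }
    }
}
```

A server that refuses Tls and accepts only Tls12 cannot be reached by a client whose ServicePointManager.SecurityProtocol is limited to Ssl3, Tls, which is the value shown in the PowerShell output above.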
TheNewCOMAddin Dev




Posts: 26
Joined: 2019-07-11
Hello ADX Team,
Kindly help us on this. Is there some provision to specify the TLS version or force the latest?

From what I understand, the solution to this problem seems to be one of these:
1) The "Updater" application should have these in its config file so as to force the use of strong crypto.

  <runtime>
    <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=false;Switch.System.Net.DontEnableSystemDefaultTlsVersions=false"/>
  </runtime>


2) System.Net.ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
or equivalent code before the DownloadFile call.

Thanks
Posted 13 Nov, 2019 06:02:22 Top
Andrei Smolin


Add-in Express team


Posts: 17361
Joined: 2006-05-11
Hello,

The updater is built using .NET 2.0 which doesn't support Tls11 and Tls12. We will think on how we would fix this. As to now, you should use a channel that supports Ssl3 or Tls only.

Regards from Belarus (GMT+3),

Andrei Smolin
Add-in Express Team Leader
Posted 13 Nov, 2019 06:11:37 Top
TheNewCOMAddin Dev




Posts: 26
Joined: 2019-07-11
Hi Andrei,

Thank you for confirming this.
Do you have any timeline for TLS1.2 support for the updater?
Also, If you could elaborate on this "As to now, you should use a channel that supports Ssl3 or Tls only."
What options do you suggest for now?


Thanks
Posted 18 Nov, 2019 22:58:47 Top
Andrei Smolin


Add-in Express team


Posts: 17361
Joined: 2006-05-11
Hello,

TheNewCOMAddin Dev writes:
Do you have any timeline for TLS1.2 support for the updater?


I expect a fix for this issue will be available in 3-4 weeks.

TheNewCOMAddin Dev writes:
Also, If you could elaborate on this "As to now, you should use a channel that supports Ssl3 or Tls only."


For now, you can use a server that doesn't require using TLS 1.2.

Regards from Belarus (GMT+3),

Andrei Smolin
Add-in Express Team Leader
Posted 19 Nov, 2019 05:08:29 Top
Andrei Smolin


Add-in Express team


Posts: 17361
Joined: 2006-05-11
Hello All,

An update: A new build is expected in 2-3 weeks after the New Year.

Regards from Belarus (GMT+3),

Andrei Smolin
Add-in Express Team Leader
Posted 24 Dec, 2019 06:09:54 Top