Develop Reference

An error occurred in the secure channel support - Classic ASP HTTP Request - iis

I have a classic ASP website running on a Windows Server 2012 box. One page makes a HTTP request to another application over https using code like this:
Sub ShopXML4http(url, inStr, outStr, method, xmlerror)
Dim objhttp
Set objhttp = Server.CreateObject ("MSXML2.ServerXMLHTTP.6.0")
objHttp.open method, url, false
If Method="POST" Then
objHttp.Send instr
Else
objHttp.Send
End if
outstr=objHttp.responseText
Set objhttp=nothing
End Sub
This code works fine almost all of the time (thousands of requests per day), but sporadically it will fail with a message like this:
Number: -2147012739
Description: An error occurred in the secure channel support
Source: msxml6.dll
The application was recently moved from an old Windows 2003 Server to the 2012 Server, and this issue never seemed to be a problem on the old server. In addition, while this error is happening on the website, I could run the exact same code in a VBScript and it works fine. Resetting the application pool seems to cause the site to be able to do the secure HTTP requests again (although it often fixes itself before I can get to the server).

I have had the exact same problem after migrating from 2003 to 2008 R2 and found the solution. Change:
Set objhttp = Server.CreateObject ("MSXML2.ServerXMLHTTP.6.0")
to:
Set objhttp = Server.CreateObject ("MSXML2.XMLHTTP.6.0")
and your problem will go away.
I tried to find the pros and cons about both objects, but haven't yet found a reason to not use XMLHTTP.

I've had the same issue and tried lots of solutions offered under a variety of posts but ultimately had no success, until now. I'll detail the solution that worked for me with reference to the problem as in my case it was PayPal. I've not opened a new post as this might not be just a paypal issue in future.
The solution is a combination of a number of stackoverflow posted solutions to similar problems but this seemed the best one to add to.
The problem
Trying to test PayPal IPN on Windows Server 2008 using classic ASP using the PayPal Sandbox returns the error "An error occurred in the secure channel support".
Why it is a problem
PayPal is requiring all communications with their systems to be as secure as possible. You will need a connection that is TLS 1.2. Windows Server 2008 is not TLS 1.2 by default.
PayPal threw some confusion into the mix by saying you need a Verisign G5 certificate, which you do for the server root but not the domain you are running your code on. I also didn't install any PayPal certificates as I don't use the API. I don't believe you need your comms from an HTTPS site either - although my domain is secured using a standard GoDaddy EV cert although I did a test on a non HTTPS site after and that worked too.
My solution
First check which kind of security your server is using via SSL Labs.
It should be TLS1.2 or higher and no other TLS's or SSL's. It must also have a SHA256 encryption.
You may need to patch the server: https://support.microsoft.com/en-us/kb/3106991.
Use IISCrypto to set the correct TLS and ciphers. I used the registry changes offered up elsewhere on stackoverflow but this did not work and actually totally screwed up my server for everything using HTTPS posts, not just my development site! IISCrypto also handles the ciphers.
Make sure your application pool is v4.5, which in itself is unclear because IIS might only offer v4.0 as an option. However this is probably actually v4.5. You can verify this via https://msdn.microsoft.com/en-us/library/hh925568(v=vs.110).aspx.
Within your code you need to use Server.CreateObject ("MSXML2.XMLHTTP.6.0"), not Server.CreateObject ("MSXML2.ServerXMLHTTP.6.0") as mentioned above.
Now I've no idea why the non-server XMLHTTP works as that seems contrary to the documentation behind it. Right now, after 10 days of stress, panic and frustration I don't care! I hope this is useful for others.
Finding the solution was a nightmare so I'll add some phrases below to help others if searching:
PayPal IPN failing with server error
PayPal SSL Windows 2008 errors
An error occurred in the secure channel support
classic ASP PayPal Sandbox SSL errors
I'd like to publicly thank Rackspace and GoDaddy for their help with this. I'd like to publicly state that I found paypal have the worst technical support ever and just do not care, constantly pointing to their own docs, if they ever respond. They say they've been sending emails out about this since September 2014 but I never received one. These new requirements are active on the PayPal Sandbox but go live in September 2016. I only came across it as developing a new solution so needed the sandbox - if you're running live you won't know about the problem until it hits and then you're dead in the water. Test your entire payment system on the PayPal sandbox asap is my advice!!

None of the answers above applies to my situation. Then I hopped on the link here:
https://support.microsoft.com/en-za/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in
This update provides support for Transport Layer Security (TLS) 1.1 and TLS 1.2 in Windows Server 2012, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1.
Applications and services that are written by using WinHTTP for Secure Sockets Layer (SSL) connections that use the WINHTTP_OPTION_SECURE_PROTOCOLS flag can't use TLS 1.1 or TLS 1.2 protocols. This is because the definition of this flag doesn't include these applications and services.
This update adds support for DefaultSecureProtocols registry entry that allows the system administrator to specify which SSL protocols should be used when the WINHTTP_OPTION_SECURE_PROTOCOLS flag is used.
This can allow certain applications that were built to use the WinHTTP default flag to be able to leverage the newer TLS 1.2 or TLS 1.1 protocols natively without any need for updates to the application.
This is the case for some Microsoft Office applications when they open documents from a SharePoint library or a Web Folder, IP-HTTPS tunnels for DirectAccess connectivity, and other applications by using technologies such as WebClient by using WebDav, WinRM, and others.
This update will not change the behavior of applications that are manually setting the secure protocols instead of pass the default flag.
Client service on Windows 2008 R2 server outbound to server over TLS reciprocated the error in question. I thought it could be cipher suite compatibility. Wireshark trace indicated version in Client Hello request was TLS 1.0 but server requires TLS 1.2. The cipher suites sent to outbound server from client service were fine. The problem is the client service or application on Windows server default employs the system default, which is not TLS 1.2.
The solution is to add a registry subkey named DefaultSecureProtocols with a value corresponding to which TLS version(s) should be supported. Add said registry subkey, with type DWORD, to the following locations:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
For Internet Explorer fix, you can add a similar registry subkey titled SecureProtocols, also with type DWORD, to the following locations:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Below you can find the table of values for both subkeys:
DefaultSecureProtocols Value Protocol enabled
0x00000008 Enable SSL 2.0 by default
0x00000020 Enable SSL 3.0 by default
0x00000080 Enable TLS 1.0 by default
0x00000200 Enable TLS 1.1 by default
0x00000800 Enable TLS 1.2 by default
For example:
The administrator wants to override the default values for WINHTTP_OPTION_SECURE_PROTOCOLS to specify TLS 1.1 and TLS 1.2.
Take the value for TLS 1.1 (0x00000200) and the value for TLS 1.2 (0x00000800) then add them together in calculator (in programmer mode), the resulting registry value would be 0x00000A00.
I applied 0x00000A00 as the value for both subkeys and it successfully resolved the issue.
There is also an Easy Fix (link is here: https://aka.ms/easyfix51044) available from Microsoft, if you don't wish to manually enter registry subkeys and values.

It's all valid however the 'critical' missing bit for TLS1.2 support on Windows 7 with IIS7.5 and classic asp is setting this in the registry:-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000800
I hope that saves you a day of faffing, rebooting and head scratching! :)
This code snippet is useful for testing. https://www.howsmyssl.com/
<%
Set winhttp = Server.CreateObject("WinHTTP.WinHTTPRequest.5.1")
winhttp.open "GET", "https://howsmyssl.com/a/check", False
winhttp.Send
Response.Write winhttp.responseText
%>

In a Windows Server 2016 Classic ASP script, fetching an HTTPS URL from Windows Server 2012 R2, I recently had to remove SSL 2.0 from SecureProtocols in order to stop this secure channel error -2147012739.
' Use the latest client
Set httpClient = Server.CreateObject("WinHttp.WinHttpRequest.5.1")
' allow only TLS 1.2 or TLS 1.1
Const WHR_SecureProtocols = 9
httpClient.Option(WHR_SecureProtocols) = &h0800 + &h0200
' Other values: TLS 1.0 &h0080, SSL 3.0 &h0020, SSL 2.0 &h0008
' NB Including SSL 2.0 stops https to Windows Server 2012 R2 working
' Other options you may want to set, from https://learn.microsoft.com/en-us/windows/desktop/winhttp/winhttprequestoption
' Ignore certificate errors
Const WHR_SslErrorIgnoreFlags = 4
httpClient.Option(WHR_SslErrorIgnoreFlags) = &h3300
' Don't bother checking cert, or risking failure if we can't check
Const WHR_EnableCertificateRevocationCheck = 18
httpClient.Option(WHR_EnableCertificateRevocationCheck) = False

Troubleshooting error codes:
-2147012739 is a HRESULT.
In hexadecimal that's 0x80072F7D.
Look at the LOWORD: 0x2F7D.
Convert that back to decimal: 12157.
Lookup 12157 error codes.
Find that it matches: ERROR_WINHTTP_SECURE_CHANNEL_ERROR
A bit of Google-fu finds http://msdn.microsoft.com/en-us/library/windows/desktop/aa383770(v=vs.85).aspx which states:
ERROR_WINHTTP_SECURE_CHANNEL_ERROR
12157
Indicates that an error occurred having to do with a secure channel (equivalent to error codes that begin with "SEC_E_" and "SEC_I_" listed in the "winerror.h" header file).
However, you already discovered this as the message you got was "Description: An error occurred in the secure channel support". So this leads us right back where we started.
The other observation I make is that your code is a non-asynchronous WinHTTP request (I know it has to be to function inside ASP), but, the concern is, due to the high frequency, your machine could be processing more than one WinHTTP request concurrently. I've seen some Windows deliberately throttle the total number of active concurrent WinHTTP request by blocking the late requests. For example, on a Windows 7 machine a process cannot make more than 2 concurrent requests to the same remote server. i.e. The 3rd, 4th... requests will be blocked until the first two complete.
One solution is to load balance incoming request over more than one application pool or over more servers.

We had a variation on this issues and it really cost us some time to figure it out.
Here is the situation: An older Linux server hosting an application written in PHP and provides data through webservice calls. The server is using HTTPS. Calls from various clients are made with code using the winHTTP 5.2 library. (Winhttp.dll)
Symptom: Our clients are now getting sporadic error messages when making repeated winHTTP calls using a ‘POST’ command. The messages are either ‘The buffers supplied to a function was to small.‘ or ‘An error occurred in the secure channel support ‘. After much searching we discovered that the client’s server was logging ‘Schannel Event ID 36887 alert code 20’ in the Event Viewer that corresponded with the visible error message.
Solution: We discovered that our old Linux server could not support TLS 1.2. (CentOS 5.11) We also learned that several of our clients had recently (summer 2016) applied an update to their Microsoft servers. (Server 2008, server 2012) The fix was to force their servers to use TLS 1.1 for the webservice calls. The part that is rather strange to me is that the settings in Internet Explorer for changing the TLS had no effect on the problem. However by changing a setting in Group Policies we were able to solve the problem. Our technical advisor on this matter pointed out that the change is really obscure, but that a third-party vendor has provided a quick solution. That tool is called IIS Crypto from Nartac. https://www.nartac.com/Products/IISCrypto/Download
The tool lets you specifically select Protocols.
We are now getting a new server to host our applications (CentOS 6) and then should be able to use the TLS 1.2 protocol!

I encountered this error a few months ago myself. Most often, this issue is caused by an invalid SSL cert. Considering that at the time of the post you had just migrated to a new server, you probably just need to reinstall the SSL certificate.
I realize this question is old, but hopefully someone else can benefit from my answer.

Related

I have HTTP Version set to 2.0, but App Service is acting like it is not.
I'm using https://tools.keycdn.com/http2-test to test and it says Negative! <site> does not support HTTP/2.0.
Chrome is also using HTTP/1.1.
It looks like this is affecting all apps in the App Service Plan. I have 2 currently and neither have working HTTP/2. I added a third and it doesn't support HTTP/2 either. I have HTTPS setup on both apps and my requests are using HTTPS.
I've tried all sorts of combinations of changing the setting and restarting. I've tried stopping both apps and then restarting them.

I contacted Azure support and they found an issue with the server my app service was hosted on. They were able to fix the issue and it is working now.

I test in my site and get the same error message with you. However after waiting for serveral minutes, it will turn to HTTP/2.
As you have tested, go to App Service's Application Settings and set the HTTP version to 2.0. It may caused by the response delay.
If you want to ensure it, as Zahid said, you could refer to this blog to check if the http20Enable attibute value is true.

Azure is just starting releasing the full HTTP/2 support.
HTTP/2 is supported as HTTP Server on AppService but the ILB (Reverse-proxy) router doesn't support on the client side the HTTP/2.
So the HTTP/2 is not available end to end because of the internal reverse-proxy (ARR) but they are migration on YARP Project with support HTTP/2 and gRPC.

I'm able to get an unsecured FTP Client/Server system going, but when I try throwing in the SSL io handlers, setting up both apps to use sslvTLSv1, it shows Connected for the Client status then eventually times out (the only Server message I get is Socket Error # 10060).

After many trials and tribulations trying to resolve this issue, I've determined that there are serious problems with enabling a certificate-less security system; meaning that, if you want it secured (with the current Indy code), you need to use certificates. Perhaps there are some settings in the SSL component that need to be made, but there just isn't specific enough info (working examples of certificate-less SSL) to make this work. Hopefully this deadlock will be resolved in a future release of Indy ;)

For over a year I have been running a photo based website that allows customers to order prints, which are subsequently fulfilled by a printing company. Orders are posted in XML format to a designated URL. Recently it has come to my attention that the orders are not being post and I have found the following error when examining the server logs:
[Mon Dec 01 21:17:38 2014] [error] [client XXX] cURL error: [35] Cannot communicate securely with peer: no common encryption algorithm(s).
The tech team for the printing company was able to provide me with some direction, but I remain confused. Initially they informed me that the server currently supports SSLv2, SSLv3 and TLS 1.0 only, and that it was likely that we only have TLS 1.2 enabled on our end. They claimed that nothing was changed on their end, and I personally know that nothing has been modified on ours for months.
When I originally encountered the problem I attempted to update the server packages, but this failed to resolve the problem. Later I thought that perhaps the issue revolved around the security groups for the Amazon EC2 instance, but I am not entirely sure. How would I go about enabling TLS 1.0, assuming it is not already enabled? How would I check what transport layer securities and secure socket layers are currently enabled? Any other suggestions?

If you can route the traffic through an HTTP proxy, you can install Fiddler and see what is in the TLS negotiation info:

By default on most systems libcurl already speaks TLS 1.0 fine if that's what the server wants.
I rather suspect your problem is that the server insists on using a cipher for this URL that libcurl won't agree to. More specifically, I would suspect it is an RC4-using cipher and RC4 is deemed insecure and is disabled by default by libcurl.

We are experiencing the following error when trying to use an external web service from our application deploy under IIS 7.5.
Error - The underlying connection was closed: Could not establish secure channel for SSL/TLS.
This works from other servers, but on this particular one it fails. This started happening when the server we are trying to connect with disallowed SSL connections and is only accepting TLS. As described in this link http://support.microsoft.com/kb/915599 we changed the registry, but are still seeing the error. Please see the attached image of the registry to make sure this was done properly. It seems like IIS is still trying to use the SSL protocol. I'm a bit confused where in the communication process IIS selects the protocol, SSL vs TLS. Maybe there's something that needs to be done to ensure TLS is selected? Other ideas?

This was fixed at the code level by adding the following line -
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;

Website started life originally under IIS 6 and the site worked great there. Now after relocating to a new server running W2K8S, everything but mail delivery from the website now works great under IIS 7.
Researched briefly on the Web to see if anybody had a good resolution, but no avail... Not even a glimmer of hope on Microsoft's own support site.
Here are the steps taken so far on the new W2K8S box:
Added the feature for SMTP under the Server Manager
Enabled SMTP e-mail for the site itself in IIS 7 Manager to deliver e-mail to SMTP server local host, unsuccessful
Enabled SMTP e-mail for the root site in IIS 7 Manager (not sure if that needs to be on to enable sites) to deliver e-mail to SMTP server local host, unsuccessful
After failing those basic setups, I wanted to be sure I can actually talk from/to the serveron port 25. And I can successfully telnet from/to the server in question to a test e-mail on port 25 get a HELO, etc. So I do not believe it is a firewall config issue.
The IIS 7 setup test was performed with both anonymous and Windows authentication - no luck either way.
Manually checked Web Config file and it reflects correct entry for the server to use the localhost.
Read the manual and no luck there either... :-/

I faced the same problem.
I came across this link http://www.frontpagewebmaster.com/m-215289/tm.htm
and I was able to solve the issue. Go to the last post of this link.
In my case I solve problem by giving rights to "NETWORK SERVICE" user to the "Pickup" folder.
Hope this might help....

OK, to the post that said "give NETWORK USER the write rights to the pickup folder" it finally works. What I did was:
You need to use a "smart host" unless you are running exchange server. I am using a Gmail account, Gmail allows SMTP forwarding.
You can use Windows authentication for security on the SMTP server and the IIS7 config setting.
First step, set the delivery method = "network" in your web page, and get your smart host configured independently of the SMTP server.
SmtpClient client = new SmtpClient("smtp.gmail.com", 587);
client.DeliveryMethod = SmtpDeliveryMethod.Network;
client.UseDefaultCredentials = false; // use your smart host login client.Credentials = new NetworkCredential("xxxxx#gmail.com", "password");
client.EnableSsl = true;
This will send the email directly and bypass your SMTP server.
Second step, once you have that working, write a sample windows app to use your SMTP server independent of your web page, and get that working.
SmtpClient client = new SmtpClient("your server ip", 25);
client.DeliveryMethod = SmtpDeliveryMethod.PickupDirectoryFromIis;
client.EnableSsl = false; // you can't use ssl with a pickup folder
client.UseDefaultCredentials = true; // use windows credentials
This will bypass your web page and make sure you have your SMTP server configured properly.
Finally, get your web page working, by setting the sharing on your pickup folder to allow write access to NETWORK_SERVICE. Transfer the login info from step 3, into your SMTP settings, set authentication to integrated security, and use the code in step 4 for your web page.

I had exactly the same problem as described in this old question. Finally I found a solution to it. In my case the operation system is W2008 R2 with IIS 7.5, but I think this doesn’t matter.
The underlying problem is that the SMTP Service in W2008 R2 seems to be a legacy part of the IIS. It is installed with the IIS 6.0 administration tools, side by side to the IIS 7.X Server. This causes two derived problems:
IIS 7.X knows nothing about the SMTP service. If you configure SMTP in ASP.NET to use the PickupDirectoryFromIis this results in an exception. Therefore you can’t use this SMTP configuration:
<smtp deliveryMethod="PickupDirectoryFromIis" />
But it is possible to configure SMTP with SpecifiedPickupDirectory, You can use this configuration:
<smtp deliveryMethod="SpecifiedPickupDirectory">
<specifiedPickupDirectory pickupDirectoryLocation="C:\inetpub\mailroot\Pickup" />
</smtp>
If you configure the pickup directory in this way, you may run into a second kind of problem: IIS6 and IIS7.X have different security systems. IIS 7.X introduces integrated security with application pool identities. IIS 6.0 and its SMTP service don’t know about this. Therefore you have to grant write permissions for IIS_IUSRS to the pickup folder. In my configuration the pickup folder is C:\inetpub\mailroot\pickup.

I noticed that the event ID 4006 was refering to the domain controller ip instead of the mail server ip.
I used the iis 6 admin tool to configure a smarthost pointing to the mail server and voila! the issue was resolved.

I am not sure if this diagnostic tool can provide more insights,
http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1308
This tool is for x86.

Have you checked to see if the SMTP service is accepting mail for relay from localhost? To do this, telnet from the machine in question to the local SMTP server and use SMTP commands to send a test message. The SMTP service is very picky about command formatting so you'll have to be careful when entering commands (i.e. don't use backspace to correct typographical errors).

Is this, by chance, an old "classic" ASP app relying on CDONTS to send mail?
If so, perhaps one of these links would be helpful?
Edited: I had replied before noticing the note on the original post. Disregard...

I came across this post when researching getting SMTP running on my ASP.Net app we're migrating from IIS6 to IIS7. What I found was we didn't have to set up the SMTP SERVER at all - simply setting up SMTP Email was enough - with the additional benefit of NOT having the security concerns of SMTP relaying thru the web server!
so if you don't need your web server to actually do the SMTP routing, you don't have to set up the server at all in IIS7.