Could not create SSL/TLS secure channel for Facebook
D

4

9

I've had social sign-in using Facebook implemented in Production for some time. As of this morning, it is no longer working for me. I am getting the same error in dev (which has no SSL) and in production, which is hosted on Azure Web Sites, and does use SSL.

Here's the error I'm seeing:

    [WebException: The request was aborted: Could not create SSL/TLS secure channel.]
       System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request) +283
       System.Net.WebClient.DownloadString(Uri address) +100
       DotNetOpenAuth.AspNet.Clients.FacebookClient.QueryAccessToken(Uri returnUrl, String authorizationCode) +350
       DotNetOpenAuth.AspNet.Clients.OAuth2Client.VerifyAuthentication(HttpContextBase context, Uri returnPageUrl) +202
       DotNetOpenAuth.AspNet.OpenAuthSecurityManager.VerifyAuthentication(String returnUrl) +411
       Microsoft.Web.WebPages.OAuth.OAuthWebSecurity.VerifyAuthenticationCore(HttpContextBase context, String returnUrl) +189
       Microsoft.Web.WebPages.OAuth.OAuthWebSecurity.VerifyAuthentication(String returnUrl) +139

Anyone else seeing this? My Google login continues to work just fine.

Direct answered 15/10, 2014 at 17:35 Comment(2)
Are you still using SSL3? SSL3 has been disabled on all of Facebook's endpoints due to security.stackexchange.com/questions/70719/… - Extravasate
Looks like I was. I tried what Mikejh99 suggested, but am still getting the same exception. - Direct
V
14

As Igy said, this is due to SSLv3 being disabled by Facebook because of the POODLE exploit.

I had the same thing happen to an app that connects to Twitter. I fixed it by adding this line of code to use TLS. I'm not sure this is the best solution, but it works for now.

System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12

EDIT: Forgot to mention this, but I added that line to Application_Start of global.asax

Vue answered 15/10, 2014 at 19:20 Comment(5)
Thanks for the edit, that helped. Unfortunately, it didn't work. I set a breakpoint to make sure that the application is indeed restarting, and it is getting hit; unfortunately, I'm still getting the same exception. - Direct
For good measure, I also tried Tls and Tls11. Same result. - Direct
This line of code, before every web request using HTTPS, worked for me. All Facebook, LinkedIn and Twitter connect/post were affected. - Burress
As a side note, my setting kept getting reverted. I used dotPeek to add my solution folder to the assembly and then used "Find usages" on SecurityProtocol. Turns out there was a 3rd-party plugin that had it hardcoded to use Ssl3 and was causing a further problem. - Direct
Correction: "add my solution folder to the assembly list" - Direct
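
One way to apply the fix from this answer while also catching the situation described in the comments, where another component resets the value to Ssl3. This is an added example, not code posted by anyone in the thread; `TlsPolicy`, `Sanitize` and `Enforce` are hypothetical names, and it assumes an ASP.NET application on .NET Framework 4.5 or later.

```csharp
using System;
using System.Diagnostics;
using System.Net;

// Added example. TlsPolicy, Sanitize and Enforce are hypothetical names.
public static class TlsPolicy
{
    // Pure function: remove SSL 3.0 from the offered set and make sure TLS 1.2 is offered.
    // Other flags (Tls, Tls11, newer values) are left as the application set them.
    public static SecurityProtocolType Sanitize(SecurityProtocolType current)
    {
        // 0 is SystemDefault on .NET Framework 4.7+: the OS picks the protocols, leave it alone.
        if (current == 0) return current;
        return (current & ~SecurityProtocolType.Ssl3) | SecurityProtocolType.Tls12;
    }

    // Apply the policy to the process-wide setting. Returns true when the value had to be
    // corrected, i.e. some code set it to something else since the last call.
    public static bool Enforce(string where)
    {
        SecurityProtocolType before = ServicePointManager.SecurityProtocol;
        SecurityProtocolType after = Sanitize(before);
        if (before == after) return false;

        ServicePointManager.SecurityProtocol = after;
        Trace.TraceWarning("SecurityProtocol was {0} at {1}; reset to {2}", before, where, after);
        return true;
    }
}

// Global.asax code-behind.
public class Global : System.Web.HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        TlsPolicy.Enforce("Application_Start");
    }

    // Re-check on every request: a plugin that hardcodes Ssl3 can overwrite the
    // static setting after startup, which is why a one-time assignment gets reverted.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        TlsPolicy.Enforce("BeginRequest " + Request.Path);
    }
}
```

`ServicePointManager.SecurityProtocol` is process-wide, so the per-request check only detects and undoes an override; the trace warning shows that one is happening, and the lasting fix is removing the hardcoded assignment from the offending library.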
V
0

Facebook has dropped support for SSL 3.0 across the Facebook Platform API and the Real-Time Updates API, after a vulnerability in the protocol was revealed publicly on October 14, 2014 (http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html).

Old versions of the PHP SDK (Facebook PHP SDK 3.1.1 and older) that used SSL 3.0 will now no longer work.

All developers should upgrade to Facebook SDK 3.2.3 or greater. SDK 4.0.0 is recommended.

Va answered 16/10, 2014 at 4:10 Comment(0)
H
0

We have the same problem in a live environment. All accounts were changed at the same time:

  • Facebook
  • Twitter
  • LinkedIn

For Twitter, I think all that is needed is to update Twitterizer.dll or the latest 3rd-party Twitter library and check the code changes.

For LinkedIn it would be interesting to use OAuth v2 (or the latest one, I do not remember the version release), but I remember it is very, very difficult to solve.

For Facebook, the same: change the SDK to the latest one and relearn the library changes.

It was planned in August that this was going to happen on October 15th, 2014.

regards,

Isy

Huei answered 16/10, 2014 at 9:42 Comment(0)
U
0

Why would setting the SecurityProtocol to TLS be a solution? .NET should negotiate the highest possible protocol with the server anyway and, if TLS is an option, prefer that one over SSL, shouldn't it?!

Undershrub answered 3/11, 2014 at 20:48 Comment(1)
Yes, but I had a third party library that was overriding the default and specifically requesting SSL only. - Direct
