Login/Register
An error occurred in the secure channel support - Classic ASP HTTP Request
Asked Answered
iisasp-classicxmlhttprequestwindows-server-2012
P

9

32

I have a classic ASP website running on a Windows Server 2012 box. One page makes a HTTP request to another application over https using code like this:

Sub ShopXML4http(url, inStr, outStr, method, xmlerror)
  Dim objhttp
  Set objhttp = Server.CreateObject ("MSXML2.ServerXMLHTTP.6.0")
  objHttp.open method, url, false
  If Method="POST" Then
    objHttp.Send instr
  Else
    objHttp.Send
  End if   
  outstr=objHttp.responseText
  Set objhttp=nothing
End Sub

This code works fine almost all of the time (thousands of requests per day), but sporadically it will fail with a message like this:

Number: -2147012739

Description: An error occurred in the secure channel support

Source: msxml6.dll

The application was recently moved from an old Windows 2003 Server to the 2012 Server, and this issue never seemed to be a problem on the old server. In addition, while this error is happening on the website, I could run the exact same code in a VBScript and it works fine. Resetting the application pool seems to cause the site to be able to do the secure HTTP requests again (although it often fixes itself before I can get to the server).

Posterity answered 25/1, 2014 at 19:10 Comment(11)
I was able to verify that on the same application pool I was able to successfully do the exact same request in a ASP.NET page code-behind while it was giving the error in the Classic ASP page.Posterity
I just tried converting the classic ASP page from the MSXML2.ServerXMLHTTP object to WinHttp.WinHttpRequest.5.1. Again that works fine for many requests, but eventually it also got the secure channel support error.Posterity
Now I changed the site over from integrated mode to classic mode in order to have it run more like IIS 6. Still the issue has happened at least twice in the last 24 hours.Posterity
I suppose that is a network problem on level below HTTP(S). View System, Application and Security event log on both servers. Also, if it possible, modify your script for write simplest txt file, with "start time" (before open method) and "stop time" (after send method). Look at time difference when service fail. Also try call setOption method with value SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS - i don't believe that can help, but try.Conjoined
Does the request you are sending refer to the same server the script is running on?Indian
All SSL/TLS communication in Windows is handled by a DLL called schannel.dll. Full logging into the System EventLog for that dll can be enabled by creating the DWORD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging with the value 7. Read more here: support.microsoft.com/kb/260729.Weak
I couldn't send a https request to any server. I don't think this is going to get solved, and I actually removed all of the .Net code and put it into a different site in IIS. Everything works fine now.Posterity
You should check your web.config settings for Classic ASP.Excrement
In our case, it turned out to be a bad cert (still not sure what went wrong). We have 100 identical (well, apparently "nearly identical") servers, and on ONE of them, we were getting SChannel errors. They were in the Windows EventLog under SourceName=Schannel, type=Error, User=System, Message=A fatal error occurred when attempting to access the SSL client credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10003.Hasa
It could be a problem with keepalives (i.e. the connection is resetting.) Do you see the problem happening at regular intervals of time?Toastmaster
The "Easy fix" on this page support.microsoft.com/en-us/help/3140245/… worked for me (Windows Server 2008 R2, MSXML2.ServerXMLHTTP, ASP and WScript). The fix will create the registry settings mentioned in most answers.Starlet
A
19

I have had the exact same problem after migrating from 2003 to 2008 R2 and found the solution. Change:

Set objhttp = Server.CreateObject ("MSXML2.ServerXMLHTTP.6.0")

to:

Set objhttp = Server.CreateObject ("MSXML2.XMLHTTP.6.0")

and your problem will go away.

I tried to find the pros and cons about both objects, but haven't yet found a reason to not use XMLHTTP.

Arciniega answered 29/10, 2014 at 19:11 Comment(2)
"MSXML2.XMLHTTP.6.0" doesn't support "waitForResponse" method. That's a con.Noncommittal
This approach is dangerous because you a substituting a component designed for a server-side script with a component design to work in a client-side script.Antisemite
E
8

I've had the same issue and tried lots of solutions offered under a variety of posts but ultimately had no success, until now. I'll detail the solution that worked for me with reference to the problem as in my case it was PayPal. I've not opened a new post as this might not be just a paypal issue in future.

The solution is a combination of a number of stackoverflow posted solutions to similar problems but this seemed the best one to add to.

The problem

Trying to test PayPal IPN on Windows Server 2008 using classic ASP using the PayPal Sandbox returns the error "An error occurred in the secure channel support".

Why it is a problem

PayPal is requiring all communications with their systems to be as secure as possible. You will need a connection that is TLS 1.2. Windows Server 2008 is not TLS 1.2 by default.

PayPal threw some confusion into the mix by saying you need a Verisign G5 certificate, which you do for the server root but not the domain you are running your code on. I also didn't install any PayPal certificates as I don't use the API. I don't believe you need your comms from an HTTPS site either - although my domain is secured using a standard GoDaddy EV cert although I did a test on a non HTTPS site after and that worked too.

My solution

  1. First check which kind of security your server is using via SSL Labs. It should be TLS1.2 or higher and no other TLS's or SSL's. It must also have a SHA256 encryption. You may need to patch the server: https://support.microsoft.com/en-us/kb/3106991.

  2. Use IISCrypto to set the correct TLS and ciphers. I used the registry changes offered up elsewhere on stackoverflow but this did not work and actually totally screwed up my server for everything using HTTPS posts, not just my development site! IISCrypto also handles the ciphers.

  3. Make sure your application pool is v4.5, which in itself is unclear because IIS might only offer v4.0 as an option. However this is probably actually v4.5. You can verify this via https://msdn.microsoft.com/en-us/library/hh925568(v=vs.110).aspx.

  4. Within your code you need to use Server.CreateObject ("MSXML2.XMLHTTP.6.0"), not Server.CreateObject ("MSXML2.ServerXMLHTTP.6.0") as mentioned above.

Now I've no idea why the non-server XMLHTTP works as that seems contrary to the documentation behind it. Right now, after 10 days of stress, panic and frustration I don't care! I hope this is useful for others.

Finding the solution was a nightmare so I'll add some phrases below to help others if searching:

PayPal IPN failing with server error

PayPal SSL Windows 2008 errors

An error occurred in the secure channel support

classic ASP PayPal Sandbox SSL errors

I'd like to publicly thank Rackspace and GoDaddy for their help with this. I'd like to publicly state that I found paypal have the worst technical support ever and just do not care, constantly pointing to their own docs, if they ever respond. They say they've been sending emails out about this since September 2014 but I never received one. These new requirements are active on the PayPal Sandbox but go live in September 2016. I only came across it as developing a new solution so needed the sandbox - if you're running live you won't know about the problem until it hits and then you're dead in the water. Test your entire payment system on the PayPal sandbox asap is my advice!!

Edelmiraedelson answered 25/3, 2016 at 9:21 Comment(0)
R
7

None of the answers above applies to my situation. Then I hopped on the link here:

https://support.microsoft.com/en-za/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

This update provides support for Transport Layer Security (TLS) 1.1 and TLS 1.2 in Windows Server 2012, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1.

Applications and services that are written by using WinHTTP for Secure Sockets Layer (SSL) connections that use the WINHTTP_OPTION_SECURE_PROTOCOLS flag can't use TLS 1.1 or TLS 1.2 protocols. This is because the definition of this flag doesn't include these applications and services.

This update adds support for DefaultSecureProtocols registry entry that allows the system administrator to specify which SSL protocols should be used when the WINHTTP_OPTION_SECURE_PROTOCOLS flag is used.

This can allow certain applications that were built to use the WinHTTP default flag to be able to leverage the newer TLS 1.2 or TLS 1.1 protocols natively without any need for updates to the application.

This is the case for some Microsoft Office applications when they open documents from a SharePoint library or a Web Folder, IP-HTTPS tunnels for DirectAccess connectivity, and other applications by using technologies such as WebClient by using WebDav, WinRM, and others.

This update will not change the behavior of applications that are manually setting the secure protocols instead of pass the default flag.

Client service on Windows 2008 R2 server outbound to server over TLS reciprocated the error in question. I thought it could be cipher suite compatibility. Wireshark trace indicated version in Client Hello request was TLS 1.0 but server requires TLS 1.2. The cipher suites sent to outbound server from client service were fine. The problem is the client service or application on Windows server default employs the system default, which is not TLS 1.2.

The solution is to add a registry subkey named DefaultSecureProtocols with a value corresponding to which TLS version(s) should be supported. Add said registry subkey, with type DWORD, to the following locations:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

For Internet Explorer fix, you can add a similar registry subkey titled SecureProtocols, also with type DWORD, to the following locations:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

Below you can find the table of values for both subkeys:

DefaultSecureProtocols Value         Protocol enabled
0x00000008                           Enable SSL 2.0 by default
0x00000020                           Enable SSL 3.0 by default
0x00000080                           Enable TLS 1.0 by default
0x00000200                           Enable TLS 1.1 by default
0x00000800                           Enable TLS 1.2 by default

For example:

The administrator wants to override the default values for WINHTTP_OPTION_SECURE_PROTOCOLS to specify TLS 1.1 and TLS 1.2.

Take the value for TLS 1.1 (0x00000200) and the value for TLS 1.2 (0x00000800) then add them together in calculator (in programmer mode), the resulting registry value would be 0x00000A00.

I applied 0x00000A00 as the value for both subkeys and it successfully resolved the issue.

There is also an Easy Fix (link is here: https://aka.ms/easyfix51044) available from Microsoft, if you don't wish to manually enter registry subkeys and values.

Refuel answered 16/10, 2018 at 17:35 Comment(2)
On Windows 7, this Easy Fix works great even with MSXML2.ServerXMLHTTP.6.0 (no need to change to MSXML2.XMLHTTP.6.0). Have to reboot the machine after installing it.Doting
There's a separate question that's about how to set the registry setting. I recommended checking it out. It's a one-liner on the command-line and I can confirm that it works. superuser.com/questions/1080317/…Pastypat
D
5

In a Windows Server 2016 Classic ASP script, fetching an HTTPS URL from Windows Server 2012 R2, I recently had to remove SSL 2.0 from SecureProtocols in order to stop this secure channel error -2147012739.

' Use the latest client
Set httpClient = Server.CreateObject("WinHttp.WinHttpRequest.5.1")

' allow only TLS 1.2 or TLS 1.1
Const WHR_SecureProtocols = 9
httpClient.Option(WHR_SecureProtocols) = &h0800 + &h0200 
' Other values: TLS 1.0 &h0080, SSL 3.0 &h0020, SSL 2.0 &h0008 
' NB Including SSL 2.0 stops https to Windows Server 2012 R2 working

' Other options you may want to set, from https://learn.microsoft.com/en-us/windows/desktop/winhttp/winhttprequestoption 

' Ignore certificate errors
Const WHR_SslErrorIgnoreFlags = 4
httpClient.Option(WHR_SslErrorIgnoreFlags) = &h3300 

' Don't bother checking cert, or risking failure if we can't check
Const WHR_EnableCertificateRevocationCheck = 18
httpClient.Option(WHR_EnableCertificateRevocationCheck) = False
Daggett answered 5/9, 2018 at 20:54 Comment(1)
A more easier and powerful way to enable and disable cipher suites nowadays is to use IIS Crypto, which is regularly updated nartac.com/Products/IISCryptoSkiascope
P
4

It's all valid however the 'critical' missing bit for TLS1.2 support on Windows 7 with IIS7.5 and classic asp is setting this in the registry:-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000800

I hope that saves you a day of faffing, rebooting and head scratching! :)

This code snippet is useful for testing. https://www.howsmyssl.com/

<%
Set winhttp = Server.CreateObject("WinHTTP.WinHTTPRequest.5.1")
winhttp.open "GET", "https://howsmyssl.com/a/check", False
winhttp.Send
Response.Write winhttp.responseText 
%>
Polymerization answered 12/9, 2016 at 10:52 Comment(0)
U
2

Troubleshooting error codes:

  1. -2147012739 is a HRESULT.
  2. In hexadecimal that's 0x80072F7D.
  3. Look at the LOWORD: 0x2F7D.
  4. Convert that back to decimal: 12157.
  5. Lookup 12157 error codes.
  6. Find that it matches: ERROR_WINHTTP_SECURE_CHANNEL_ERROR

A bit of Google-fu finds http://msdn.microsoft.com/en-us/library/windows/desktop/aa383770(v=vs.85).aspx which states:

ERROR_WINHTTP_SECURE_CHANNEL_ERROR

12157

Indicates that an error occurred having to do with a secure channel (equivalent to error codes that begin with "SEC_E_" and "SEC_I_" listed in the "winerror.h" header file).

However, you already discovered this as the message you got was "Description: An error occurred in the secure channel support". So this leads us right back where we started.

The other observation I make is that your code is a non-asynchronous WinHTTP request (I know it has to be to function inside ASP), but, the concern is, due to the high frequency, your machine could be processing more than one WinHTTP request concurrently. I've seen some Windows deliberately throttle the total number of active concurrent WinHTTP request by blocking the late requests. For example, on a Windows 7 machine a process cannot make more than 2 concurrent requests to the same remote server. i.e. The 3rd, 4th... requests will be blocked until the first two complete.

One solution is to load balance incoming request over more than one application pool or over more servers.

Unvoiced answered 22/4, 2014 at 13:50 Comment(0)
B
2

We had a variation on this issues and it really cost us some time to figure it out.
Here is the situation: An older Linux server hosting an application written in PHP and provides data through webservice calls. The server is using HTTPS. Calls from various clients are made with code using the winHTTP 5.2 library. (Winhttp.dll)

Symptom: Our clients are now getting sporadic error messages when making repeated winHTTP calls using a ‘POST’ command. The messages are either ‘The buffers supplied to a function was to small.‘ or ‘An error occurred in the secure channel support ‘. After much searching we discovered that the client’s server was logging ‘Schannel Event ID 36887 alert code 20’ in the Event Viewer that corresponded with the visible error message.

Solution: We discovered that our old Linux server could not support TLS 1.2. (CentOS 5.11) We also learned that several of our clients had recently (summer 2016) applied an update to their Microsoft servers. (Server 2008, server 2012) The fix was to force their servers to use TLS 1.1 for the webservice calls. The part that is rather strange to me is that the settings in Internet Explorer for changing the TLS had no effect on the problem. However by changing a setting in Group Policies we were able to solve the problem. Our technical advisor on this matter pointed out that the change is really obscure, but that a third-party vendor has provided a quick solution. That tool is called IIS Crypto from Nartac. https://www.nartac.com/Products/IISCrypto/Download The tool lets you specifically select Protocols. We are now getting a new server to host our applications (CentOS 6) and then should be able to use the TLS 1.2 protocol!

Bedizen answered 5/10, 2016 at 21:33 Comment(0)
S
1

I encountered this error a few months ago myself. Most often, this issue is caused by an invalid SSL cert. Considering that at the time of the post you had just migrated to a new server, you probably just need to reinstall the SSL certificate.

I realize this question is old, but hopefully someone else can benefit from my answer.

Sansculotte answered 30/9, 2014 at 4:52 Comment(0)
F
0

Also to assist anyone that may encounter this issue, we had similar problems after an in-place upgrade from Windows Server 2012 to 2019. The problem was some custom code that used the MSXML6 DLL. After the upgrade we started getting 12029 errors on with MSxml2.XMLHTTP.6.0 object's Send() method.

After applying Windows servicing stack and other updates, the error changed to 12157. Some experimentation using IISCrypto led us to determine that the following cipher (which was enabled under Win 2012) had to be re-enabled after the in-place upgrade disabled it.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

The version of MSXML6.DLL after the upgrade/updates was 6.30.17763.2989

Farming answered 12/12, 2023 at 20:21 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.