Authentication failed because the remote party has closed the transport stream

· Windows

After hardening our web servers and only allowing secure ciphers, one of the .NET applications we built no longer connected to the Apache web server.

We updated the Apache config so only the secure ciphers were allowed:

# Disallow SSLv2, SSLv3, and TLSv1
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder on
# Disallow RC4, 3DES, MD5, EXP, PSK, SRP, and DSS
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

When we tried to connect our client which was a .NET 4.0 application, we received this error message:

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
   at System.Net.Security.SslState.StartRead...

After some troubleshooting, we found we needed to update from .NET 4.0 to .NET 4.5 in order to access the following security protocol types:

  • SecurityProtocolType.Tls11
  • SecurityProtocolType.Tls12

Once we upgraded the project, we could updated our line of code to allow the client to connect to the newer versions of TLS:

// Old Way
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Ssl3

// New Way
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11;
author image

About Joseph Spurrier

I'm passionate about building solutions to automate tasks and improve efficiency. Tech guy. Traveler. Runner. Guitar player. Scotch and beer enthusiast. Keybase GitHub Gists LinkedIn Twitter

Share this post


Comments powered by Disqus