Authentication failed because the remote party has closed the transport stream

After hardening our web servers and only allowing secure ciphers, one of the .NET applications we built no longer connected to the Apache web server.

We updated the Apache config so only the secure ciphers were allowed:

# Disallow SSLv2, SSLv3, and TLSv1
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder on
# Disallow RC4, 3DES, MD5, EXP, PSK, SRP, and DSS
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

When we tried to connect our client, a .NET 4.0 application, we received this error message:

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
   at System.Net.Security.SslState.StartRead...

After some troubleshooting, we found we needed to update from .NET 4.0 to .NET 4.5 in order to access the following security protocol types:

  • SecurityProtocolType.Tls11
  • SecurityProtocolType.Tls12

Once we upgraded the project, we could update our line of code to allow the client to connect using the newer versions of TLS:

// Old Way
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Ssl3;

// New Way
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11;
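
To confirm which protocol versions the hardened server accepts from a .NET client, the following added example (not code from the original post) offers one version per handshake with SslStream and compares the outcome with what the SSLProtocol line above implies. The class name TlsProbe, the command-line arguments and the expected accept/refuse table are assumptions made for this example; a refusal can also come from a certificate problem or from a protocol that is disabled on the client machine, so read the printed reason.

```csharp
// Added example, not from the original post. Needs .NET Framework 4.5 or later.
using System;
using System.ComponentModel;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

static class TlsProbe
{
    // Attempts a handshake offering exactly one protocol version.
    // Returns null when the server accepts it, otherwise the failure reason.
    static string TryHandshake(string host, int port, SslProtocols protocol)
    {
        try
        {
            using (var tcp = new TcpClient(host, port))
            using (var ssl = new SslStream(tcp.GetStream(), false))
            {
                // No client certificate; default certificate validation stays on.
                ssl.AuthenticateAsClient(host, null, protocol, false);
                return null;
            }
        }
        catch (IOException ex) { return ex.Message; }              // peer closed the stream
        catch (AuthenticationException ex) { return ex.Message; }  // handshake or certificate failure
        catch (SocketException ex) { return ex.Message; }          // TCP connect failed
        catch (Win32Exception ex) { return ex.Message; }           // protocol disabled on this client
    }

    static int Main(string[] args)
    {
        if (args.Length < 1) { Console.Error.WriteLine("usage: TlsProbe <host> [port]"); return 2; }
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;
        // Expectation derived from the SSLProtocol line in the post:
        // SSLv3 and TLSv1 refused, TLSv1.1 and TLSv1.2 accepted.
        var probes = new[] { SslProtocols.Ssl3, SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 };
        var shouldAccept = new[] { false, false, true, true };
        int mismatches = 0;
        for (int i = 0; i < probes.Length; i++)
        {
            string error = TryHandshake(args[0], port, probes[i]);
            bool accepted = error == null;
            if (accepted != shouldAccept[i]) mismatches++;
            Console.WriteLine("{0,-6} {1,-8} {2}", probes[i], accepted ? "accepted" : "refused", error);
        }
        return mismatches == 0 ? 0 : 1;
    }
}
```

The process exits with 0 when every probe matches the expectation and 1 otherwise, so it can run as a post-deployment check against your own server.
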

About Joseph Spurrier

I'm passionate about building solutions to automate tasks and improve efficiency. I worked for a few companies in the digital healthcare space. My education is in forensics. Tech guy. Traveler. Runner. Guitar player. Scotch and beer enthusiast.
