
As described in this question I am able to connect with Swish using their test account and test certificate.

C# HttpClient with X509Certificate2 - WebException: The request was aborted: Could not create SSL/TLS secure channel

However when using my own generated certificate I still get the generic error Could not create SSL/TLS secure channel using C# HttpClient.

I have been following these guides for Swish certificate administration:

https://www.getswish.se/content/uploads/2015/11/Guide-Certifikatsadministration_20151210.pdf

https://www.getswish.se/content/uploads/2015/06/Guide-Swish-API-170324-utan-%C3%A4ndringsmarkering.pdf

Since we are using IIS I created the certificate signing request using this: IIS -> Server Certificates -> Create Certificate Request…. I chose Microsoft RSA Schannel Cryptographic Provider with a bit length of 2048 since the documentation says it should be PKCS#10 with a 2048-bit RSA key. My theory is that I'm doing something wrong here. Since we are developing this now and the application is not running on a domain name yet I set Common Name to localhost. Could this be the problem and if so what value should I put there for it to work from our environments? The test certificate works without a problem as I mentioned before.

After this I pasted the value from the file created at the service https://getswishcert.bankgirot.se/ and got a PKCS#7-file back (.p7b, also tried with .pem).

I then went to IIS -> Server Certificates -> Complete Certificate Request… to import the file.

When imported the Certification Path and everything else looks good as far as I can tell.

I also tried exporting the certificate to .pfx via MMC -> Select certificate -> right click -> All Tasks -> Export. I chose to export it with the private key and password protected. Then I imported it under Certificates - Current User. I can then choose the certificate in Chrome but I get the error `ERR_SSL_PROTOCOL_ERROR`. The test certificate works in Chrome as well.

  • What .NET version? TLS1.2 was added in 4.5+. Most likely the bank rejects anything less. This isn't such a problem, unless you target an unsupported .NET version. The earliest supported .NET version is 4.5.2. If you have 4.0 you'll have to upgrade – Panagiotis Kanavos May 24 '17 at 09:24
  • @PanagiotisKanavos .Net 4.5.2 and forcing TLS1.2 using `ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;`. The code works with their test certificate but not with my certificate. – Ogglas May 24 '17 at 09:26
  • PS this is not a recent development either. Banks, airlines, payment providers notified everyone they'll switch to TLS1.2 two years ago, with deadlines starting 1 year ago. – Panagiotis Kanavos May 24 '17 at 09:26
  • why should it? Imagine I created my own self-signed certificate saying I'm the "Rotschild Bank of the Moon's Far side". Signed by me. If the bank performs certificate verification, your certificate will fail – Panagiotis Kanavos May 24 '17 at 09:27
  • @PanagiotisKanavos Yes I have read that. Actually many still support 1.1 as well but that is another question. – Ogglas May 24 '17 at 09:28
  • @PanagiotisKanavos According to their documentation I should send a CSR to them and then use that certificate. Or am I misunderstanding? https://www.getswish.se/content/uploads/2015/11/Guide-Certifikatsadministration_20151210.pdf – Ogglas May 24 '17 at 09:28

1 Answer


Turned out the certificate was OK. The problem was that the application was trying to connect to https://mss.swicpc.bankgirot.se/ (test environment) with the live certificate instead of https://swicpc.bankgirot.se/ (live).

Found with logging from here.

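The root cause in the answer was a mismatch between the environment URL and the certificate, not the certificate itself. The following is an added example (not code from the question, the answer, or Swish) showing the HttpClient setup the question describes, with the test and live hosts from the answer bound to their own client certificate so that one cannot be sent to the other host by changing a single URL. The thumbprint values, the `SwishEndpoint`/`SwishClientFactory` names and the request path are assumptions; the hosts are the two from the answer, and the certificate is looked up in Certificates - Current User > Personal, where the question imported the exported .pfx.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

public enum SwishEnvironment { Test, Live }

// One record per environment: the host plus the thumbprint of the certificate issued for it.
// Hosts are the two named in the answer; the thumbprints are placeholders (assumption) to be
// replaced with the value shown under MMC -> certificate -> Details -> Thumbprint.
public sealed class SwishEndpoint
{
    public SwishEnvironment Environment { get; private set; }
    public Uri BaseAddress { get; private set; }
    public string CertificateThumbprint { get; private set; }

    public static SwishEndpoint For(SwishEnvironment environment)
    {
        switch (environment)
        {
            case SwishEnvironment.Test:
                return new SwishEndpoint
                {
                    Environment = environment,
                    BaseAddress = new Uri("https://mss.swicpc.bankgirot.se/"),
                    CertificateThumbprint = "TEST_CERT_THUMBPRINT_PLACEHOLDER"
                };
            case SwishEnvironment.Live:
                return new SwishEndpoint
                {
                    Environment = environment,
                    BaseAddress = new Uri("https://swicpc.bankgirot.se/"),
                    CertificateThumbprint = "LIVE_CERT_THUMBPRINT_PLACEHOLDER"
                };
            default:
                throw new ArgumentOutOfRangeException("environment");
        }
    }
}

public static class SwishClientFactory
{
    // Looks the certificate up in CurrentUser\My by thumbprint (spaces from the MMC
    // display are stripped) and fails early on the two defects that otherwise surface
    // only as "Could not create SSL/TLS secure channel": no private key, or expired.
    public static X509Certificate2 LoadClientCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint.Replace(" ", ""), false);
            if (matches.Count == 0)
                throw new InvalidOperationException("No certificate with thumbprint " + thumbprint + " in CurrentUser\\My.");

            X509Certificate2 certificate = matches[0];
            // Without the private key Schannel cannot answer the CertificateVerify step of
            // the handshake; this happens when the .pfx was exported without the private key.
            if (!certificate.HasPrivateKey)
                throw new InvalidOperationException("Certificate " + thumbprint + " has no private key; re-export the .pfx with the private key.");
            if (DateTime.Now > certificate.NotAfter)
                throw new InvalidOperationException("Certificate " + thumbprint + " expired on " + certificate.NotAfter + ".");
            return certificate;
        }
        finally
        {
            store.Close();  // X509Store is not IDisposable on .NET Framework 4.5.x
        }
    }

    public static HttpClient Create(SwishEnvironment environment)
    {
        SwishEndpoint endpoint = SwishEndpoint.For(environment);

        // Swish requires TLS 1.2, which .NET 4.5.x does not offer unless told to (see comments).
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        // WebRequestHandler (System.Net.Http.WebRequest.dll) exposes ClientCertificates on
        // .NET Framework 4.5; on .NET Core and 4.7.1+ HttpClientHandler has the same property.
        var handler = new WebRequestHandler();
        handler.ClientCertificateOptions = ClientCertificateOption.Manual;
        handler.ClientCertificates.Add(LoadClientCertificate(endpoint.CertificateThumbprint));

        return new HttpClient(handler) { BaseAddress = endpoint.BaseAddress };
    }
}

public static class Program
{
    // The environment selects host and certificate together; "/" stands in for whichever
    // request path the Swish API guide specifies (assumption, not taken from the page).
    public static void Main()
    {
        using (HttpClient client = SwishClientFactory.Create(SwishEnvironment.Test))
        {
            HttpResponseMessage response = client.GetAsync("/").GetAwaiter().GetResult();
            Console.WriteLine(response.StatusCode);
        }
    }
}
```

Keeping the host and the thumbprint in one record (or one configuration section per environment) is the practical fix for the mistake in the answer: the only way to reach the live host is with the certificate issued for it. If the handshake still fails, the three checks in `LoadClientCertificate` separate the local causes (wrong store, missing private key, expired certificate) from a rejection by the server side.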