'Could not create SSL/TLS secure channel error' when connecting to Discourse API from Windows Server

Hi everyone,

Recently updated to 2.4.0.beta4 (1576b07a10) and since the update one of our external applications is no longer able to authenticate with the Discourse API.

The application throws a simple error of

The request was aborted: Could not create SSL/TLS secure channel.

The application is using TLS 1.2. Is this no longer supported?

Any thoughts on recent changes which might save me several hours of debugging the other application?

Versions 1.2 and 1.3 of TLS are enabled, as you can test for yourself using SSL Server Test (Powered by Qualys SSL Labs).

3 Likes

Thanks @Falco - confirmed it’s still there:

Right, I’ll get debugging then. Something else must have changed on our Discourse which is causing our external applications to fall over, as it’s occurring on both our dev and prod environments.

I’ll see what I can work out :+1:t2:

1 Like

Turns out we had a very similar issue as described here:

Our external legacy application that connects to our Discourse API is running on an old Windows 2008 R2 server.

For whatever reason, the Windows server and the Discourse server were unable to agree on a cipher suite after the recent Discourse updates were installed earlier this week. Whether some ciphers were altered during the update, or whether this issue coincided with a Let’s Encrypt cert renewal at the same time, I don’t know :man_shrugging:

Anyway, rather than edit our Discourse, I was able to add a couple of cipher suites to the Windows server that they both agreed on, again with the help of the SSL Labs link that @Falco shared above :slight_smile:

2 Likes

Wow that is old! Just four months to EOL. Time to replace it I guess :sweat_smile:

3 Likes

Could this be related to your change, @gerhard?

I guess this was caused by the change of cipher suites during the upgrade to Debian. I would have expected that my addition of the elliptic curve certificate would have made this work on all older Windows systems, not just IE11. If I’m not mistaken, IE11 uses the Windows crypto library… :man_shrugging:

2 Likes
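The negotiation failure discussed in this thread, as an added example (not code from any poster or from Discourse): a TLS 1.2 server that enforces its own preference order picks the first suite the client offered that also matches a certificate type it holds, and aborts the handshake when there is none. The suite lists are constructed sample data using IANA names (Windows uses its own spellings for some of them), and `auth_alg`, `negotiate` and `enable_candidates` are hypothetical helper names.

```python
from typing import Iterable, List, Optional, Set

# Constructed sample data, not captured from the servers in this thread.
LEGACY_CLIENT = [                       # what an old client might offer
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
SERVER_PREF = [                         # server list after tightening, in preference order
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]
SERVER_CERTS = {"RSA", "ECDSA"}         # server holds both certificate types


def auth_alg(suite: str) -> str:
    """Certificate key type a TLS 1.2 suite name requires (RSA or ECDSA)."""
    # "TLS_ECDHE_ECDSA_WITH_..." -> "ECDSA"; "TLS_RSA_WITH_..." -> "RSA"
    return suite.split("_WITH_")[0].split("_")[-1]


def negotiate(client: Iterable[str], server: List[str],
              certs: Set[str]) -> Optional[str]:
    """Suite the server would select, or None (handshake_failure alert)."""
    offered = set(client)
    for suite in server:
        if suite in offered and auth_alg(suite) in certs:
            return suite
    return None


def enable_candidates(client: Iterable[str], server: List[str],
                      certs: Set[str]) -> List[str]:
    """Server-accepted suites the client lacks, in server preference order."""
    offered = set(client)
    return [s for s in server if s not in offered and auth_alg(s) in certs]


if __name__ == "__main__":
    print("selected:", negotiate(LEGACY_CLIENT, SERVER_PREF, SERVER_CERTS))
    print("enable one of:", enable_candidates(LEGACY_CLIENT, SERVER_PREF, SERVER_CERTS))
```

A candidate only helps if the client's TLS stack actually implements it; an ECDSA suite is usable only while the server keeps an elliptic curve certificate.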
