The request was aborted: Could not create SSL/TLS secure channel. #1756

Closed
hgleaves-ncuadmin opened this issue Feb 8, 2018 · 10 comments

hgleaves-ncuadmin commented Feb 8, 2018

I'm running a simple .Net console app that I'm using to evaluate some logic that uses Octokit.Net.

It has been fine since I first wrote it a week ago, until a few hours ago when I began to get AggregateExceptions thrown during the call to

var repo = client.Repository.Get("myorg", "myrepo").Result;

The exception has an inner exception message:

An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.

What can account for this just starting to happen (consistently) all of a sudden?

In addition I use SmartGit, and that too is failing to work because it is also seeing AggregateException (for example if I do a pull). I can log in to GitHub fine, but using API/tools to interact with it is suddenly failing (yes, I rebooted!).

Thx

@hgleaves-ncuadmin hgleaves-ncuadmin changed the title System.AggrgateException System.AggregateException Feb 8, 2018
Contributor

ryangribble commented Feb 8, 2018

Uh oh... I presume it is probably related to this

https://developer.github.com/changes/2018-02-01-weak-crypto-removal-notice/

According to that the SSL deprecation was in place for one hour just now, and will be permanently disabled on the 22nd

Assuming you are just using the standard octokit client (with its built-in http provider) it looks like we may need to do something here ASAP

Can you please confirm

  • you are using the standard octokit client (built in http client)?
  • what octokit.net package version you are on
  • what target framework and platform your app is (eg which framework or core version, is it console app, winforms, Web API, asp.net etc)
  • is it working again now that the 1 hour test has ended?

I'm going to edit the title of this issue too btw

Thanks

@ryangribble ryangribble changed the title System.AggregateException The request was aborted: Could not create SSL/TLS secure channel. Feb 8, 2018

Korporal commented Feb 9, 2018

@ryangribble - Hi.

It did spontaneously resume around an hour or so later. I was going to mention this here, but now that I see your remark I wanted to add more detail for you.

SmartGit was impacted (but oddly a coworker had no issue; perhaps his SmartGit is set up differently).

The experiment app I was working on has this NuGet package definition:

<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Octokit" version="0.28.0" targetFramework="net45" />
</packages>

It is a .Net console app created in Visual Studio 2017.

The first three lines of code that do anything with Git are:

var client = new GitHubClient(new ProductHeaderValue("myappname"));
client.Credentials = new Credentials("myuserid", ConfigurationManager.AppSettings["Password"]);
var repo = client.Repository.Get("myorg", "myrepo").Result;

It was that last line above that was executing when the exception was thrown.

The console app's target framework is .Net 4.5

Do you guys think that Octokit users may have problems once we hit the 22nd Feb?

(PS I'm the same user I just have two accounts a normal one and an admin one we use for managing our company repos).

Author

hgleaves-ncuadmin commented Feb 9, 2018

@ryangribble - I'm unfamiliar with the TLS stuff; did Octokit fail for me yesterday because it has to be changed, the code must change? Or is it a firewall change? An SSL certificate change?

ptoomey3 commented Feb 9, 2018

I'm not familiar with the details of this project. But, given it is Windows oriented, might it make use of the git credential manager for windows (whether directly or indirectly)? If so, that could be the source of the issue. As noted in the blog post, one must run version 1.14.0 (or greater) to be compatible with TLS 1.2.

Korporal commented Feb 9, 2018

@ptoomey3 @ryangribble - Hi,

I've never even heard of this Git credentials manager! So far as I'm aware I do not have this installed.

Maybe this is something used by MS tools (e.g. Visual Studio) that need to manage access to Git?

ptoomey3 commented Feb 9, 2018

> Maybe this is something used by MS tools (e.g. Visual Studio) that need to manage access to Git?

Yes, it is used by a fair number of Windows tools to manage credentials to git. So, I wouldn't be surprised if it was in use. But, I'll wait for @ryangribble to weigh in with a more informed assessment of the internals of Octokit.net.

Contributor

haacked commented Feb 9, 2018

The Git Credential Manager does not come into play here. Octokit.net is a library for making https calls to the GitHub API.

The fact that those calls failed during the 1 hour window where GitHub shut down support for TLS 1 and 1.1 tells me this is an issue with making the https calls.

@Korporal @hgleaves-ncuadmin I suspect you are running on .NET 4.5. There are a few solutions.

  • Upgrade to .Net 4.6+. It supports TLS 1.2 by default.
  • There's a registry hack to make your machine use TLS 1.2 by default, but search for it and use it at your own risk. 💀

@ryangribble we can make Octokit set TLS 1.2 by default by running the following code very early.

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

Hope that helps!

Korporal commented Feb 9, 2018

@haacked - Hi,

Is it the case that an app which simply performs this during its startup:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

will thereafter automatically use TLS 1.2 whenever it makes outbound SSL connection requests?

Thx

@ryangribble
Contributor

That's correct @Korporal, as @haacked says, octokit uses the built in http client in .NET Framework, and any apps on earlier than framework 4.6 don't have TLS1.2 available by default (but it can be enabled with that snippet above).

Even though it only affects apps targeting earlier frameworks, since we do support those frameworks and GitHub API connections won't work without this after the 22nd, we'll incorporate this into octokit and push a release soon.

Affected clients can also include the fix themselves if they can't update for whatever reason.
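
A startup variant of the snippet discussed above, as an added example that is not part of the original thread and not Octokit.net's own code: instead of overwriting the process-wide setting with TLS 1.2 alone, it adds TLS 1.2 to whatever the runtime already allows and removes SSL 3.0, TLS 1.0 and TLS 1.1. `TlsStartup` and `WithTls12` are hypothetical names, and the sample protocol sets in `Main` are constructed.

```csharp
using System;
using System.Net;

static class TlsStartup
{
    // 0 is SecurityProtocolType.SystemDefault (only named in .NET Framework 4.7+):
    // the OS picks the protocols, so there is nothing to patch.
    const SecurityProtocolType OsDefault = (SecurityProtocolType)0;

    // Protocols to remove. The thread names TLS 1.0/1.1; SSL 3.0 is older still.
    const SecurityProtocolType Legacy =
        SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11;

    // Hypothetical helper: add TLS 1.2, keep anything newer, drop the legacy set.
    public static SecurityProtocolType WithTls12(SecurityProtocolType current)
    {
        if (current == OsDefault) return current;
        return (current | SecurityProtocolType.Tls12) & ~Legacy;
    }

    static void Main()
    {
        // Constructed sample inputs, not values read from a real machine.
        var samples = new[]
        {
            SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls,
            SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12,
            OsDefault
        };
        foreach (var s in samples)
            Console.WriteLine("{0} -> {1}", s, WithTls12(s));

        // Apply once at startup, before the first GitHubClient call.
        ServicePointManager.SecurityProtocol =
            WithTls12(ServicePointManager.SecurityProtocol);
        Console.WriteLine("Effective: {0}", ServicePointManager.SecurityProtocol);
    }
}
```

`ServicePointManager.SecurityProtocol` is a static, process-wide setting, so the assignment also changes the protocols used by every other library in the same app that makes outbound HTTPS calls through it.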

Korporal commented Feb 9, 2018

Many thanks @ryangribble this is much appreciated!
