The request was aborted: Could not create SSL/TLS secure channel.
The error “The request was aborted: Could not create SSL/TLS secure channel.” can happen during any download HTTP request. It is generally caused by firewalls, proxies, or DNS filtering blocking the connection, or by an SSL/TLS cipher misconfiguration.
Topics covered in this article:
- Determine if You are Affected
- Possible Cause 1: Firewall, DNS, or Proxy Blocking Network Connections
- Possible Cause 2: Are You Using A Proxy and is It Configured Correctly?
- Possible Cause 3: Is SSL Being Limited to Specific Cryptography Protocols and Cipher Suites?
- Possible Cause 4: Windows Server 2012 Doesn’t Support New TLS Cipher Suites
- Known Issues
Possible Cause 1: Firewall, DNS, or Proxy Blocking Network Connections
The most common cause of this error is network firewalls or security appliances blocking network connections.
If using our Publisher, the PatchMyPC.log will show the specific download URL returning the SSL/TLS error. On the machine running with the error, copy the download URL from the log and perform the following steps:
- Copy the download URL from the log file.
- Paste and Go the URL into Internet Explorer on the machine with the error. Check if Internet Explorer returns any errors or warnings from a firewall or security appliance.
If blocked, you will need to work with your networking team to validate that the proper domains are whitelisted. You can find the full list of domains used for Patch My PC’s catalog, including vendor domains for content download, at List of Domains for Whitelisting when Using Patch My PC’s Catalog.
Possible Cause 2: Are You Using A Proxy and is It Configured Correctly?
If a proxy is required for internet access within your environment, you will need to configure it from the Advanced tab and apply the new settings.
If a proxy is configured, restart the Publisher for the changes to take effect.
You will also need to confirm whether proxy authentication is required. If so, the Use Authentication option must be checked and a login configured.
Possible Cause 3: Is SSL Being Limited to Specific Cryptography Protocols and Cipher Suites?
We have also seen issues with customers who only allow specific SSL protocols and ciphers. In this scenario, we have observed the following errors when browsing to the file download URL in Internet Explorer.
On Server 2019 or newer:
On Server 2016 or older:
If you receive the error below in the PatchMyPC.log, and your error is similar to the Internet Explorer images above, it may be related to only allowing specific SSL ciphers.
WebClient report an error during download: The request was aborted: Could not create SSL/TLS secure channel.
On the server, check if the following registry value exists: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002:Functions
If this value exists, only the SSL/TLS ciphers in the Functions REG_MULTI_SZ value will work. If a domain is using a cipher other than the ones listed, you will receive the error The request was aborted: Could not create SSL/TLS secure channel.
Limiting the SSL/TLS Ciphers is sometimes enabled as a hardening method for security. Limiting the Ciphers is not enabled by default.
To fix the download in this scenario, you need to either add the ciphers used by all downloads having issues to the Functions REG_MULTI_SZ list, or remove the Functions value so that the SSL/TLS ciphers are no longer limited.
There is a third-party tool available from Qualys SSL Labs where you can paste the download URLs having the issue, and the tool will show you the SSL/TLS ciphers being used on the domain.
For example, when we used the URL https://1.na.dl.wireshark.org/win32/Wireshark-win32-3.2.2.exe, we were able to see the specific SSL/TLS ciphers being used for that domain.
These ciphers would need to be added to the Functions registry value to resolve the issue if applicable.
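The check described above can be scripted. The following PowerShell is an added example, not part of the Publisher or of the original article: it reads the Functions value and compares it with the suites SSL Labs reports for the failing domain. The suite names in `$requiredByServer` are constructed placeholders, and the function name `Get-AllowedCipherSuite` is hypothetical.

```powershell
# Added example: compare the cipher-suite restriction on this server with
# the suites a download domain accepts.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Constructed sample list: replace with the suites SSL Labs shows for the
# domain whose download is failing.
$requiredByServer = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)

function Get-AllowedCipherSuite {
    param([string]$Path)
    $prop = Get-ItemProperty -Path $Path -Name 'Functions' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }   # value absent: suites are not limited
    # Accept a multi-string value or a single comma-separated string.
    return @($prop.Functions) -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }
}

# Older Windows versions append the curve to ECDHE suite names (for example
# a trailing _P256), so strip that suffix before comparing.
function Get-NormalizedSuiteName {
    param([string]$Name)
    return ($Name -replace '_P(256|384|521)$', '')
}

$allowed = Get-AllowedCipherSuite -Path $key
if ($null -eq $allowed) {
    'Functions value not present: cipher suites are not limited by this policy.'
} else {
    $allowedNames = $allowed | ForEach-Object { Get-NormalizedSuiteName $_ }
    $shared = $requiredByServer | Where-Object { $allowedNames -contains $_ }
    if ($shared) {
        "Suite(s) in common with the server: $($shared -join ', ')"
    } else {
        'No suite in common with the server. Candidates to add to Functions:'
        $requiredByServer
    }
}
```

A suite in common is necessary for the connection but does not rule out the other causes in this article, so retest the download URL after any change.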
Possible Cause 4: Windows Server 2012 Doesn’t Support New TLS Cipher Suites
We have seen some vendors disable support for older SSL/TLS cipher suites and only support newer suites. We have found Windows Server 2012 or older may not support the newer cipher suites required.
Please see our List of Known Issues and Considerations article for products we are tracking download issues for, along with workarounds. We are aware of the following products that may fail to download on older server operating systems:
- Snagit and Camtasia
For products that are currently known to fail to download, refer to our Known Issues and Considerations when Using Patch My PC.