Gerard van der Maaden Everything You Always Wanted to Know About Integration, BizTalk, .Net and more (But Were Afraid to Ask)

Recently I was working on a BizTalk project that included a secured (SSL) SOAP connection using a WCF-Custom send port that was pointing to the partner’s endpoint. Our send port raised an interesting exception when sending a test message to our partner:

A message sent to adapter "WCF-Custom" on send port "<SEND PORT NAME>" with URI "<PARTNER’S URL>" is suspended.
Error details: System.ServiceModel.CommunicationException: An error occurred while making the HTTP request to <PARTNER’S URL>. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Received an unexpected EOF or 0 bytes from the transport stream.

After several hours of analysis (with the aid of some network sniffing tools) we found out that our partner was not accepting TLS 1.0 as the security protocol. Great, now what?

It seems that BizTalk (and, I suppose, every other .NET based solution) executes the SSL handshake as a sequence of steps:

  1. The BizTalk send port connects to the remote endpoint using the security protocol TLS 1.0.
  2. If the endpoint denies the TLS 1.0 request, BizTalk will try to use the security protocol SSL3.
  3. If the endpoint accepts this, the security protocol is agreed and the connection is established.

On some occasions, when the remote system does not support TLS 1.0, the remote system immediately terminates the connection after the first step. BizTalk then raises the error mentioned above, because it expects a proper answer from the remote system (one that states that the SSL version is not supported) and never gets to step 2.

The details in the error make sense though (especially the “Received an unexpected EOF or 0 bytes from the transport stream” part): BizTalk expects an incoming stream containing the response to its SSL request, but doesn’t receive one because the remote system immediately terminates the connection after the first TLS 1.0 request.

The solution is simple: you need to override the default SSL handshake of your WCF-Custom send port by creating your own WCF custom behavior that implements the IEndpointBehavior interface.

There is actually only one line of code needed in the ApplyClientBehavior method of your custom ServiceBehavior class (which should implement the IEndpointBehavior interface) where you set the System.Net.ServicePointManager.SecurityProtocol to System.Net.SecurityProtocolType.Ssl3:
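The behavior the post describes, as an added example (the post's own code was only shown as an image, so this is a reconstruction, not the author's code): a client endpoint behavior that sets ServicePointManager.SecurityProtocol, plus the BehaviorExtensionElement a WCF-Custom send port needs in order to pick the behavior up. The class names and the `protocol` configuration attribute are my own assumptions; the attribute lets the same behavior be pointed at SSL3 as in the post or at a newer TLS version as in the comments below.

```csharp
using System;
using System.Configuration;
using System.Net;
using System.ServiceModel.Channels;
using System.ServiceModel.Configuration;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

public class SecurityProtocolEndpointBehavior : IEndpointBehavior
{
    private readonly SecurityProtocolType _protocol;

    public SecurityProtocolEndpointBehavior(SecurityProtocolType protocol)
    {
        _protocol = protocol;
    }

    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
    {
        // The one line the post describes. Caveat: ServicePointManager is process-wide,
        // so this changes the protocol for every outbound HTTPS call made by the
        // BizTalk host instance process, not only for this send port.
        ServicePointManager.SecurityProtocol = _protocol;
    }

    // Required by the interface; nothing to do on the dispatch (receive) side.
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher) { }
    public void Validate(ServiceEndpoint endpoint) { }
}

// Registered under system.serviceModel/extensions/behaviorExtensions in machine.config
// (see the MSDN link in the post) so the behavior appears in the send port's Behavior tab.
public class SecurityProtocolBehaviorExtension : BehaviorExtensionElement
{
    // SecurityProtocolType is a [Flags] enum, so versions can be combined ("Ssl3, Tls").
    // The post uses Ssl3; on .NET 4.5 and later Tls12 is available as well.
    [ConfigurationProperty("protocol", DefaultValue = SecurityProtocolType.Ssl3)]
    public SecurityProtocolType Protocol
    {
        get { return (SecurityProtocolType)this["protocol"]; }
        set { this["protocol"] = value; }
    }

    public override Type BehaviorType { get { return typeof(SecurityProtocolEndpointBehavior); } }
    protected override object CreateBehavior() { return new SecurityProtocolEndpointBehavior(Protocol); }
}
```

Because the setting is static, put the behavior on every HTTPS send port in the host, or run ports that need different protocol versions in separate host instances.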


And that does the trick: BizTalk will now initiate the SSL connection using SSL3 and avoid using TLS 1.0.

More information about developing your own WCF behavior: http://msdn.microsoft.com/en-us/library/dd203050(BTS.10).aspx (scroll down to the Enabling Custom Behaviors and Configuring a Custom Behavior chapters, which include a good explanation of a custom behavior that implements IEndpointBehavior).

Posted on Monday, October 4, 2010 2:49 PM


Comments on this post: TLS 1.0 and SSL3 woes in your BizTalk WCF send port

# re: TLS 1.0 and SSL3 woes in your BizTalk WCF send port
Great article!! Thanks a lot.
Left by David on Oct 04, 2010 5:18 PM

# re: TLS 1.0 and SSL3 woes in your BizTalk WCF send port
Very very useful for the mankind :)
Thanks a lot.
Left by Srinivas Rao on Feb 24, 2011 1:02 PM

# re: TLS 1.0 and SSL3 woes in your BizTalk WCF send port
Now, when SSL3 needs to be disabled, how do we resolve this issue?
Left by netDev on Nov 18, 2014 9:22 PM

# re: TLS 1.0 and SSL3 woes in your BizTalk WCF send port
You saved me the whole week. Thank you!
Left by adoms on Nov 21, 2014 1:59 PM

# re: TLS 1.0 and SSL3 woes in your BizTalk WCF send port
This is applicable on Static Send Ports.

How can I use behavior in case of dynamic send port?

Is there a way??
Left by Vikash on May 03, 2015 4:36 PM

# re: TLS 1.0 and SSL3 woes in your BizTalk WCF send port
Hi Vikash, that is a good question. I would assume that you would need to configure this behavior somewhere in the WCF adapter context properties. Please see this link: https://msdn.microsoft.com/en-us/library/bb727706.aspx

Regards, Gerard
Left by Gerard on May 04, 2015 2:53 PM

# re: TLS 1.0 and SSL3 woes in your BizTalk WCF send port
This is an awesome post. It saved me a lot of agony since Google pointed me straight to your post. I wonder how you even came up with this information about the handshake etc.; I wish I could deduce issues like you did. Thanks again, especially for the links, they are super helpful.
Left by Praveen Behara on Aug 07, 2015 7:38 PM

# re: TLS 1.0 and SSL3 woes in your BizTalk WCF send port
Hi Gerard, one more thing. I don't know what my destination was, but setting it to SSLv3 didn't work for me. What I did was SSLv3 | TLS | TLS1.1 | TLS1.2 and that worked. I guess it is mostly TLS1.2 that did the trick, because I had to set that in the SOAP UI configuration before it could successfully make a call.
Left by Praveen Behara on Aug 07, 2015 7:42 PM

# re: TLS 1.0 and SSL3 woes in your BizTalk WCF send port
Thank you very much Praveen, glad I could help!
Regards, Gerard
Left by Gerard on Dec 02, 2016 2:55 PM

# re: TLS 1.0 and SSL3 woes in your BizTalk WCF send port
Hi Gerard,

I have the same kind of issue with my BizTalk 2013 R2 environment.

We use a Salesforce app to create orders with my web server. We recently updated our TLS 1.0 to TLS 1.2 because Salesforce is disabling the 1.0 service.

Since we updated the TLS version, our Salesforce app in BizTalk is unable to communicate with the web server, because it is using TLS 1.1 instead of 1.2.

The Salesforce application in BizTalk uses the SOAP adapter.

How do I resolve this issue? Please help me out.

Thanks in advance,
Ravi
Left by rAvi on Aug 24, 2017 11:22 AM

# re: TLS 1.0 and SSL3 woes in your BizTalk WCF send port
Hi Ravi, I guess you would need to switch from the SOAP adapter to WCF (basicHttp binding). Then you would be able to develop a WCF behavior, as described above. I would avoid the SOAP adapter since it is marked as legacy.
Also please check out Coen Dijkgraaf's post regarding this topic: https://cdijkgraaf.wordpress.com/2016/08/16/salesforce-disabling-tls-1-0-how-to-get-it-working-for-api-calls-via-biztalk/
Left by Gerard on Aug 28, 2017 12:40 PM
