I've been having issues with a tool I use to upload images to a website behind CloudFlare. This tool works fine at first, and continues functioning unless there is a > 1 hour pause between requests. After this pause, an exception occurs on the next connection attempt.
```
A first chance exception of type 'System.Net.WebException' occurred in System.dll
System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.GetResponse()
```
I attempted to use a debugger to poke into this deeper, but there was no InnerException and it seems the actual issue originated from SChannel before any connection was established. This is readily replicable using the following small program:
```csharp
using System;
using System.IO;
using System.Net;
using System.Threading;

class Program
{
    static void Main(string[] args)
    {
        Console.WriteLine("Initial connection attempt, this should succeed:");
        RunCFRequest();

        Console.WriteLine("Wait 70 minutes for next connection attempt...");
        Thread.Sleep(70 * 60 * 1000);

        Console.WriteLine("Second connection attempt, this one should reproduce the failure:");
        try
        {
            RunCFRequest();
        }
        catch (Exception exc)
        {
            Console.WriteLine(exc.ToString());
        }

        Console.WriteLine("Performing another connection attempt after failure to verify we continue working:");
        RunCFRequest();

        Console.WriteLine("Demo complete. Press any key to exit.");
        Console.ReadKey();
    }

    // Performs one HTTPS GET and reads the whole response body.
    private static void RunCFRequest()
    {
        Console.WriteLine("Attempting connection at " + DateTime.Now);
        var request = (HttpWebRequest) WebRequest.Create("https://up1.ca");
        using (var response = request.GetResponse())
        {
            using (var responseStream = response.GetResponseStream())
            {
                using (var streamReader = new StreamReader(responseStream))
                {
                    string recvd = streamReader.ReadToEnd();
                    Console.WriteLine("Successfully read stream, got " + recvd.Length + " bytes of data");
                }
            }
        }
    }
}
```
Is there something wrong with this simple code? I attempted to do packet capture in order to resolve why this is occurring.
Capture is available at https://up1.ca/#4MMkdD_u8v5pLAsSvrCtHw in pcapng format.
The capture contains 3 TCP streams; they can be accessed using the following Wireshark filters:
- tcp.stream eq 0 = initial connection, succeeds
- tcp.stream eq 1 = second connection after 70 minutes, this fails with the above exception
- tcp.stream eq 2 = another attempt after handling and ignoring that exception, this succeeds
Based on the capture my best guess is that it has something to do with how CloudFlare does SSL session resumption. Are there any known problems with HttpWebRequest or Microsoft SChannel itself and SSL resumption or is this issue specific to CloudFlare? I've successfully replicated this problem on multiple sites behind CloudFlare, but I have not experienced it when using my own server directly. I don't have SSL resumption though.
Any help or even wild theories are appreciated. I'm not sure where to go from here, I'd appreciate it if someone could have a look at the capture, I'll report this to CF if needed.
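
Added example, not part of the original post: one way to check whether a given ClientHello in a capture like this actually offers session resumption is to read its session ID length and its SessionTicket extension (type 35, RFC 5077). The function names and the sample records below are constructed for illustration, and the input is assumed to be the raw bytes of a single TLS record exported from the capture.

```python
import struct

SESSION_TICKET_EXT = 35  # SessionTicket extension type (RFC 5077)

def resumption_offer(record: bytes) -> dict:
    """Report what one TLS ClientHello record offers for session resumption."""
    ctype, _ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22 or len(record) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 1:
        raise ValueError("handshake message is not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                           # skip client_version and random
    sid_len = hello[pos]
    pos += 1 + sid_len                     # session_id
    (cs_len,) = struct.unpack_from("!H", hello, pos)
    pos += 2 + cs_len                      # cipher_suites
    pos += 1 + hello[pos]                  # compression_methods
    ticket_len = None                      # None means the extension is absent
    if pos + 2 <= len(hello):
        (ext_total,) = struct.unpack_from("!H", hello, pos)
        pos += 2
        end = min(pos + ext_total, len(hello))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
            pos += 4 + ext_len
            if ext_type == SESSION_TICKET_EXT:
                ticket_len = ext_len
    return {"session_id_len": sid_len, "ticket_len": ticket_len,
            "offers_resumption": sid_len > 0 or bool(ticket_len)}

def build_hello(session_id: bytes, ticket) -> bytes:
    """Constructed sample ClientHello record; not bytes from the capture."""
    exts = b"" if ticket is None else (
        struct.pack("!HH", SESSION_TICKET_EXT, len(ticket)) + ticket)
    hello = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
             + b"\x00\x02\xc0\x2f" + b"\x01\x00"
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs

if __name__ == "__main__":
    print("no cached state:", resumption_offer(build_hello(b"", b"")))
    print("cached ticket:  ", resumption_offer(build_hello(b"", b"\xaa" * 160)))
    print("cached id only: ", resumption_offer(build_hello(bytes(32), None)))
```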