I am having a strange issue with the TLS 1.2 test URL provided by Intuit and .NET Framework 4.6.1/4.7. Since TLS 1.2 will be mandatory in some time, we upgraded all our .NET apps to Framework 4.6.1/4.7.
Here is Intuit's TLS1.2 enabled url- https://tlstest.intuit.com/
and here is the other TLS1.2 url which I tested on the same .Net web app on Framework 4.6.1 or 4.7-
https://api-tls12.stripe.com/v1/charges
If I don’t use Fiddler then I get a successful JSON response for the Stripe URL, but for the Intuit URL I get this exception in the .NET code: The request was aborted. Could not create secure SSL/TLS channel.
I found out one probable reason why this was happening after reading the details in this blog- http://www.dotnetexpertguide.com/2017/05/c-request-was-aborted-could-not-create.html
“But soon I realize that Chrome do not use Microsoft Schannel for it’s SSL/TLS implementation. Chrome uses BoringSSL, it’s own fork of OpenSSL, library. .NET framework uses Microsoft Schannel implementation, so to verify against Microsoft Schannel implementation, I fired up Internet Explorer. And as I rightly expected, IE was unable to connect with this website.”
I also found the exact same thing: https://tlstest.intuit.com/ does not work on IE, but it works on Edge or any other browser.
I checked the Fiddler and Wireshark logs for the URL https://tlstest.intuit.com/ when I run the .NET code (4.6.1) and see that a TLS 1.2 channel is getting created but fails with the error –
Fiddler log for Intuit url-
Request-
CONNECT tlstest.intuit.com:443 HTTP/1.1
Host: tlstest.intuit.com
Connection: Keep-Alive

A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

Version: 3.3 (TLS/1.2)
Random: 59 BC B4 68 AA 6A EF 15 E7 A1 45 DD A9 EA F3 ED A2 1C E7 F1 19 49 D4 B4 FA 01 7D AD 88 6C AF C7
"Time": 8/31/2025 3:19:21 PM
SessionID: empty
Extensions:
    renegotiation_info 00
    server_name tlstest.intuit.com
    elliptic_curves secp256r1 [0x17], secp384r1 [0x18]
    ec_point_formats uncompressed [0x0]
    signature_algs sha512_rsa, sha512_ecdsa, sha256_rsa, sha384_rsa, sha1_rsa, sha256_ecdsa, sha384_ecdsa, sha1_ecdsa, sha1_dsa
    SessionTicket empty
Ciphers:
    [C028] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    [009F] TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    [009E] TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    [009D] TLS_RSA_WITH_AES_256_GCM_SHA384
    [009C] TLS_RSA_WITH_AES_128_GCM_SHA256
    [C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    [C023] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    [C027] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    [C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
    [C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
    [003D] TLS_RSA_WITH_AES_256_CBC_SHA256
    [003C] TLS_RSA_WITH_AES_128_CBC_SHA256
    [0035] TLS_RSA_AES_256_SHA
    [002F] TLS_RSA_AES_128_SHA
    [C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    [C024] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    [C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    [C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    [006A] TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    [0040] TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    [0038] TLS_DHE_DSS_WITH_AES_256_SHA
    [0032] TLS_DHE_DSS_WITH_AES_128_SHA
    [000A] SSL_RSA_WITH_3DES_EDE_SHA
    [0013] SSL_DHE_DSS_WITH_3DES_EDE_SHA
Compression: [00] NO_COMPRESSION

Response-
HTTP/1.1 200 Connection Established
FiddlerGateway: Direct
StartTime: 23:19:36.838
Connection: close

fiddler.network.https> HTTPS handshake to tlstest.intuit.com (for #1) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The token supplied to the function is invalid
Win32 (SChannel) Native Error Code: 0x80090308
Fiddler log for Stripe url-
CONNECT api-tls12.stripe.com:443 HTTP/1.1
Host: api-tls12.stripe.com
Connection: Keep-Alive

A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

Version: 3.3 (TLS/1.2)
Random: 59 BC B4 C0 C5 4A 0C 6C 0F 32 16 DD EA 56 FF 6A 0E A8 F3 99 7B F4 D3 16 F6 8D F1 04 0C C8 F2 5F
"Time": 6/13/2072 1:02:49 PM
SessionID: empty
Extensions:
    renegotiation_info 00
    server_name api-tls12.stripe.com
    elliptic_curves secp256r1 [0x17], secp384r1 [0x18]
    ec_point_formats uncompressed [0x0]
    signature_algs sha512_rsa, sha512_ecdsa, sha256_rsa, sha384_rsa, sha1_rsa, sha256_ecdsa, sha384_ecdsa, sha1_ecdsa, sha1_dsa
    SessionTicket empty
Ciphers:
    [C028] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    [009F] TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    [009E] TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    [009D] TLS_RSA_WITH_AES_256_GCM_SHA384
    [009C] TLS_RSA_WITH_AES_128_GCM_SHA256
    [C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    [C023] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    [C027] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    [C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
    [C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
    [003D] TLS_RSA_WITH_AES_256_CBC_SHA256
    [003C] TLS_RSA_WITH_AES_128_CBC_SHA256
    [0035] TLS_RSA_AES_256_SHA
    [002F] TLS_RSA_AES_128_SHA
    [C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    [C024] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    [C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    [C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    [006A] TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    [0040] TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    [0038] TLS_DHE_DSS_WITH_AES_256_SHA
    [0032] TLS_DHE_DSS_WITH_AES_128_SHA
    [000A] SSL_RSA_WITH_3DES_EDE_SHA
    [0013] SSL_DHE_DSS_WITH_3DES_EDE_SHA
Compression: [00] NO_COMPRESSION

HTTP/1.1 200 Connection Established
FiddlerGateway: Direct
StartTime: 23:21:04.781
Connection: close

Encrypted HTTPS traffic flows through this CONNECT tunnel. HTTPS Decryption is enabled in Fiddler, so decrypted sessions running in this tunnel will be shown in the Web Sessions list.

Secure Protocol: Tls12
Cipher: Aes128 128bits
Hash Algorithm: Sha256 256bits
Key Exchange: ECDHE_RSA (0xae06) 256bits

== Server Certificate ==========
[Subject] CN=api-tls12.stripe.com, O="Stripe, Inc", L=San Francisco, S=California, C=US, PostalCode=94110, STREET="3180 18th St., Suite 100", SERIALNUMBER=4675506, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization
[Issuer] CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
[Serial Number] 0E5A8662F8D94F9D09C4C03FA2196D72
[Not Before] 4/10/2017 6:00:00 PM
[Not After] 4/11/2018 6:00:00 AM
[Thumbprint] 298E219B33463A83CD4C0C1E5EAA1399AF2A024E
[SubjectAltNames] api-tls12.stripe.com
I do not see any cipher diff between the 2 Fiddler logs for Intuit's and Stripe's URLs. Can anyone help me figure out what could be the issue? The ciphers enabled on the IE11 browser are also the same as on Chrome or any other browser, so I am not sure why the URL will not work on IE11 but works on other browsers.
I have checked the Wireshark logs and found some differences after the handshake is done for both URLs. But I'm not a network expert, so I cannot make out anything from it. I am not sure how I can share the Wireshark logs here. Any help on the TLS 1.2 issue, please: why does Intuit's URL not work while Stripe's works on the 4.6.1 .NET Framework web app?
The web app makes a simple http GET request on the above urls.
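Added example (not part of the original post): a small Python parser for the flattened Fiddler ClientHello text, used to diff the two dumps field by field instead of by eye. The sample strings are constructed and abbreviated from the logs above, and the function names are hypothetical; because a ClientHello only lists what the client offers, a diff that shows nothing but `server_name` moves the comparison to the server's side of the handshake.

```python
import re

# Constructed samples: same layout as the two Fiddler dumps in the post, with
# the cipher and signature lists shortened. Random/"Time" are left out because
# they differ on every handshake and say nothing about negotiation.
INTUIT = (
    "Version: 3.3 (TLS/1.2) SessionID: empty Extensions: renegotiation_info 00 "
    "server_name tlstest.intuit.com elliptic_curves secp256r1 [0x17], secp384r1 [0x18] "
    "ec_point_formats uncompressed [0x0] signature_algs sha512_rsa, sha256_rsa, sha1_rsa "
    "SessionTicket empty Ciphers: [C028] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 "
    "[009F] TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 [C027] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 "
    "Compression: [00] NO_COMPRESSION"
)
STRIPE = INTUIT.replace("tlstest.intuit.com", "api-tls12.stripe.com")

# Extension labels as Fiddler prints them in the logs above.
EXT_NAMES = "|".join(["renegotiation_info", "server_name", "elliptic_curves",
                      "ec_point_formats", "signature_algs", "SessionTicket"])
# An extension's value runs until the next known label or the end of the block.
EXT_RE = re.compile(rf"\b({EXT_NAMES})\s+(.*?)(?=\s+(?:{EXT_NAMES})\b|\s*$)", re.S)


def parse_client_hello(text):
    """Return version, each extension value and the ordered cipher list."""
    hello = {"version": re.search(r"Version:\s*(\S+ \([^)]*\))", text).group(1)}
    ext_block = re.search(r"Extensions:(.*?)Ciphers:", text, re.S).group(1)
    for name, value in EXT_RE.findall(ext_block):
        hello["ext:" + name] = " ".join(value.split())
    cipher_block = text.split("Ciphers:", 1)[1].split("Compression:", 1)[0]
    # Order is kept: it is the client's preference order.
    hello["ciphers"] = re.findall(r"\[([0-9A-Fa-f]{4})\]\s+(\S+)", cipher_block)
    return hello


def diff_hellos(a, b):
    """Return {field: (a_value, b_value)} for every field that differs."""
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    for field, (left, right) in diff_hellos(parse_client_hello(INTUIT),
                                            parse_client_hello(STRIPE)).items():
        print(f"{field}: {left!r} != {right!r}")
```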