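We are unable to connect to an HTTPS server using WebRequest because of this error message:
The request was aborted: Could not create SSL/TLS secure channel.
We know that the server doesn't have a valid HTTPS certificate, but to bypass this issue, we use the following code that we took from another StackOverflow post: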
private void Somewhere() {
ServicePointManager.ServerCertificateValidationCallback += new RemoteCertificateValidationCallback(AlwaysGoodCertificate);
}
private static bool AlwaysGoodCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors policyErrors) {
return true;
}
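The problem is that the server never validates the certificate and fails with the above error. Does anyone have any idea of what I should do?
I should mention that a colleague and I performed tests a few weeks ago and it was working fine with something similar to what I wrote above. The only "major difference" we've found is that I'm using Windows 7 and he was using Windows XP. Does that change anything?
I ran into the same problem recently. My environment runs under .NET 4.6.1 and VB.NET. This is how I fixed it: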
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3
ServicePointManager.ServerCertificateValidationCallback = New RemoteCertificateValidationCallback(AddressOf util.ValidateServerCertificate)
And the util.ValidateServerCertificate function is:
Public Function ValidateServerCertificate(ByVal sender As Object, ByVal certificate As X509Certificate, ByVal chain As X509Chain, ByVal sslPolicyErrors As SslPolicyErrors) As Boolean
Return True
End Function
Make sure the ServicePointManager settings are made before the HttpWebRequest is created, otherwise it will not work.
Works:
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls
| SecurityProtocolType.Tls11
| SecurityProtocolType.Tls12
| SecurityProtocolType.Ssl3;
HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://google.com/api/");
Fails:
HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://google.com/api/");
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls
| SecurityProtocolType.Tls11
| SecurityProtocolType.Tls12
| SecurityProtocolType.Ssl3;
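As you can tell, there are plenty of reasons this might happen. I thought I would add the cause I encountered...
If you set the value of WebRequest.Timeout to 0, this is the exception that is thrown. Below is the code I had... (except that instead of a hard-coded 0 for the timeout value, I had a parameter that was inadvertently set to 0).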
WebRequest webRequest = WebRequest.Create(@"https://myservice/path");
webRequest.ContentType = "text/html";
webRequest.Method = "POST";
string body = "...";
byte[] bytes = Encoding.ASCII.GetBytes(body);
webRequest.ContentLength = bytes.Length;
var os = webRequest.GetRequestStream();
os.Write(bytes, 0, bytes.Length);
os.Close();
webRequest.Timeout = 0; //setting the timeout to 0 causes the request to fail
WebResponse webResponse = webRequest.GetResponse(); //Exception thrown here ...
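I know this is a late answer, but I ran into the same issue when I tried to call an API (hosted on Windows Server 2016) from Windows Server 2012 R2 (the client).
After a lot of investigation, the issue turned out to be related to a handshake problem at the operating system level; specifically, the list of ciphers sent by the client was not supported by the host server.
I found this out when I traced the connection with Wireshark and saw that the ciphers being sent were not supported.
Windows Server 2012 R2 has limited support for newer ciphers, which may cause the TLS/SSL handshake to fail.
The starting point was when I saw this error: "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40" in Event Viewer (Event Viewer >> Custom Views >> Administrative Events).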
The top-voted answer will probably be enough for most people. However, in some circumstances, you could continue getting a "Could not create SSL/TLS secure channel" error even after forcing TLS 1.2. If so, you may want to consult this helpful article for additional troubleshooting steps. To summarize: independent of the TLS/SSL version issue, the client and server must agree on a "cipher suite." During the "handshake" phase of the SSL connection, the client will list its supported cipher-suites for the server to check against its own list. But on some Windows machines, certain common cipher-suites may have been disabled (seemingly due to well-intentioned attempts to limit attack surface), decreasing the possibility of the client & server agreeing on a cipher suite. If they cannot agree, then you may see "fatal alert code 40" in the event viewer and "Could not create SSL/TLS secure channel" in your .NET program.
The aforementioned article explains how to list all of a machine's potentially-supported cipher suites and enable additional cipher suites through the Windows Registry. To help check which cipher suites are enabled on the client, try visiting this diagnostic page in MSIE. (Using System.Net tracing may give more definitive results.) To check which cipher suites are supported by the server, try this online tool (assuming that the server is Internet-accessible). It should go without saying that Registry edits must be done with caution, especially where networking is involved. (Is your machine a remote-hosted VM? If you were to break networking, would the VM be accessible at all?)
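In my company's case, we enabled several additional "ECDHE_ECDSA" suites via Registry edit, to fix the immediate problem and guard against future problems. But if you cannot (or will not) edit the Registry, then numerous workarounds (not necessarily pretty) come to mind. For example: your .NET program could delegate its SSL traffic to a separate Python program (which may itself work, for the same reason that Chrome requests may succeed where MSIE requests fail on an affected machine).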
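The `AlwaysGoodCertificate` and `Return True` callbacks posted above are registered on `ServicePointManager`, so they switch off certificate validation for every connection in the process. As an added example (not code from any of the posts), the sketch below scopes the callback to one request and accepts only a certificate that passes normal validation or matches a pinned SHA-256 fingerprint. The class name, the host `legacy.example.test` and the generated certificates are constructed for illustration, and `CertificateRequest` assumes .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedTlsExample
{
    // SHA-256 fingerprint of the DER-encoded certificate, as upper-case hex.
    static string Fingerprint(X509Certificate cert)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(cert.GetRawCertData())).Replace("-", "");
    }
    // Accept a certificate that passed normal validation, or the one certificate
    // whose fingerprint equals the pin; reject everything else.
    static bool Validate(X509Certificate cert, SslPolicyErrors errors, string pin) =>
        cert != null && (errors == SslPolicyErrors.None ||
            string.Equals(Fingerprint(cert), pin, StringComparison.OrdinalIgnoreCase));

    static HttpWebRequest CreateRequest(string url, string pin)
    {
        // Protocol selection has to precede WebRequest.Create, as the answers above note.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        var request = (HttpWebRequest)WebRequest.Create(url);
        // Per-request callback (.NET 4.5+): the rest of the process keeps default validation.
        request.ServerCertificateValidationCallback = (sender, cert, chain, errors) => Validate(cert, errors, pin);
        return request;
    }

    // Constructed test certificate; stands in for the server's self-signed one.
    static X509Certificate2 SelfSigned(string subject)
    {
        using (var key = RSA.Create(2048))
            return new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
                .CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
    }

    static void Main()
    {
        using (var expected = SelfSigned("CN=legacy.example.test"))
        using (var other = SelfSigned("CN=legacy.example.test"))
        {
            string pin = Fingerprint(expected); // in practice, recorded once from the known-good server
            Console.WriteLine("pinned certificate accepted: " + Validate(expected, SslPolicyErrors.RemoteCertificateChainErrors, pin));
            Console.WriteLine("look-alike certificate accepted: " + Validate(other, SslPolicyErrors.RemoteCertificateChainErrors, pin));
            CreateRequest("https://legacy.example.test/api/", pin); // builds the request, sends nothing
        }
    }
}
```

The second certificate carries the same subject name but a different key, so its fingerprint differs and the callback rejects it; the pin has to be updated whenever the server's certificate is replaced.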