I'm working with a classic asp script that I inherited. I'm trying to connect with TLS 1.2, but am having issues. I get a 500 Error when I try to run the following:
<%
Const WinHttpRequestOption_SecureProtocols = 9
Const SecureProtocol_SSL2 = 8, SecureProtocol_SSL3 = 32, _
SecureProtocol_TLS1 = 128, SecureProtocol_TLS1_1 = 512, _
SecureProtocol_TLS1_2 = 2048
Set objHttp = Server.CreateObject("WinHTTP.WinHTTPRequest.5.1")
objHttp.option(9) = 128
objHttp.open "GET", "https://howsmyssl.com/a/check", false
objHttp.Send
Response.Write objHttp.responseText
Set objHttp = Nothing
%>
If I eliminate the option(9), it runs just fine, but doesn't connect via TLS 1.2. The server registry has already been updated and a check of the server via SSL Labs (https://www.ssllabs.com/ssltest/index.html) shows that the server is all set for TLS 1.2.
This is on a Windows 2008 Server (Not R2). Any ideas on how I can get things to run TLS 1.2?
WinHttp on Windows 2008/Vista doesn't support TLS 1.1 or TLS 1.2. If I use Object Browser in Visual Studio to examine a winhttp.dll from a Windows 2008 machine you will notice in the screenshot below the WinHttpRequestSecureProtocols enum doesn't have SecureProtocol_TLS1_1 or SecureProtocol_TLS_1_2.
Compare this to a Windows 10 machine:
KB3140245 allows a registry change to default WinHttp to TLS 1.1 and/or TLS 1.2, doing so gets around the issue of not being able to set TLS 1.1 or TLS 1.2 programmatically, but there is no update for Windows 2008, only Windows 2008 R2 and higher. Windows Server 2016 supports this natively, so I would recommend updating to Server 2016 if possible.
Related
First I disable the following things in windows server 2016.
Triple DES cipher
RC4 cipher
TLS CBC Mode ciphers
TLS 1.0
TLS 1.1
Then, I reboot the server.
Finally, I call the web application which is hosted at above server from my client browser.
Here is the problem I can not connect to that web application via browser
What am I missing something?
What should I do to be able to use from end users?
Thank you.
Just turn off the windows server firewall to be able to connection from client site.
It works for me. It's not affected due to disability of above ciphers and tls.
After diabling lower security protocol versions SSL3.0, TLS1.0, TLS1.1 and enabling TLS 1.2, I am not able to connect to BizTalk group or use BizTalk server. The BizTalk server version I am using is 2013R2. Following is the error:
An attempt to connect to "BizTalkMgmtDb" SQL Server database on server "XXXXXX" failed.
Internal Error from OLEDB provider: "[DBNETLIB][ConnectionOpen (SECCreateCredentials()).]SSL Security error."
Also when I enable TLS 1.2 without disabling the lower versions I don't see any problems and everything seems working fine
Please suggest what can be done to make the server compatible while disabling lower versions
You need to install CU 8 and and also the prerequisite SQL Server 2012 Native Client version 11 as per Support for TLS 1.2 protocol in BizTalk Server
See also BizTalk: Configure TLS 1.2 on BizTalk Server
For BizTalk 2013 R2 we also installed .Net 4.6 and updated the BAM connection strings to use the SQL Server Native Client 11.
You will also have to ensure that any other endpoints that BizTalk communicates with or that communicates with BizTalk is capable of TLS 1.2, for anything using either HTTPS, FTPS or SQL.
So any SQL server you connect to also need to have SQL Server 2012 Native Client version 11 or above, and .NET 4.5 or greater.
Are you added this key on regedit?
Going to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319
then Add--> New DWORD --> SchUseStrongCrypto with value 1
Needing to do same operation on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft.NETFramework\v4.0.30319
How can I check on which TLS version our BizTalk 2016 server is running
I want to know if TLS1.2 is not enabled how can I enable the same on BizTalk 2016 server.
As BizTalk 2016 is on .Net 4.6 this tries to use TLS 1.2 first but falls back to TLS 1.1 & TLS 1.0 unless they are disabled.
MS16-065: Description of the TLS/SSL protocol information disclosure vulnerability (CVE-2016-0149): May 10, 2016
Note The .NET Framework 4.6 and later versions use TLS 1.2, TLS 1.1, and TLS 1.0 as the protocol defaults. This is discussed in the Microsoft Security Advisory 2960358 topic on the Microsoft TechNet website.
If you want to make BizTalk use TLS 1.2 exclusively you need to make sure you have either Feature Pack 2 or Feature Pack 3 (I would recommend the latest always), or if not installing feature packs, install CU 5 for BizTalk 2016. You also need to ensure that any system BizTalk connects to, including the BizTalk database server support TLS 1.2
Note there is a prerequisite:
SQL Server 2012 Native Client version 11 should be installed on all BizTalk Server systems before you apply this update. If the SQL Native Client is not installed before you apply cumulative update, the installation may not complete.
Both of those articles then link you to Support for TLS 1.2 protocol in BizTalk Server and also links leading to MS16-065: Description of the TLS/SSL protocol information disclosure vulnerability (CVE-2016-0149): May 10, 2016
I am trying to force TLS 1.2 on my login page.
I have installed .net 4.7.1. I checked this by going to the registry.
hkey_local_machine/software/Microsoft/NET Framework Setup/v4/full/release and the dword is 460805 per these instructions msdn
I have also forced tls 1.2 through my global.asax file
Sub Application_Start(ByVal sender As Object, ByVal e As EventArgs)
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
End Sub
I also set the page up to use SSL in IIS and to use my company's cert.
Every time I access the page, Chrome states that I am using tls 1.0
Windows Server 2008 R2
Any suggestions would be helpful, thank you very much
I solved it, Since it is server 2008 r2 I had to modify the registery to turn on tls 1.2. Here are the instructions lifted from this blog
Step 2: Enable TLS 1.1 and TLS 1.2
2.1 Open registry on your server by running ‘regedit‘ in run window and navigate to below location.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
2.2 Add the TLS 1.1 and TLS 1.2 keys under Protocols. It will looks like directories.
TLS-1
2.3 Now create two keys Client and Server under both TLS keys.
2.4 Now create the DWORD Values under Server and Client key as following
DisabledByDefault [Value = 0]
Enabled [Value = 1]
I have a VB.NET 4.5 application on Windows Server 2008 R2 that must connect to one of our other internal applications on a Tomcat server via TLSv1.2. According to our security scans and server config (in preparation for PCI), we can only use these ciphers on that server:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
I have generated the service class from the WSDL as usual, but a Wireshark capture doesn't list any of these ciphers as an option.
My questions:
What library does Microsoft.NET use behind the scenes for TLS connections? For example, does it still use SChannel?
Is there a way for me to enable / install new ciphers for VB.NET to use?
If it's using SChannel, maybe I can do some registry changes to get it working...? Or is it possible that these ciphers are just not available on Windows Server 2008 R2?
Thanks in advance!
.NET supports them but by default .NET TLS implementation is using only SSLv3/TLSv1 and it doesn't offer those ciphers.
To enable TLSv1.1 and TLSv1.2 (not sure which one actually enabled those ciphers) use:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
This will enable TLSv1.1+ (and in process disables SSLv3) and .NET should start offering TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
Cheers