I have a task at my workplace where we have a web application running on Windows Server 2012 R2.
Now I have to enable ciphers and put some more ciphers into the list which is to be used, but as I am enabling ciphers the default cipher login of my application stopped. I don't know what to do, please help.
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 *
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 *
*Windows 8.1 and Windows Server 2012 R2 only.
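The symptom described above (an existing login path breaking after the cipher list is changed) is usually the result of replacing the whole cipher suite order instead of adding to it. The following PowerShell is an added example, not code from the original post: it compares the wanted suites against what SChannel currently has enabled and only appends the missing ones at the end of the order, so nothing the application already negotiates is removed. It assumes the TLS module (Get-TlsCipherSuite / Enable-TlsCipherSuite, shipped with Windows Server 2012 R2 and later) and an elevated session; the function names and the -Apply switch are my own. The comparison ignores the _P256/_P384 suffix; on Windows Server 2016 and later, where the suffix is no longer part of the suite name, pass the unsuffixed names.

```powershell
# Added example (not from the original post). Requires the TLS module
# (Windows Server 2012 R2 / Windows 8.1 and later) and an elevated prompt.
#Requires -RunAsAdministrator

# Suites the question wants enabled (copied from the post, duplicates removed;
# the trailing _P256/_P384 is the curve suffix used in 2012 R2 order lists).
$Wanted = @(
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
)

# Strip the curve suffix so names compare equal whether or not the
# platform reports them with it.
function Get-BaseSuiteName([string]$Name) {
    return ($Name -replace '_P(256|384|521)$', '')
}

# Returns the wanted suites that SChannel does not currently have enabled.
function Get-MissingCipherSuites([string[]]$Desired) {
    $enabled = @(Get-TlsCipherSuite | ForEach-Object { Get-BaseSuiteName $_.Name })
    $Desired | Where-Object { (Get-BaseSuiteName $_) -notin $enabled } |
        Select-Object -Unique
}

# Appends the missing suites after everything currently enabled. Nothing
# already in the order is touched, so whatever suite the existing login
# negotiates keeps working. Without -Apply it only reports.
function Add-MissingCipherSuites([string[]]$Desired, [switch]$Apply) {
    $missing = @(Get-MissingCipherSuites $Desired)
    if ($missing.Count -eq 0) {
        Write-Host 'All wanted suites are already enabled; nothing to do.'
        return
    }
    foreach ($suite in $missing) {
        $position = @(Get-TlsCipherSuite).Count   # end of the current order
        if ($Apply) {
            Enable-TlsCipherSuite -Name $suite -Position $position
            Write-Host "Enabled $suite at position $position"
        } else {
            Write-Host "Would enable $suite at position $position (re-run with -Apply)"
        }
    }
}

Add-MissingCipherSuites -Desired $Wanted
```

Enable-TlsCipherSuite edits the local cipher suite order; if a Group Policy "SSL Cipher Suite Order" is applied to the server, that policy list takes precedence, so check gpresult before concluding the change had no effect. Re-run Get-TlsCipherSuite afterwards and confirm the suite the application's login used before the change is still present.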
First, I disable the following things in Windows Server 2016.
Triple DES cipher
RC4 cipher
TLS CBC Mode ciphers
TLS 1.0
TLS 1.1
Then, I reboot the server.
Finally, I call the web application which is hosted at above server from my client browser.
Here is the problem: I cannot connect to that web application via browser.
What am I missing?
What should I do so that end users are able to use it?
Thank you.
Just turn off the Windows Server firewall to be able to connect from the client side.
It works for me. It's not affected by disabling the above ciphers and TLS versions.
After disabling lower security protocol versions SSL 3.0, TLS 1.0, TLS 1.1 and enabling TLS 1.2, I am not able to connect to the BizTalk group or use BizTalk Server. The BizTalk Server version I am using is 2013 R2. Following is the error:
An attempt to connect to "BizTalkMgmtDb" SQL Server database on server "XXXXXX" failed.
Internal Error from OLEDB provider: "[DBNETLIB][ConnectionOpen (SECCreateCredentials()).]SSL Security error."
Also when I enable TLS 1.2 without disabling the lower versions I don't see any problems and everything seems working fine
Please suggest what can be done to make the server compatible while disabling lower versions
You need to install CU 8 and also the prerequisite SQL Server 2012 Native Client version 11 as per Support for TLS 1.2 protocol in BizTalk Server
See also BizTalk: Configure TLS 1.2 on BizTalk Server
For BizTalk 2013 R2 we also installed .Net 4.6 and updated the BAM connection strings to use the SQL Server Native Client 11.
You will also have to ensure that any other endpoints that BizTalk communicates with, or that communicate with BizTalk, are capable of TLS 1.2, for anything using HTTPS, FTPS or SQL.
So any SQL Server you connect to also needs to have SQL Server 2012 Native Client version 11 or above, and .NET 4.5 or greater.
Have you added this key in regedit?
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
then Add --> New DWORD --> SchUseStrongCrypto with value 1
You need to do the same operation on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
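To make the registry change above repeatable across servers, here is a PowerShell version (an added example, not from the answer) that reads the current value under both keys named above, reports it, and sets SchUseStrongCrypto to 1 only when -Apply is given. The key paths are the ones from the answer; the function names are my own, and it assumes an elevated session.

```powershell
# Added example (not from the original answer): audit / set SchUseStrongCrypto
# on the two .NET Framework keys named in the answer. Run elevated.
#Requires -RunAsAdministrator

$DotNetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$ValueName = 'SchUseStrongCrypto'

# One record per key: whether the key exists, the current DWORD (if any),
# and whether it already has the value the answer asks for.
function Get-StrongCryptoState {
    foreach ($key in $DotNetKeys) {
        $current = $null
        $exists  = Test-Path -LiteralPath $key
        if ($exists) {
            $item = Get-ItemProperty -LiteralPath $key -Name $ValueName -ErrorAction SilentlyContinue
            if ($item) { $current = $item.$ValueName }
        }
        [pscustomobject]@{
            Key     = $key
            Exists  = $exists
            Value   = $current          # $null means the DWORD is not set
            Enabled = ($current -eq 1)
        }
    }
}

# Dry run by default; -Apply writes the DWORD where it is missing or not 1.
function Set-StrongCrypto([switch]$Apply) {
    foreach ($state in Get-StrongCryptoState) {
        if ($state.Enabled) {
            Write-Host "$($state.Key): already 1"
            continue
        }
        if (-not $Apply) {
            Write-Host "$($state.Key): would set $ValueName = 1 (current: $($state.Value)); re-run with -Apply"
            continue
        }
        if (-not $state.Exists) {
            # Create the key if absent (e.g. no Wow6432Node on a 32-bit install).
            New-Item -Path $state.Key -Force | Out-Null
        }
        New-ItemProperty -LiteralPath $state.Key -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null
        Write-Host "$($state.Key): set $ValueName = 1"
    }
}

Get-StrongCryptoState | Format-Table -AutoSize
Set-StrongCrypto
```

SchUseStrongCrypto is read when a .NET process starts, so after applying it the BizTalk host instances (and any other .NET services involved) need to be restarted before the change has any effect.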
My Telegram bot doesn't receive updates anymore, because of the last API update which only works with TLS 1.2.
I tried listening with Wireshark to check, and I found that the outgoing requests are sent over TLS 1.2 successfully, but the INCOMING ONES (updates, commands sent to my bot) fail due to HANDSHAKE FAILURE.
Transport Layer Security
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 2
Alert Message
Level: Fatal (2)
Description: Handshake Failure (40)
Knowing that, I tried:
Enabling TLS 1.2 using Internet Options
Added client and server keys to the SChannel entry in the registry
(DisabledByDefault = 0 ; Enabled = 1)
Installed this update: KB3140245
Installed all the important updates on my Windows Server 2012
What should I do to solve this issue?
Thanks for your time.
Note: This is an edited repost of my original answer, as it was deleted for being low-quality.
The issue is that, of the TLS 1.2 set of cipher suites, the Telegram API only accepts a limited set. Of those, only TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) and TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) are supported on Windows 2012. A secure channel for SSL / TLS could not be created on create new TelegramBotClient
However Microsoft has disabled their implementations of those ciphers on Windows 2012 already in 2014 as part of a remote code execution patch: MS14-066: Vulnerability in SChannel could allow remote code execution: November 11, 2014
They are considered unsafe ciphers by, among others, Qualys SSL Labs and NARTAC.
Note that the Telegram API supports many other, more secure ciphers even TLS 1.3, but none of those are supported by any version of Windows 2012. TLS 1.3 is not supported by any Windows version at the time of writing.
In summary, this explains why the problem occurs. The bad news is that there is no good solution on Windows Server 2012. The oldest Windows Server version that supports Telegram bots currently is Windows Server 2016. I'm moving my bot to an Ubuntu 19.10 server.
I have a VB.NET 4.5 application on Windows Server 2008 R2 that must connect to one of our other internal applications on a Tomcat server via TLSv1.2. According to our security scans and server config (in preparation for PCI), we can only use these ciphers on that server:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
I have generated the service class from the WSDL as usual, but a Wireshark capture doesn't list any of these ciphers as an option.
My questions:
What library does Microsoft.NET use behind the scenes for TLS connections? For example, does it still use SChannel?
Is there a way for me to enable / install new ciphers for VB.NET to use?
If it's using SChannel, maybe I can do some registry changes to get it working...? Or is it possible that these ciphers are just not available on Windows Server 2008 R2?
Thanks in advance!
.NET supports them, but by default the .NET TLS implementation uses only SSLv3/TLSv1 and doesn't offer those ciphers.
To enable TLSv1.1 and TLSv1.2 (not sure which one actually enabled those ciphers) use:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
This will enable TLSv1.1+ (and in the process disable SSLv3), and .NET should start offering TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
Cheers
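The following PowerShell probe is an added example, not part of the answer above. It does two things the posts on this page keep needing: it first checks plain TCP reachability, so a firewall block (the situation in the Windows Server 2016 question) is told apart from a TLS failure, and then performs a TLS 1.2 handshake with System.Net.Security.SslStream and reports the negotiated protocol, cipher, hash and key exchange, which is the .NET/SChannel-side view of the question about which suites a VB.NET client actually offers. It sets ServicePointManager.SecurityProtocol exactly as the answer shows. The function name, the host and port placeholders and the certificate handling are my own assumptions; the callback accepts any certificate so that a self-signed lab certificate cannot mask a cipher-suite failure, which suits a diagnostic and nothing else.

```powershell
# Added example (not from the original posts): probe a TLS endpoint from the
# .NET/SChannel stack. Host and port are constructed placeholders to replace.
param(
    [string]$HostName = 'app.example.test',
    [int]$Port = 443
)

# Same setting as the answer above: offer TLS 1.1/1.2 instead of SSL3/TLS1.0.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12

function Test-TlsEndpoint([string]$Target, [int]$TargetPort) {
    $result = [ordered]@{ Host = $Target; Port = $TargetPort; TcpOpen = $false }

    # Step 1: plain TCP. A refusal or timeout here is a network or firewall
    # problem, not a cipher-suite problem.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Target, $TargetPort)
        $result.TcpOpen = $true
    } catch {
        $result.Error = "TCP connect failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # Step 2: TLS 1.2 handshake. The callback accepts any certificate so a
    # self-signed lab certificate does not hide a cipher-suite mismatch;
    # real client code must validate the chain instead.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Target, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $result.Protocol    = $ssl.SslProtocol
        $result.Cipher      = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
        $result.Hash        = $ssl.HashAlgorithm
        $result.KeyExchange = "$($ssl.KeyExchangeAlgorithm) $($ssl.KeyExchangeStrength)-bit"
        $result.Subject     = $ssl.RemoteCertificate.Subject
    } catch {
        # TCP open but handshake failed: the "no common cipher suite / protocol"
        # case behind the event-log text and the Wireshark alert quoted on this page.
        $result.Error = "TLS handshake failed: $($_.Exception.GetBaseException().Message)"
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
    [pscustomobject]$result
}

Test-TlsEndpoint -Target $HostName -TargetPort $Port | Format-List
```

Run it from the machine that hosts the client (the VB.NET application, or the browser in the Windows Server 2016 question) against the server in question: TcpOpen = False points at the network path, while TcpOpen = True with a handshake error points at the protocol and cipher configuration on one of the two sides. The Cipher and KeyExchange fields show what this .NET build negotiated, which can be compared with the suite list the server is required to use.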
When my ASP.NET website is running on a Windows 7 box, it can connect (programmatically as a "client") to an SSL-encrypted service ("server") on another Windows 7 machine just fine.
But if my website is on the production box (Windows Server 2003), the service's Windows log shows:
An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
(service is using a self-signed cert created by makecert.exe, but I can't see how to make makecert allow more cipher suites... or do I install something on the 2003 boxes...? This: https://serverfault.com/questions/166750 doesn't work for me because I am not using a CSR)
The solution was to generate my certificate again, this time forcing RSA and SHA1 (though SHA1 should be the default anyway). For some reason Win Server 2k3 couldn't or wouldn't use the right ciphers with a default makecert certificate. Here is the command line that worked for me:
makecert -pe -r -ss my -sr localMachine -n "CN=domainnameoripaddressgoeshere.com" -e 01/01/2098 -a sha1 -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
For details see http://mgowen.com/2013/06/19/cipher-suites-issue/ and http://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.110).aspx .
If anyone finding this does want to know about cipher suites though, here's some stuff I found along the way that may help you:
You can add two RSA cipher suites to Windows Server 2003 using this hotfix: http://support.microsoft.com/kb/948963
You can see which ciphers are supported in regedit (windows registry editor) under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
You can use IIS Crypto (a free cipher config app, https://www.nartac.com/Products/IISCrypto/) to view and enable/disable ciphers (including those hotfix ciphers above).
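To see at a glance what the registry keys mentioned above currently say, here is an added PowerShell audit (my own, not from the answer and not IIS Crypto) that walks the SCHANNEL Ciphers, Hashes, KeyExchangeAlgorithms and Protocols keys and prints each subkey's Enabled / DisabledByDefault value. A subkey that does not exist means the OS default applies, which is what a fresh server shows. It assumes only read access to HKLM; the function names are my own.

```powershell
# Added example (not from the original answer): read-only audit of the
# SCHANNEL configuration keys. An absent subkey means the OS default is in effect.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# REG_DWORD 0xFFFFFFFF reads back as -1 through .NET; treat both spellings as "on".
function ConvertTo-OnOff($Value) {
    if ($null -eq $Value) { return 'default' }
    if ($Value -eq 0) { return 'off' }
    if ($Value -eq -1 -or $Value -eq 0xFFFFFFFF -or $Value -eq 1) { return 'on' }
    return "raw:$Value"
}

# Builds one record from a RegistryKey object. Using the key object directly
# avoids provider-path trouble with names such as "RC4 128/128".
function New-SettingRecord([string]$Category, [string]$Name, $Key) {
    [pscustomobject]@{
        Category          = $Category
        Name              = $Name
        Enabled           = ConvertTo-OnOff $Key.GetValue('Enabled', $null)
        DisabledByDefault = ConvertTo-OnOff $Key.GetValue('DisabledByDefault', $null)
    }
}

function Get-SchannelSettings {
    foreach ($category in 'Ciphers', 'Hashes', 'KeyExchangeAlgorithms', 'Protocols') {
        $path = Join-Path $SchannelRoot $category
        if (-not (Test-Path -LiteralPath $path)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $path) {
            if ($category -eq 'Protocols') {
                # Protocols has one level more: <protocol>\Client and <protocol>\Server.
                foreach ($side in $key.GetSubKeyNames()) {
                    $leaf = $key.OpenSubKey($side)
                    New-SettingRecord $category "$($key.PSChildName)\$side" $leaf
                    $leaf.Close()
                }
            } else {
                New-SettingRecord $category $key.PSChildName $key
            }
        }
    }
}

Get-SchannelSettings | Sort-Object Category, Name | Format-Table -AutoSize
```

Running this before and after a change (or after IIS Crypto) gives a record of which explicit overrides exist, which is also what to capture when an application stops connecting: the event-log message quoted in the question ("none of the cipher suites supported by the client application are supported by the server") is explained by the intersection of the server's Ciphers/Protocols overrides and what the client offers.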