I have several services written with ASP.NET 4.5.2 that fetch data from an external web service. These services have worked perfectly without error for a year or so. However, the third-party supplier has recently restricted their API to requests from clients using TLS 1.1 or higher.
Our services have been failing as they are being rejected by the extrnal web service. I have checked the server we use to host our service - Windows Server 2012 R2 - and this has TLS 1.1 and 1.2 configured (I have checked the registry keys). So surely our .NET service requests should default to one of those?
The fact our services are still being rejected suggests we are still sending our requests using TLS 1.0.
How can I check if our services are using TLS 1.1 or higher? How can I enable the services to use TLS 1.1 or higher?
You can use below tool to check the TLS protocols that the client's host name is supporting.
https://www.ssllabs.com/ssltest/analyze.html
Go to this Qualys SSL Labs, enter the client host name (ex: abdc.com).
Once report is generated, scroll down to Configuration section.
You will find the status of TLS 1.0/1.1/1.2/1.3/SSL3/SSL2
To understand the relation between .Net framework & TLS, refer below link.
https://blogs.perficient.com/2016/04/28/tsl-1-2-and-net-support/
The fact our services are still being rejected suggests we are still sending our requests using TLS 1.0.
In this case you are are using TLS as a client, not a server to connect to a remote service.
I have several services written with ASP.NET 4.5.2
There are registry keys you need to change for the .NET Framework 4.5.2 in order for TLS 1.2 to be used. This is documented here in the .NET TLS guide.
Perhaps the easiest thing to do would just be to move to the latest version of the .NET Framework. If that is not possible, you can do as the guide says
Set the SchUseStrongCrypto and SystemDefaultTlsVersions registry keys to 1.
Related
I'm building an API in Visual Studio using ASP.NET Core Web Application, but since a couple of days ago it doesn't work anymore. When I run the API from Visual Studio using IIS Express I get an error in the browser: "ERR_CONNECTION_RESET".
The application does work when I disable SSL, but it should (and before did) work with SSL enabled.
Things I've tried:
Change port (within the correct range)
Delete localhost certificate and repair Visual Studio, prompting the creation of a new SSL certificate
Deleted the .VS file and restarted VS in administrator mode
Delete applicationhost.config and restarted VS in administrator mode
Created a fresh application with a working pre build WeatherAPI, but that has the same problem aswel
Ran SSL Diagnostics using Jexus and got the following
System Time: 18/06/2020 14:40:58
Processor Architecture: AMD64
OS: Microsoft Windows NT 10.0.18363.0
Server Type: IIS Express
SERVER SSL PROTOCOLS
PCT 1.0:
PCT 1.0 is not secure. OS default is used. You might explicitly disable it via registry.
SSL 2.0:
SSL 2.0 is not secure. OS default is used. You might explicitly disable it via registry.
SSL 3.0:
SSL 3.0 is not secure. OS default is used. You might explicitly disable it via registry.
TLS 1.0:
TLS 1.0 is not secure. OS default is used. You might explicitly disable it via registry.
TLS 1.1:
TLS 1.1 is not secure. OS default is used. You might explicitly disable it via registry.
TLS 1.2:
SChannel EventLogging: 1 (hex)
To tune TLS related settings, please follow https://support.microsoft.com/en-us/kb/187498 or try out IIS Crypto from https://www.nartac.com/Products/IISCrypto/.
Microsoft documentation on cipher suites can be found at https://learn.microsoft.com/en-us/windows/desktop/secauthn/cipher-suites-in-schannel.
-----
[W3SVC/1]
ServerComment : WebSite1
ServerAutoStart: True
ServerState : Stopped
BINDING: http *:8080:localhost
For what it's worth I've also checked for the subkeys through Regedit, but couldn't find the subkeys inside HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\
I am completely at a loss what it could be
Edit: Tried it on another PC, on which it seems to work properly
According to the binding configuration from the report, there is no https binding in your project.
BINDING: http *:8080:localhost
Please ensure you checked the option of configuring HTTPS binding while creating the AspDotNET CoreAPI project.
This will add additional code snippets to Startup.cs file.
//Adding middlewares for redirecting HTTP request to HTTPS
app.UseHttpsRedirection();
And additional HTTPS binding configuration in launchSettings.json file.
Besides, most of the browsers start to support TLS1.2 only, please ensure that TLS1.2 is not disabled.
Feel free to let me know if the problem still exists.
I've got a windows forms app which is deployed through click once. The app was build with .net 4.7.2 and it uses the HttpClient API to access a couple of rest web services, which are hosted on an internal server. As you might expect, the services can only be accessed through HTTPS and the server is configured to suppport all TLS versions (btw, this is a 2016 windows server).
The intranet client app (ie, the windows forms app) is deployed across several internal sub-networks and everything is working well with the exception of a single PC (which belongs to a specific subnetwork - it's the only PC that is using this particular app). This PC will only be able to consume the services when the HttpClient is configured to use TLS 1.1.
Since we're using internal certificates (we have an internal certificate authority for our AD), I've already checked and the certificate with the public key of the entity is already present on the trusted certificate authorities container of the computer where the secure session can't be established through TLS 1.2.
The PC is running Windows 10 Pro (latest version), so it should support TLS 1.2. I've tried emulating the requests from Fiddler and the truth is that I'll only get the results when I configure it to use TLS 1.1.
Without setting the protocol to TLS 1.1, I can see that Fiddler says that the handshake hasn't been established and the service is never "executed".
Now, according to what I've read, I shouldn't have been getting any problems with the code. In fact, I shouldn't have to specify the TLS version (it looks like Windows 10 Pro has out of the box support for TLS 1.2 and that should be the default for WIndows 10. Since I'm using .NET 4.7.2, it should automatically use the system's default protocol), but the truth is that only using tls 1.1 (not tls 1.2!) allows for the secure channel to be established.
I've tried running the code in other machines and everything works out as expected (I can establish the secure channel with tls 1.1 or tls 1.2 or even let it use the system's default protocol).
Since I'm not really a network guy, can anyone point me in the right direction? Do you guys think this can be caused by a firewall? Any ideas?
I mean, it looks like the PC recognizes the certificate used in HTTPS session (if that wasn't the case, then I wouldn't be able to use TLS 1.1, right?), but it seems like there's something in the way that won't let me use TLS 1.2...
Thanks.
Luis
Check our official guidance for TLS: https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls
If it is one machine problem, I would recommend to create a simple HelloWorld app doing simple request, targeting the same .NET Framework (4.7.2) and then test that on the specific machine vs. other machines. That will tell you for sure if the problem is in your app or in machine/network settings.
I have a C++ Windows application, developed using Visual studio 2017 on windows 10 system. This application uses cpprestsdk to post request to REST Server. My application works perfectly fine on windows 10 machine with properly posting request over ssl to rest server. I did not create any local certificate to make my application work on windows 10.
However same application when ported on windows 7 (64 bit), is not able to POST request with SSL protocol to rest server.
Same request works without SSL, (http://HOST/API works)
but (https://host/api fails)
by giving following error.
winhttpsendrequest 12029 a connection with the server could not be established.
From same windows 7, PostMan can successfully post https request.
No clue of what could be wrong with the implementation.
Can any one share what could be the reason of failing the POST request on windows 7?
I'm a bit late with the answer but I hope that it might help others who face the same problem ...
I think that your server insists on using tls version higher than 1.0 which is a default on Windows 7. Unfortunately cpprestsdk cannot be configured to use a specific tls version. On Windows cpprestsdk uses WinHTTP which exposes two handles but only one of them can be used to configure tls (I do not remember handle names at the moment). Unfortunately the native handle that cpprestsdk has access to cannot be used to configure tls.
The only workaround is to configure Windows 7 (and indirectly WinHTTP) to use a specific tls version as default. Instructions on how to do that can be found here: https://support.microsoft.com/en-ca/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi.
CRM 2011 RU18 on prem. On the data SQL server, my DBAs want to enable
TLS1.2 or TLS 1.1 security protocol (TLS1.2 is preferable)…If TLS1.2 is enabled, TLS1.1/TLS1.0/ SSL3.0/ SSL2.0 will be disabled. If TLS1.1 is enabled, TLS1.0/ SSL3.0/ SSL2.0 will be disabled
Encrypted connections (to encrypt network traffic from app/ web servers to database server)
This is not my area of expertise. Can anyone advise if this is even possible with this app and if so point me in the right direction?
Microsoft started enforcing TLS 1.2 recently with Dynamics 365 v9. They also broadcasted a big warning that every connection tools must be upgraded. Meaning old binaries don't support it. I would stay with TLS 1.0.
The Microsoft tools and platforms though v8 have been based on .net
4.5.2, which defaults to TLS 1.0 for security. What this means is that CRM and Dynamics Tools shipped up through v8 will not seamlessly
connect to v9. When this shows up it always manifests as an auth
failure.
Here's some relevant documentation about the matter:
How to fix TLS 1.2 error with Dynamics 365:
https://www.crminnovation.com/blog/tls-transport-layer-security-wake-call/
Transport Layer Security (TLS) 1.2 Connectivity Requirements for Dynamics 365 (Online), V9:
https://community.dynamics.com/365/financeandoperations/b/arbelatechnologiesblog/archive/2018/02/25/transport-layer-security-tls-1-2-connectivity-requirements-for-dynamics-365-online-v9
This from Microsoft after opening a ticket
From the following we understand that the latest version of the .NET framework which CRM 2011 is compatible with is .NET 4.5.2. We also assume that your server infrastructure is running on Server 2012 or lower as CRM 2011 is not compatible with Server 2012 R2 or higher.
https://support.microsoft.com/en-za/help/3005163/compatibility-with-microsoft-dynamics-crm-2011
This brings us to conclude a couple things. Based on the following article. It certainly is possible to enable TLS 1.1 and 1.2 (this answers your 'How?' question).
https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in
Another consideration is the browser and OS compatibility of your clients for enabling these protocols. Below is a good reference for this:
https://www.applicationstation.com/home/CompatibilityGuidelines.pdf
We do know that this has never been fully tested for CRM 2011 as the protocol release was after our product release. With this in mind, the configuration is technically not supported, but it is entirely possible that they can be enabled without problem. We would, at a minimum, recommend full testing of any scenario enabling these protocol against a CRM 2011 environment before deploying it to production.
I am trying to do a testcase dealing with webservice REST in hosted Ape 5.0 Environment (apex.oracle.com).
There is a preinstalled Web Service in the Workspace "oracle.example.hr".
I have managed to call that Service from my Browsers URL.
But when i create a Web Service Reference to use that Service for an APEX Page, I receive the Errors:
ORA-29273: HTTP request failed
ORA-29024: Certificate validation failure
I am using the Oracle hosted Environment apex.oracle.com; thus I cannot apply ACLs etc.
Any suggestions?
Kind Regards,
Andreas Resch
Are you using https?
It seems that you are using a client that checks if the certificates are valid.
You can either solve the problem on the server (that is not configured with the correct certificate or configure the client to ignore this problem).