I have a Windows Server 2008 R2 that serves services on IIS7. I enabled TLS 1.2 as you see below
But unfortunately, on of my client is said that they got SSL connection error using TLS 1.2. When I tried to check using OpenSSL, really there is a problem with TLS 1.2.
So, could you please help me, how can I fix this issue?
From Technet
For TLS 1.2 to be enabled and negotiated on servers that run Windows
Server 2008 R2, you MUST create the "DisabledByDefault" entry in the
appropriate subkey (Client, Server) and set it to "0". The entry will
not be seen in the registry and it is set to "1" by default.
Related
I have a problem of SQL connection between two servers. One of the servers where the site code is stored is a Windows Server 2008 and my database is on a Windows Server 2003.
Here is a part of my code :
Set Conn = Server.CreateObject("ADODB.Connection")
ConnStr = "Provider=SQLOLEDB; Data Source=10.0.0.17; Initial Catalog=******;UID=*******;Pwd=********%"
Conn.open ConnStr
Microsoft OLE DB Provider for SQL Server erreur '80004005'
[DBNETLIB][ConnectionOpen (SECDoClientHandshake()).] SSL security error.
So I saw on the internet people talking about enabling TLS 1.0 on my server and that's what I did on both.
Here is what I have in both my client and server registers
But even after that I still have the same mistake.
Could someone please help me
Someone turned off TLS 1.0 support on your database server - thinking that it would improve security.
The October 2021 update of Windows 10 finally updated the SQLOLEDB driver to support TLS 1.2.
Otherwise you'll have to switch the currently supported MSOLEDBSQL driver. It's the only officially supported SQL Server OLEDB since SQL Server 2012, and it supports TLS 1.2.
I've got a windows forms app which is deployed through click once. The app was build with .net 4.7.2 and it uses the HttpClient API to access a couple of rest web services, which are hosted on an internal server. As you might expect, the services can only be accessed through HTTPS and the server is configured to suppport all TLS versions (btw, this is a 2016 windows server).
The intranet client app (ie, the windows forms app) is deployed across several internal sub-networks and everything is working well with the exception of a single PC (which belongs to a specific subnetwork - it's the only PC that is using this particular app). This PC will only be able to consume the services when the HttpClient is configured to use TLS 1.1.
Since we're using internal certificates (we have an internal certificate authority for our AD), I've already checked and the certificate with the public key of the entity is already present on the trusted certificate authorities container of the computer where the secure session can't be established through TLS 1.2.
The PC is running Windows 10 Pro (latest version), so it should support TLS 1.2. I've tried emulating the requests from Fiddler and the truth is that I'll only get the results when I configure it to use TLS 1.1.
Without setting the protocol to TLS 1.1, I can see that Fiddler says that the handshake hasn't been established and the service is never "executed".
Now, according to what I've read, I shouldn't have been getting any problems with the code. In fact, I shouldn't have to specify the TLS version (it looks like Windows 10 Pro has out of the box support for TLS 1.2 and that should be the default for WIndows 10. Since I'm using .NET 4.7.2, it should automatically use the system's default protocol), but the truth is that only using tls 1.1 (not tls 1.2!) allows for the secure channel to be established.
I've tried running the code in other machines and everything works out as expected (I can establish the secure channel with tls 1.1 or tls 1.2 or even let it use the system's default protocol).
Since I'm not really a network guy, can anyone point me in the right direction? Do you guys think this can be caused by a firewall? Any ideas?
I mean, it looks like the PC recognizes the certificate used in HTTPS session (if that wasn't the case, then I wouldn't be able to use TLS 1.1, right?), but it seems like there's something in the way that won't let me use TLS 1.2...
Thanks.
Luis
Check our official guidance for TLS: https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls
If it is one machine problem, I would recommend to create a simple HelloWorld app doing simple request, targeting the same .NET Framework (4.7.2) and then test that on the specific machine vs. other machines. That will tell you for sure if the problem is in your app or in machine/network settings.
The scenario is as follow:
Connection from Windows Server 2003 to SQL Server 2005 works smoothly. Now a new Windows 2012 server which hosts the same .net web application unable to connect to the same SQL Server database, it fails with the following error:
A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider,error: 0 - An existing connection was forcibly closed by the remote host.)]
As it is working fine from Windows 2003, I guess the issue could be one of these:
Backward compatibility issue, as the new box is Windows 2012 instead of Windows 2003.
Network connectivity issue. However I can confirm the network path is fine as I can telnet port 1433 from the web server to the database server and also part of the error message is
A connection was successfully established with the server
Any help would be appreciated.
You need to install this hotfix for Windows Server 2003. It adds TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA and TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA cipher suites to Windows Server 2003.
Without these 2 cipher suites added to Windows Server 2003, anything from Windows Server 2008 R2 and above, will not be able to create an SSL connection to Windows Server 2003. This includes SQL Server connections, and any other connections that rely on SSL.
Why? Because Windows Server 2008 R2 and above, have no ciphers that match with what Windows Server 2003 has (the old ciphers have all been removed from new OS's for security reasons); therefore Windows Server 2003 drops the connection because there's no matching cipher available.
Microsoft Hotfix for Windows Server 2003: https://support.microsoft.com/en-us/help/948963
You need to check your SSL and TLS settings(the server only allows 1.2 and your client only supports 1.0.)
Check the following kb page for more inforamtion
TLS 1.2 support for Microsoft SQL Server
I had a very similar error message:
Microsoft ODBC Driver {Version number here} for SQL Server : SSL Provider: An existing
connection was forcibly closed by the remote host.
I found this guide and this post to be very helpful on this issue. One suggestion was to "upgrade your ODBC driver", tried that and it didn't work, most of the other discussion is around "Checking you SSL settings" in some shape or form.
What I did to resolve my issue was enable TLS 1.0, 1.1 and 1.2 on my SQL Server (in my case 2019) and then on my client systems enable ONLY TLS 1.0 and 1.1 (explicitly disabling TLS 1.2) using the toolset linked here. This seems to have resolved my issue.
I have set up a WSUS role on a windows server 2012 R2 and it works trouble-free over http. I would like now to secure the communication with SSL over https. I generated with openssl a .pfx certificate from our company’s wildcard certificate, installed it on the server and configured IIS to use it for encryption.
Problem:
When I try to connect the WSUS console to WSUS service, I get the follow error:
I followed this Microsoft documentation to install WSUS over SSL.
How can I resolve this issue?
I have a problem with a Windows 2003 server. The server is fully service packed and has all the latest windows updates.
Our server cannot connect to a certain SSL web site.
I have checked the SSL certificate of the remote third party website and it all validates successfully.
I have even checked on another Windows 2003 server and that connects and validates the certificate correctly.
The server that is failing to connect is reporting the following when trying to connect:
The remote server (url) presented a certificate that did not validate, due to RemoteCertificateChainErrors. The signature of the certificate can not be verified.
It gets a handshake but then fails to validate the certificate.
Does anyone have any ideas on what is causing this problem ?
I've cleared the CRL cache and rebooted the server accordingly but the problem still persists.
I've installed Firefox on the server and that does not have any problems connecting to the SSL url and validates the certificate correctly.
It's just the Windows OS and IE8 that have the issue and are unable to connect.
Thanks,
Chris
Is the certificate using a SHA1 or SHA2 hash algorithm? Because Windows 2003 Server does not support SHA2 unless you run the hotfix from Microsoft.