Wednesday, May 23, 2018

Disabling TLS 1.0 breaks ASP.NET application


Running on Windows Server 2012R2

I am trying to disable TLS 1.0 on IIS because client has a site scanner which highlights that as a security problem.

I have a clean test server set up and App is running fine until I disable TLS 1.0.

I updated all the appropriate settings:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

In the event viewer, I get:

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105.

If I revert the registry settings just for TLS 1.0 (Enabled, not DisabledByDefault), everything is fine again.

Using in system.web:

<httpRuntime targetFramework="4.7.2" />

What am I missing?
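An added example, not code from the question or its answers: it parses a .reg export like the one above and reports which Schannel protocols are still offered on the client and server side, plus whether SchUseStrongCrypto is set, so the effect of a hardening change can be reviewed before it goes live. The excerpt embedded below is a shortened copy of the question's export, and the function names are my own.

```python
import re

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

# Excerpt of the .reg export posted in the question, one value per line as a real export looks
# (TLS 1.1, v2.0 and Wow6432Node entries omitted for brevity).
REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
"""

def parse_reg(text):
    """Map each [key] in a .reg export to its dword values: {key_path: {name: int}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys

def usable_by_default(keys, protocol, side):
    """Schannel offers a protocol only when Enabled is non-zero (ffffffff and 1 both count)
    AND DisabledByDefault is 0; a missing key means the OS default, reported as None."""
    vals = keys.get(f"{SCHANNEL}\\{protocol}\\{side}")
    if vals is None:
        return None
    return vals.get("Enabled", 1) != 0 and vals.get("DisabledByDefault", 0) == 0

def audit(text):
    """Findings a TLS-hardening review cares about, as plain data."""
    keys = parse_reg(text)
    strong = {k: v.get("SchUseStrongCrypto") == 1
              for k, v in keys.items() if "\\.NETFramework\\" in k}
    protos = {p: {s: usable_by_default(keys, p, s) for s in ("Client", "Server")}
              for p in ("TLS 1.0", "TLS 1.1", "TLS 1.2")}
    # Turning off the Client side of TLS 1.0 also hits connections the app itself opens
    # (database, web services), which is the situation answer 3 describes.
    return {"strong_crypto": strong, "protocols": protos,
            "outbound_needs_tls11_plus": protos["TLS 1.0"]["Client"] is False}
```

On a live server the same text comes from `reg export` of the two hives, so the script can be run against a real export without touching the registry from Python.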

3 Answers

Answers 1

The application itself must be updated to support TLS 1.2 handshakes, so it's not something you can necessarily change if you only have access to configuration. If the underlying code does not support it, it will not work.

If the code targets .NET 4.6, I believe, TLS 1.2 will work natively. In 4.5, a line of code must be put in place such that it is executed before any networking occurs. The code:

System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;

Answers 2

Have you tried to enable schannel logging to get more info?

https://support.microsoft.com/en-us/help/260729/how-to-enable-schannel-event-logging-in-iis

Hope that will reveal the missing piece.

Answers 3

Your site could be communicating with something over SSL that doesn't support TLS 1.1+.
