WebDeploy 3.6 won't connect with TLS 1.0 disabled

Recently I had my servers audited for PCI compliance.

As part of this I was picked up for not having TLS 1.0 disabled as per:

http://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1_Summary_of_Changes.pdf

When I disable TLS 1.0 using IISCrypto, Web Deploy breaks.

Has anyone found a WebDeploy 3.6 fix for using WebDeploy without TLS 1.0?


Solution 1:

We added registry keys to force the .NET app pool over to TLS 1.2. This was to allow an app to talk to Salesforce after SF issued a critical update disabling TLS 1.0. The registry keys apply to the whole server as opposed to a single site, unfortunately. The build broke for the reason you indicate above. This worked for us:

Getting WebDeploy working after disabling insecure Ciphers like SSL 3.0 and TLS 1.0

Excerpt:

```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
```
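As an added example (not part of the answer above), the following PowerShell script audits both the 64-bit and WOW6432Node .NET Framework v4 hives for the `SchUseStrongCrypto` value that the answer relies on, writes it with `-Apply`, and reports the Schannel server-side TLS 1.0 switch so you can confirm the two settings agree. The Schannel path and the `-Apply` switch are my additions; the script assumes it is run elevated on the server.

```powershell
# Added example, not from the original answer. Audits (and with -Apply, sets)
# SchUseStrongCrypto=1 in both .NET v4 hives so .NET clients such as Web Deploy
# negotiate TLS 1.2 once TLS 1.0 is disabled in Schannel. Run elevated.
param([switch]$Apply)

$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

foreach ($key in $netKeys) {
    $current = (Get-ItemProperty -Path $key -Name SchUseStrongCrypto `
                -ErrorAction SilentlyContinue).SchUseStrongCrypto
    if ($current -eq 1) {
        Write-Host "OK      $key SchUseStrongCrypto=1"
    }
    elseif ($Apply) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name SchUseStrongCrypto -PropertyType DWord `
            -Value 1 -Force | Out-Null
        Write-Host "SET     $key SchUseStrongCrypto=1"
    }
    else {
        Write-Host "MISSING $key SchUseStrongCrypto (current: '$current'); rerun with -Apply"
    }
}

# Schannel server-side TLS 1.0 switch (the value tools like IISCrypto toggle).
# Enabled=0 means disabled; a missing value means the OS default applies.
$tls10 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'
$enabled = (Get-ItemProperty -Path $tls10 -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($null -eq $enabled) {
    Write-Host 'TLS 1.0 server: no override set (OS default applies)'
}
elseif ($enabled -eq 0) {
    Write-Host 'TLS 1.0 server: disabled (Enabled=0)'
}
else {
    Write-Host "TLS 1.0 server: Enabled=$enabled"
}

# SchUseStrongCrypto is read at process start: restart the Web Deployment Agent
# service and affected app pools (or reboot) after setting it.
```

Run it once without `-Apply` to see the current state, then with `-Apply` to write both hives; the Schannel report only reads, it never changes the protocol setting.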