Check if Windows Server 2008R2 can use TLS 1.2

as SalesForce drops TLS 1.0 next week, we are forced to use TLS 1.1 or 1.2 in our API calls, which we use to extract data for our DWH from Windows Server 2008R2 using SSIS custom CozyRoc components. We installed the patches and made sure that the registry has required entries as it is stated in this article. We added no keys to SCHANNEL though, now the only protocol listed there is SSL 2.0.

Next, after rebooting of course, I recorded a trace with Wireshark to find out that our CozyRoc components in SSIS packages use TLS 1.0, as in Server Hello message we are getting TLS 1.0 in the handshake protocol section. The CozyRoc components which construct the call support TLS 1.2.

My question is: how can I test if our server can use TLS 1.2 to communicate with SalesForce? I know that disabling TLS 1.0 can possibly mess up other connections, so I do not want to do that. Ideally, I would like to know that my SSIS packages use TLS 1.2.

UPDATE: I tried to connect to our test Salesforce site, at which TLS 1.0 is disabled. Now when trying to connect I receive an error saying

"UNSUPPORTED_CLIENT: TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https. (System.Web.Services)"|

I still do not know if the one to blame is my server setup or the CozyRoc component, so I am now looking for any way to ensure that TLS 1.2 works on the server, independently of the SSIS setup. Any ideas?


Solution 1:

Please keep noted that TLS 1.2 is disabled per default in Windows 2008 (see here). So you need to enable it per registry change (see below), you also need to understand that there is a client config and a server config. So if you for example enable TLS 1.2 on a client level but not on a server level an nMAP against port 443 will not show that TLS 1.2 is enabled as its only enabled for a client.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

What you need here hardly depends on your application and how it interacts with a remote service. So for example if the 3rd party application will use a https session towards your environment then this would be a server side configuration. However if you have a 3rd party plugin running as a service which perform connections against the 3rd party server then this is a client configuration.

Additionally there is a hotfix which allows applications and services that are written by using WinHTTP for Secure Sockets Layer (SSL) connections to use TLS 1.1 or TLS 1.2 protocols which you should install (it not already done as this is a older fix; see here).

Additionally if the 3rd party component didn´t make use from the Microsoft SCHANNEL implementation any changes on the registry side will not work. Because it could be that the 3rd party component are using another SSL implementation like OpenSSL. In that case you need to get in contact with the vendor to check how you can enable TLS 1.2 here. This for example is also true when using Java components (e.g. TomCat). Then adjusting the Microsoft SCHANNEL implementation will not affect them.

SalesForce itself has a very good documentation from the above in much more details then I could give here. So you should check that out as well (see here). Additional they offer multiple "how to test" way to test the TLS configuration which you can then perform.

Solution 2:

The answer to my question is awfully simple, it is enough to visit https://www.howsmyssl.com/. Also, Wireshark trace indicates that my server uses TLS 1.2 to exchange handshakes with the Salesforce site while testing the connection.

Bottleneck in my case is the Cozyroc SSIS+ version - currently it is 1.6.103 and you need at least 1.6.104 to use TLS 1.1 or higher, so make sure to check that.