MS Server 2012 TLS Connection Issue

windows ssl windows-server-2012

We use a well known payment system and access from our RDS server (MS Server 2012) has totally stopped today.

I can't help but think it is related to cihpers and/or TLS/SSL version.

The application throws (which looks like a generic Win error) of..

HttpSendRequestFailed with error 12029.

Then If I drive into the event logs I can find multiple logs showing this..

A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

However, strangely I can connect to this payment provider perfectly on my Server 2008 R2 machine, Win 7 Client machines and Win 10 machines.

I have found a few hotfixes here

https://support.microsoft.com/en-gb/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

But i haven't had much joy, any help is much appreciated.


Turns out it was 'use TLS 1.1' and 'Use TLS 1.2' that I needed. I wasn't using a browser, but I assume that the application uses these settings for the web request and that as mentioned in the other answers TLS 1.0 is switched off as part of PCI-DSS 3.1

See Internet Explorer > Internet Options > Advanced > Settings

Internet Explorer Options


Error code 70 is a protocol_version error. Put simply, the protocol version the client attempted to use is recognized but not supported.

https://www.rfc-editor.org/rfc/rfc5246#appendix-A.3

This may not be the best answer but I would try using the IISCrypto on the 7, 10, and 2008 to see which protocols, ciphers, hashes, and key exchanges are in use and compare them to what is in use on the 2012.

Make note that there are settings to enable protocols/ciphers for client and server sides. So you can enable the protocols/ciphers for the 2012 on the server side but overlook setting the protocols/ciphers on the 2012 as a client. This is where ISSCrypto comes in handy as it gives you a graphical view into your protocol/cipher settings for both server and client sides.

Since you mentioned a payment system, I suspect that PCI-DSS compliance is involved and in the PCI-DSS 3.1 requirement you can no longer make use of the TLS 1.0 protocol. It may be possible that the TLS 1.1 and TLS 1.2 on your 2012 were enabled on the server side but not on the client side (and your 2012 is acting as a client in this regard). The error code 70 would fit this scenario.

Related

Should I use CloudFront in front of API/Web just because I want them on a single domain?
Building/Maintaining a Custom FreeNAS- and ZFS-based NAS
Start keepalived without IP on interface?
KVM/libvirt: how to migrate between 2 hosts with different CPUs
RDP from linux to windows
Get PowerShell command output as a variable in bat (cmd) script
DNS CNAME Resolution - which IP would be returned?
AWS SQS behavior with multiple Lambda Triggers set
OpenLDAP cn=config: No such object (32)?
What does INVALIDARGUMENT mean?
Can I use nested DNS wildcard records
how to monitor windows vpn connectivity?