MS Server 2012 TLS Connection Issue

We use a well known payment system and access from our RDS server (MS Server 2012) has totally stopped today.

I can't help but think it is related to ciphers and/or TLS/SSL version.

The application throws what looks like a generic Win error:

HttpSendRequestFailed with error 12029.

Then if I dive into the event logs I can find multiple logs showing this:

A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

However, strangely I can connect to this payment provider perfectly on my Server 2008 R2 machine, Win 7 Client machines and Win 10 machines.

I have found a few hotfixes here

https://support.microsoft.com/en-gb/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

But I haven't had much joy; any help is much appreciated.


Turns out it was 'Use TLS 1.1' and 'Use TLS 1.2' that I needed. I wasn't using a browser, but I assume that the application uses these settings for the web request and that, as mentioned in the other answers, TLS 1.0 is switched off as part of PCI-DSS 3.1.

See Internet Explorer > Internet Options > Advanced > Settings

[Screenshot: Internet Explorer Options]


Error code 70 is a protocol_version error. Put simply, the protocol version the client attempted to use is recognized but not supported.

https://www.rfc-editor.org/rfc/rfc5246#appendix-A.3

This may not be the best answer, but I would try using IIS Crypto on the 7, 10, and 2008 to see which protocols, ciphers, hashes, and key exchanges are in use and compare them to what is in use on the 2012.

Make note that there are settings to enable protocols/ciphers for client and server sides. So you can enable the protocols/ciphers for the 2012 on the server side but overlook setting the protocols/ciphers on the 2012 as a client. This is where IIS Crypto comes in handy, as it gives you a graphical view into your protocol/cipher settings for both server and client sides.

Since you mentioned a payment system, I suspect that PCI-DSS compliance is involved and in the PCI-DSS 3.1 requirement you can no longer make use of the TLS 1.0 protocol. It may be possible that the TLS 1.1 and TLS 1.2 on your 2012 were enabled on the server side but not on the client side (and your 2012 is acting as a client in this regard). The error code 70 would fit this scenario.
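The two places the answers above point at can be audited without a GUI tool. The script below is an added example, not code from the original thread or from IIS Crypto: it reads the SChannel per-protocol Client and Server keys (the client/server distinction the second answer describes) and decodes the WinINet SecureProtocols bitmask that the Internet Explorer 'Use TLS 1.x' checkboxes write (the setting the accepted answer changed). The registry paths and bit values are Microsoft's documented ones; the function names are my own.

```powershell
# Added example (not from the original thread): audit client-side and server-side
# SChannel protocol settings and the WinINet "Use TLS 1.x" setting on a Windows host.
# Read-only. Run in an elevated PowerShell prompt on the Server 2012 box, then on a
# host that still works, and compare the two tables.

$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    # One row per protocol and side. SChannel semantics: Enabled=0 turns the protocol
    # off; DisabledByDefault=1 keeps it off unless the application asks for it
    # explicitly; no key at all means the OS default applies.
    foreach ($proto in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path (Join-Path $SchannelBase $proto) $side
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            $state = if ($enabled -eq 0 -and $null -ne $enabled) { 'Disabled' }
                     elseif ($disabledByDefault -eq 1)            { 'DisabledByDefault' }
                     elseif ($null -eq $enabled -and $null -eq $disabledByDefault) { 'OS default' }
                     else                                         { 'Enabled' }
            [pscustomobject]@{ Protocol = $proto; Side = $side; State = $state }
        }
    }
}

# WinINet (used by HttpSendRequest and by the IE "Use TLS 1.x" checkboxes) stores the
# allowed protocols as a per-user bitmask named SecureProtocols.
$WinInetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$SecureProtocolBits = [ordered]@{
    'SSL 2.0' = 0x008
    'SSL 3.0' = 0x020
    'TLS 1.0' = 0x080
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

function Get-WinInetSecureProtocols {
    # Decodes SecureProtocols for the current user; an absent value means WinINet's
    # built-in default for this OS/IE version applies.
    $value = (Get-ItemProperty -Path $WinInetKey -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $value) {
        return [pscustomobject]@{ Protocol = '(not set)'; Enabled = 'WinINet default applies' }
    }
    foreach ($name in $SecureProtocolBits.Keys) {
        [pscustomobject]@{
            Protocol = $name
            Enabled  = (($value -band $SecureProtocolBits[$name]) -ne 0)
        }
    }
}

Write-Host 'SChannel protocol state (Client = this host as a TLS client):'
Get-SchannelProtocolState | Format-Table -AutoSize

Write-Host 'WinINet SecureProtocols for the current user:'
Get-WinInetSecureProtocols | Format-Table -AutoSize
```

Two things to check in the output for the scenario in this thread: the TLS 1.1/TLS 1.2 rows on the Client side, not only the Server side, and the WinINet rows for the user the application actually runs as. SecureProtocols lives under HKCU, so a checkbox changed in one user's Internet Options does nothing for an application running under a service or scheduled-task account; that account's hive (or a machine-wide policy) has to carry the same change.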