IT Management Suite

  • 1.  Microsoft update download failed - The request was aborted: Could not create SSL/TLS secure channel

    Posted Jan 02, 2025 12:39 AM
    OS on NS: WS2012 R2
    Version: 8.6 RU3
     
    I came across this post and tried the method suggested.
    https://community.broadcom.com/symantecenterprise/question/patch-management-downloads-enabled-tls-12-but-downloads-fail
    I managed to download the Zoom package successfully. However, I still could not download Microsoft packages.
    This is a sample of the error.
     
    The request was aborted: Could not create SSL/TLS secure channel.
       [System.Net.WebException @ Altiris.PatchManagementCore]
       at Altiris.PatchManagementCore.Utilities.File.HandleDownloadRetry(Uri uri, DownloadContext downloadContext, Exception retryableDownloadException, TimeSpan pauseTimeSpan)
       at Altiris.PatchManagementCore.Utilities.File.DownloadToStreamWithRetries(Uri uri, DownloadContext downloadContext)
       at Altiris.PatchManagementCore.Utilities.File.Download(String fromUrl, String toDirectory, String toFileName, Boolean forceDownload, DownloadParameters miscDownloadParams)
     
    The request was aborted: Could not create SSL/TLS secure channel.
       [System.Net.WebException @ Altiris.PatchManagementCore]
       at Altiris.PatchManagementCore.Utilities.File.HandleDownloadRetry(Uri uri, DownloadContext downloadContext, Exception retryableDownloadException, TimeSpan pauseTimeSpan)
       at Altiris.PatchManagementCore.Utilities.File.DownloadToStreamWithRetries(Uri uri, DownloadContext downloadContext)
       at Altiris.PatchManagementCore.Utilities.File.Download(String fromUrl, String toDirectory, String toFileName, Boolean forceDownload, DownloadParameters miscDownloadParams)
    I tried every possible suggestion online, such as installing the Microsoft KB and adding the regkey; so far none worked.
    Help please. Thank you.
     
    Regards,
    Ain


  • 2.  RE: Microsoft update download failed - The request was aborted: Could not create SSL/TLS secure channel

    Broadcom Employee
    Posted Jan 02, 2025 08:04 PM

    Good morning Ain!

    1. Here is a discussion about a similar problem; a potential solution is to enable the required cipher suites on your Windows 2012 R2 Server:
    https://community.broadcom.com/symantecenterprise/question/patch-management-downloads-enabled-tls-12-but-downloads-fail#cd713b8b-407f-48e0-a118-018805fb9808  but it seems the 100% solution is to upgrade Windows 2012 R2 Server to a later Windows Server OS release (this is how the customer resolved this problem).

    2. KB article - How to manually distribute affected packages that can't be downloaded
    https://knowledge.broadcom.com/external/article/207230/unable-to-download-wireshark-patches.html 

    Best regards,
    IP.




  • 3.  RE: Microsoft update download failed - The request was aborted: Could not create SSL/TLS secure channel

    Posted Jan 03, 2025 09:38 AM
    I am seeing the same thing on our Windows 2012 R2 SMP.  I have found that Microsoft patches which are downloaded from "https://catalog.sf.dl.delivery.mp.microsoft.com/..." fail, whereas Microsoft patches that download from "https://catalog.s.download.windowsupdate.com/..." are successful.
     
    I have also found that if I paste the URL of a download that failed into Chrome, the browser will download the patch.  For example, this URL failed to download in Patch Management but I can manually download the patch if I paste the URL into Chrome:
     
    https://catalog.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/d2584a30-89ea-4236-af04-2585566deaa6/public/windows11.0-kb5048685-x64_f1967f623976c41d20deab623317c4855e9d111a.msu
     
    However, the patch will not download using Internet Explorer.  I'm guessing the issue has something to do with TLS 1.3, but I don't know that for sure.
    We are using Altiris 8.6 RU3 which is supported on Windows Server 2012 R2 so I'm hoping to see a fix from Broadcom.



  • 4.  RE: Microsoft update download failed - The request was aborted: Could not create SSL/TLS secure channel

    Posted 25 days ago
    Edited by deemacgee 25 days ago

    Hi all,

    We configured the cipher suites on our 2012 R2 box to get past this exact problem late last year. We thought it successful at the time but now it appears we're having the same trouble again this month. Suggestions to "upgrade the OS" or "download everything manually" aren't helpful. When will a fix be released?



    ------------------------------
    Tech Monkey/IT Primate
    ------------------------------



  • 5.  RE: Microsoft update download failed - The request was aborted: Could not create SSL/TLS secure channel

    Posted 24 days ago
    I ran a packet capture on our test SMP server running on Windows Server 2016.  This server is able to download patches into Patch Management.  The packet capture showed that TLS 1.2 was used during the patch download and the cipher suite was TLS_AES_256_GCM_SHA384.
     
    I ran IISCrypto on the Windows 2012 R2 server and found that TLS_AES_256_GCM_SHA384 is not an available cipher suite.  I am not sure if or how the TLS_AES_256_GCM_SHA384 cipher suite can be added to Windows Server 2012 R2.  So the download issue is not because the server hosting the patches requires TLS 1.3.
     
    It is interesting to note that the patch can be downloaded using Chrome on the Windows 2012 R2 server.



  • 6.  RE: Microsoft update download failed - The request was aborted: Could not create SSL/TLS secure channel

    Broadcom Employee
    Posted 24 days ago

    Hello David,

    Good to bump into you again and I hope you're doing well.

    I was curious why Server 2012 R2 is having such issues as reported by yourself and also deemacgee.  And so I did a little more digging around the web.  I'm sure Altiris Services use .NET calls to download patches and it appears that .NET can only 'use' ciphers that the OS supports.  It seems that Server 2012 R2 does not support these newer ciphers that are required by some Websites for downloading patches.  

    Meanwhile, Chrome (and most likely other browsers) does support these newer ciphers, as it does not use OS calls for ciphers but has its own ciphers built into the software.  So using Chrome to download the same files will always be successful.

    These are the cipher suites supported by Chrome, regardless of the OS.
    https://support.google.com/chrome/thread/181869811/which-tls-cipher-suites-does-chrome-support?hl=en

    Comments in this thread below on page 2, pointed me to the .NET reliance on the OS installed ciphers:
    https://learn.microsoft.com/en-us/answers/questions/227738/windows-server-2012-r2-tls-1-2-cipher-suites?page=2#answers

    You can scroll through page 1 if you'd like.  Seems everyone in this thread is wanting the same thing - Windows 2012 R2 to support the newer cipher suites.

    Because of this limitation that Microsoft has left in Server 2012 R2, we won't be able to change Patch Management to allow these ciphers to be used.  I do apologize that this isn't the best news.  If it's not possible to upgrade the OS, there is option #2 that Igor mentioned above, which uses Wireshark patches as an example.  Create the folder structure in Patch Management and then download the .exe and put it in the proper folder and Patch Management should roll out that patch just fine.

    Again, my apologies for the not so good news, but hopefully this brings understanding to the underlying issue at hand and the limitation this places on Patch Management when using Server 2012 R2.

    All the best,

    Roy Brooksby




  • 7.  RE: Microsoft update download failed - The request was aborted: Could not create SSL/TLS secure channel

    Posted 22 days ago
    Edited by deemacgee 21 days ago

    Hi Roy,

    Thanks for the detailed reply - unfortunately, this is not consistent with the behaviour we've observed. Up until late last year, we had absolutely no problems acquiring patches from our Server 2012 R2 SMP. When we did encounter issues last month, enabling and reordering ciphers (apparently) fixed the issue.

    If now the determination is that this could not possibly have worked given the limitations of the OS itself, I can only assume something else has changed upstream - perhaps with Microsoft itself - and that our changes were coincidental.

    I'll also point out that not all patches fail to download. MS Office updates appear to be OK whereas Windows 10/11 updates are not. Download failures listed in the SMP log are the same as those in the original post.

    We'll continue to monitor/work around for the moment.

    EDIT: Manually downloading patches works with both Chrome (as confirmed above) AND Internet Explorer 11 on our WS 2012 R2 server.

    EDIT 2: Could I ask that Broadcom update the following documentation to address MS patches specifically? The Wireshark example significantly deviates from MS patch downloads.

    https://knowledge.broadcom.com/external/article/207230/unable-to-download-wireshark-patches.html



    ------------------------------
    Tech Monkey/IT Primate
    ------------------------------



  • 8.  RE: Microsoft update download failed - The request was aborted: Could not create SSL/TLS secure channel

    Broadcom Employee
    Posted 18 days ago

    Hello Deemacgee,

    In order for an HTTPS communication to be successful, both sides need to negotiate a Cipher to use.  If one side supports different Ciphers than the other, and there is no common Cipher, then the HTTPS communication will fail.  The negotiation will fail.  This is what's happening between 2012 R2 and certain Websites.  As David found from Wireshark, there is no common protocol.  The Cipher needed for the Website (TLS_AES_256_GCM_SHA384) is not supported by the 2012 R2 Operating System.  As I stated above, we make .NET calls to the OS to make a download, and we leave the negotiation in the hands of the OS and the website to negotiate a common protocol.  Vendors, in this case Microsoft, are constantly changing the URL where patches are downloaded from.  With each URL / Website change is the opportunity for them to drop support for older Cipher suites from their Website.

    You mention that Chrome works, and I agree it will work as will many other browsers.   As I stated previously, the reason that Chrome works is that it uses its own Ciphers and NOT the Operating System supported Ciphers.  Software has the option of using its own ciphers, or using the OS.  And many software packages will include their own Ciphers, however this does not change how .NET calls are used to pick a cipher for the Operating System.  So .NET can't use the Ciphers that are installed with Chrome.  In order for Patch Management to work in this situation we would have to change our program to include all of the relevant Ciphers used, like Chrome is doing.  This is not something we're prepared to do at this time as the issue at hand is only affecting 2012 R2 systems.  Rather than spend time 'fixing' an older OS, we would rather help you upgrade to a newer OS that supports the latest version of ITMS.  If you'd like that assistance, please log a case with Support.  We'd be happy to review Upgrade plans and guide you through the upgrade process.

    Another possibility is to set up a newer ITMS server and have the newer server download / stage the Patch Packages.  Then 2012 R2 can download Patches from the newer server.  This is similar to configuring Patch Management without Internet connection (KB 180645).  This would allow you to get all of the patches onto 2012 R2 with minimal changes.

    Lastly, the Wireshark KB is an example that can be used with any Software Update.  (I've updated this KB for clarification.)  The Wireshark KB walks us through downloading the file into the correct path on the Desktop (or other location on the SMP), and then Importing that file structure and file into our current SMP.  This is similar to the KB above with using Patch Management without Internet connection (KB 180645).  But in this case we're recreating the folder structure manually (on the desktop) instead of Staging the updates on another SMP and then importing from that staging SMP.  If you have questions about this KB, please open a support case and we'd be happy to help you out.

    Sincerely,
    Roy
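
The negotiation described in this thread can be reproduced outside Patch Management. The following is an added example, not code from the thread or from Broadcom: it lists the cipher suite order Schannel is configured with and attempts a TLS 1.2 handshake through .NET's `SslStream` against the two download hosts named in post 3. The function names are illustrative, and it assumes PowerShell 4 or later and direct outbound TCP 443 without a proxy.

```powershell
# Added example. Function names are illustrative, not part of any product.
function Get-SchannelSuiteOrder {
    # A Group Policy order takes precedence; otherwise the local OS list applies.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
    foreach ($key in $policy, $local) {
        $value = (Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue).Functions
        # The policy value is comma separated; the local value is a multi-string.
        if ($value) { return @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }) }
    }
    return @()
}

function Test-SchannelHandshake {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol = 'Tls12'
    )
    $result = [ordered]@{ Host = $HostName; Success = $false; Protocol = $null
                          Cipher = $null; KeyExchange = $null; Error = $null }
    $ssl = $null
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        # SslStream negotiates through Schannel, so only OS-enabled suites are offered.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $result.Success     = $true
        $result.Protocol    = $ssl.SslProtocol
        $result.Cipher      = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
        $result.KeyExchange = $ssl.KeyExchangeAlgorithm  # may print as a raw number for ECDHE
    } catch {
        # Unwrap PowerShell's MethodInvocationException to the underlying TLS error.
        $result.Error = $_.Exception.GetBaseException().Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
    [pscustomobject]$result
}

"Schannel suites configured: $((Get-SchannelSuiteOrder).Count)"
'catalog.sf.dl.delivery.mp.microsoft.com', 'catalog.s.download.windowsupdate.com' |
    ForEach-Object { Test-SchannelHandshake -HostName $_ } | Format-List
```

A host that returns `Success : False` here while a browser with its own TLS stack can reach it points to the OS cipher suite list rather than to Patch Management itself.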