In order for an HTTPS communication to be successful, both sides need to negotiate a Cipher to use. If one side supports different Ciphers than the other, and there is no common Cipher, then the HTTPS communication will fail. The negotiation will fail. This is what's happening between 2012 R2 and certain Websites. As David found from Wireshark, there is no common protocol. The Cipher needed for the Website (TLS_AES_256_GCM_SHA384) is not supported by the 2012 R2 Operating System. As I stated above, we make .NET calls to the OS to make a download, and we leave the negotiation in the hands of the OS and the website to negotiate a common protocol. Vendors, in this case Microsoft, are constantly changing the URL where patches are downloaded from. With each URL / Website change comes the opportunity for them to drop support for older Cipher suites from their Website.
Original Message:
Sent: Jan 19, 2025 03:17 PM
From: deemacgee
Subject: Microsoft update download failed - The request was aborted: Could not create SSL/TLS secure channel
Hi Roy,
Thanks for the detailed reply - unfortunately, this is not consistent with the behaviour we've observed. Up until late last year, we had absolutely no problems acquiring patches from our Server 2012 R2 SMP. When we did encounter issues last month, enabling and reordering ciphers (apparently) fixed the issue.
If now the determination is that this could not possibly have worked given the limitations of the OS itself, I can only assume something else has changed upstream - perhaps with Microsoft itself - and that our changes were coincidental.
I'll also point out that not all patches fail to download. MS Office updates appear to be OK whereas Windows 10/11 updates are not. Download failures listed in the SMP log are the same as those in the original post.
We'll continue to monitor/work around for the moment.
EDIT: Manually downloading patches works with both Chrome (as confirmed above) AND Internet Explorer 11 on our WS 2012 R2 server.
EDIT 2: Could I ask that Broadcom update the following documentation to address MS patches specifically? The Wireshark example significantly deviates from MS patch downloads.
https://knowledge.broadcom.com/external/article/207230/unable-to-download-wireshark-patches.html
------------------------------
Tech Monkey/IT Primate
Original Message:
Sent: Jan 17, 2025 03:43 PM
From: Roy B
Subject: Microsoft update download failed - The request was aborted: Could not create SSL/TLS secure channel
Hello David,
Good to bump into you again and I hope you're doing well.
I was curious why Server 2012 R2 is having such issues as reported by yourself and also deemacgee. And so I did a little more digging around the web. I'm sure Altiris Services use .NET calls to download patches and it appears that .NET can only 'use' ciphers that the OS supports. It seems that Server 2012 R2 does not support these newer ciphers that are required by some Websites for downloading patches.
Meanwhile, Chrome (and other browsers most likely) does support these newer ciphers as it does not use OS calls for ciphers, but has its own ciphers built into the software. So using Chrome to download the same files will always be successful.
These are the cipher suites supported by Chrome, regardless of the OS.
https://support.google.com/chrome/thread/181869811/which-tls-cipher-suites-does-chrome-support?hl=en
Comments in this thread below, on page 2, pointed me to the .NET reliance on the OS-installed ciphers:
https://learn.microsoft.com/en-us/answers/questions/227738/windows-server-2012-r2-tls-1-2-cipher-suites?page=2#answers
You can scroll through page 1 if you'd like. Seems everyone in this thread is wanting the same thing - Windows 2012 R2 to support the newer cipher suites.
Because of this limitation that Microsoft has left in Server 2012 R2, we won't be able to change Patch Management to allow these ciphers to be used. I do apologize that this isn't the best news. If it's not possible to upgrade the OS, there is option #2 that Igor mentioned above, which uses Wireshark patches as an example. Create the folder structure in Patch Management and then download the .exe and put it in the proper folder and Patch Management should roll out that patch just fine.
Again, my apologies for the not so good news, but hopefully this brings understanding to the underlying issue at hand and the limitation this places on Patch Management when using Server 2012 R2.
All the best,
Roy Brooksby
Original Message:
Sent: Jan 17, 2025 09:43 AM
From: David Fanning
Subject: Microsoft update download failed - The request was aborted: Could not create SSL/TLS secure channel
I ran a packet capture on our test SMP server running on Windows Server 2016. This server is able to download patches into Patch Management. The packet capture showed that TLS 1.2 was used during the patch download and the cipher suite was TLS_AES_256_GCM_SHA384.
I ran IISCrypto on the Windows 2012 R2 server and found that TLS_AES_256_GCM_SHA384 is not an available cipher suite. I am not sure if or how the TLS_AES_256_GCM_SHA384 cipher suite can be added to Windows Server 2012 R2. So the download issue is not because the server hosting the patches requires TLS 1.3.
It is interesting to note that the patch can be downloaded using Chrome on the Windows 2012 R2 server.
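A diagnostic for the points raised in Roy's and David's posts (added here; this is not code from the thread, from Broadcom, or from Altiris): it checks whether the cipher suite seen in the Server 2016 capture is enabled in SChannel on the SMP host, then performs the same TLS 1.2 client handshake that .NET Framework would, so the "Could not create SSL/TLS secure channel" condition can be reproduced without Wireshark or IISCrypto. It assumes PowerShell 5.1 with the TLS module (Windows 8.1 / Server 2012 R2 or later), and $PatchHost is a placeholder for the host name of a URL that fails in the SMP log.

```powershell
# Added diagnostic for the SMP host (not code from the thread or from Broadcom/Altiris).
# Assumptions: PowerShell 5.1 with the TLS module (Server 2012 R2 or later);
# $PatchHost is a placeholder for the host name of a URL that fails in the SMP log.
param(
    [string]$PatchHost   = 'patch-host.example',      # placeholder: take it from the failing URL
    [string]$WantedSuite = 'TLS_AES_256_GCM_SHA384'   # suite observed in the Server 2016 capture
)

# 1. Cipher suites SChannel offers on this host; .NET Framework cannot use anything else.
$osSuites = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
if ($osSuites -contains $WantedSuite) {
    Write-Host "SChannel offers $WantedSuite"
} else {
    Write-Host "SChannel does NOT offer $WantedSuite ($($osSuites.Count) suites enabled):"
    $osSuites | ForEach-Object { Write-Host "  $_" }
}

# 2. Reproduce the handshake: an SslStream restricted to TLS 1.2, as the downloader's
#    ServicePointManager would be, reports what was negotiated or why it failed.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($PatchHost, 443)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($PatchHost, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
    [pscustomobject]@{
        Protocol    = $ssl.SslProtocol
        Cipher      = $ssl.CipherAlgorithm
        CipherBits  = $ssl.CipherStrength
        Hash        = $ssl.HashAlgorithm
        KeyExchange = $ssl.KeyExchangeAlgorithm
    }
} catch {
    # An AuthenticationException here is the same failure the SMP log reports as
    # "The request was aborted: Could not create SSL/TLS secure channel".
    Write-Host "Handshake with $PatchHost failed: $($_.Exception.GetBaseException().Message)"
} finally {
    $client.Close()
}
```

Running it on the Server 2016 host and on the 2012 R2 host side by side shows which step differs: the suite list, or the handshake itself.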
Original Message:
Sent: Jan 02, 2025 12:39 AM
From: Ain Abdullah
Subject: Microsoft update download failed - The request was aborted: Could not create SSL/TLS secure channel
OS on NS: WS2012 R2
Version: 8.6 RU3
I came across this post and tried the method suggested.
https://community.broadcom.com/symantecenterprise/question/patch-management-downloads-enabled-tls-12-but-downloads-fail
I managed to download the Zoom package successfully. However, I still could not download Microsoft packages.
This is a sample of the error.
The request was aborted: Could not create SSL/TLS secure channel.
[System.Net.WebException @ Altiris.PatchManagementCore]
at Altiris.PatchManagementCore.Utilities.File.HandleDownloadRetry(Uri uri, DownloadContext downloadContext, Exception retryableDownloadException, TimeSpan pauseTimeSpan)
at Altiris.PatchManagementCore.Utilities.File.DownloadToStreamWithRetries(Uri uri, DownloadContext downloadContext)
at Altiris.PatchManagementCore.Utilities.File.Download(String fromUrl, String toDirectory, String toFileName, Boolean forceDownload, DownloadParameters miscDownloadParams)
The request was aborted: Could not create SSL/TLS secure channel.
[System.Net.WebException @ Altiris.PatchManagementCore]
at Altiris.PatchManagementCore.Utilities.File.HandleDownloadRetry(Uri uri, DownloadContext downloadContext, Exception retryableDownloadException, TimeSpan pauseTimeSpan)
at Altiris.PatchManagementCore.Utilities.File.DownloadToStreamWithRetries(Uri uri, DownloadContext downloadContext)
at Altiris.PatchManagementCore.Utilities.File.Download(String fromUrl, String toDirectory, String toFileName, Boolean forceDownload, DownloadParameters miscDownloadParams)
Help please. Thank you.
Regards,
Ain