Client Management Suite

View Only

Patch Management Downloads - Enabled TLS 1.2 but downloads fail

Steve Drimones posted Mar 31, 2023 04:25 PM

I updated the registry for TLS 1.2 to be the only protocol enabled. Everything works fine except for Patch Management downloading of new software updates. I have to remove the TLS entries in the registry, restart the NS, enable the TLS entries again and restart the NS for the downloads to complete. I opened a case with support but they could not figure it out. Any one else having a similar issue or have a fix for this?

Broadcom Employee Dmitri Gornev posted Mar 31, 2023 06:40 PM

Hi Steve,

what Patch Management solution version do you have?

Thanks,
Dmitri.

Pablo Llorente posted Apr 03, 2023 02:41 AM

Hello,

We have similar issue but only downloading Tableau patches. We opened an INC and support team adviced us to enable the TLS 1.2. It was actually enabled at IIS level but a registry key is missing.
We are still thinking about if we should apply the resolution and enable TLS 1.2 because this is totally unsecure... we have some doubts about it and maybe, as we aonly are facing the issue for Tableau fixes, we will downlaoud it manually and we will create software packages.

To be honest, we dont think that enable TLS 1.2 is a good idea. It means that we need to take a not secure action to be secure installing security patches? does not make sense....

Steve Drimones posted Apr 03, 2023 08:12 AM

Hi Dimitri,
W are running 8.6 RU3.

Pablo,
How is TLS 1.2 unsecure?

Steve Drimones posted Apr 28, 2023 08:33 AM

Hello,
Anyone have any ideas?

Tal Fisher posted Apr 28, 2023 02:24 PM

Here is what I know: TLS 1.2 is installed/enabled on all Windows 10 computers and Server 2012 R2 and newer.

TLS 1.2 is available when any website needs a high or higher-security connection.

IE, Chrome, Firefox and Microsoft Edge support TLS 1.2, and the negotiation occur between the web apps server and the web browser client.
You should not have to remove anything if it is a Microsoft OS.

Tal Fisher posted Apr 28, 2023 02:30 PM

For Windows 8 and Server 2012 and older, you will need to edit the registry.
Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows - Microsoft Support

Steve Drimones posted Apr 28, 2023 02:41 PM

@Tal Fisher, That is what I thought as well. TLS is set correctly. This only affects the downloading of a few apps, not all, via Patch Management which is odd.

Tal Fisher posted Apr 28, 2023 05:23 PM

That is odd. Do all of your package servers and task servers have newest Windows OS? I had to go through this process about four years ago. We also had to enable HTTP and HTTPS on the IIS side. I will check to see if I still have my notes.

Tal Fisher posted Apr 28, 2023 05:38 PM

Never mind, that was in 2016. I don't keep my notes that long. So you may have to reach out to support. I have used them several times, and they are fast and knowledgeable.

Broadcom Employee Dmitri Gornev posted May 02, 2023 06:28 AM

Hi Steve,

sorry, few more questions (we were not able to reproduce it so far on our side):
- what specific registry keys did you use to configure TLS?
- is the problem reproducible for all or only specific software vendors?
- what specific errors do you see in Altiris Log when it's reproducible?
- what OS do you have on management server? Do you have the latest updates installed there?

Thank you,
Dmitri.

Steve Drimones posted May 03, 2023 08:25 AM

Hi Dmitri,
- what specific registry keys did you use to configure TLS? [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

- is the problem reproducible for all or only specific software vendors?
Only for Zoom, VNC, Webex, and SnagIt. The rest of the vendors work

- what specific errors do you see in Altiris Log when it's reproducible?
I do not have the specific error as the logs cleared but it said TLS connection could not be completed. I was able to go directly to the URL that was listed as the download location for each app and open it in a browser on the management server and it downloads the file.
- what OS do you have on management server? Do you have the latest updates installed there?
Server 2012 R2 and all latest Server updates are installed

Broadcom Employee Dmitri Gornev posted May 04, 2023 11:24 AM

Hi Steve,

we fully replicated your environment but still cannot reproduce the problem.
May you check what ciphers do you have available on your system (for example, using tool like IIS Crypto)?
Are you able to download updates in question using IE (other browsers have their own implementation of TLS so they are not very indicative here)?
What version(s) of .Net Framework do you have installed? You may also try enforcing stronger encryption with registry modification like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

Logs would be very beneficial to troubleshoot further.

Thank you,
Dmitri.

Steve Drimones posted May 09, 2023 12:30 PM

Hi Dmitri,
Looking at the logs, I see 2 errors:
1. GetRemoteFileInfoHttp() for https://cdn.zoom.us/prod/5.14.6.15434/x64/ZoomInstallerFull.msi - The underlying connection was closed: An unexpected error occurred on a receive.
2. Download failed for: https://cdn.zoom.us/prod/5.14.6.15434/x64/ZoomInstallerFull.msi

The request was aborted: Could not create SSL/TLS secure channel.
[System.Net.WebException @ System]
at Altiris.PatchManagementCore.Utilities.File.HandleDownloadRetry(Uri uri, DownloadContext downloadContext, Exception retryableDownloadException, TimeSpan pauseTimeSpan)
at Altiris.PatchManagementCore.Utilities.File.DownloadToStreamWithRetries(Uri uri, DownloadContext downloadContext)
at Altiris.PatchManagementCore.Utilities.File.Download(String fromUrl, String toDirectory, String toFileName, Boolean forceDownload, DownloadParameters miscDownloadParams)

Exception logged from:
at Altiris.PatchManagementCore.Utilities.File.Download(String, String, String, Boolean, Altiris.PatchManagementCore.Utilities.DownloadParameters)
at Altiris.PatchManagementCore.Utilities.FileDownloader.Download()
at Altiris.PatchManagementCore.Utilities.FileDownloader.DoDownloadProcedure(Object)
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, Object)
at System.Threading.ThreadHelper.ThreadStart(Object)

As for the ciphers

If I try to download in IE, I receive This Page can't be displayed. Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try

connecting to https://cdn.zoom.us again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.

We have .NET 4.8

Steve Drimones posted May 09, 2023 12:44 PM

Sorry, here are the Ciphers:

I also added the .net regkey changes you provided, restarted the server, but same issue.

Broadcom Employee Igor Perevozchikov posted May 10, 2023 03:56 AM

Hi Steve Drimones!

Thank you for provided list of disabled/enabled "Cipher Suites"!
Now I was able to reproduce your problem on Windows 2012 R2 Server for ITMS 8.6 RU3, using same enabled "Cipher Suites"
Observed that this problem is reproducible in case if following "Cipher Suites" are disabled.

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384

Please add/enable both ciphers on your SMP Server, reboot it and try to download zoom package updates.

Best regards,
IP.

Steve Drimones posted May 10, 2023 09:55 AM

Igor,
Adding those Ciphers fixes the issue within IE so that I can download it there and I do not receive an error when downloading via the console, but it does not seem to actually download the file. Also, when I add those Ciphers, we can not connect to the Console remotely, only directly on the server. Those Ciphers are only an issue with 2012 R2, correct? If we upgrade the Server to 2022 we should not need to add those.

Broadcom Employee Igor Perevozchikov posted May 10, 2023 10:16 AM

1. On my side with these cipher suites, zoom patch packages are downloaded and available

2. I'm able to login to SMP Console using Google Chrome, MS Edge or I.E11 browsers from other remote Windows Servers (My default browser is Chrome on ITMS 8.6 RU3 - Windows 2012R2 Server)

3. For in-place OS upgrade from Windows 2012 R2 Server OS to Windows 2022 Server OS, I can't say what Cipher Suites there will be.
But after upgrade of Windows 2012 R2 Server OS to Windows 2016 Server OS, same cipher suites remained enabled (verified for my environment)

Best regards,
IP.

Steve Drimones posted Jun 02, 2023 08:40 AM

We finally upgraded the NS to Server 2022 and that fixed the issue. We must have been missing specific Ciphers for Server 2012 R2 to connect and download correctly. Thanks for all the insight and help everyone.