Client Management Suite


 Patch Management Downloads - Enabled TLS 1.2 but downloads fail

Steve Drimones posted Mar 31, 2023 04:25 PM

I updated the registry for TLS 1.2 to be the only protocol enabled.  Everything works fine except for Patch Management downloading of new software updates.  I have to remove the TLS entries in the registry, restart the NS, enable the TLS entries again and restart the NS for the downloads to complete. I opened a case with support but they could not figure it out.  Any one else having a similar issue or have a fix for this?

Broadcom Employee Dmitri Gornev

Hi Steve,

what Patch Management solution version do you have?

Thanks,
Dmitri.

Pablo Llorente

Hello,

We have a similar issue, but only when downloading Tableau patches. We opened an INC and the support team advised us to enable TLS 1.2. It was actually enabled at the IIS level, but a registry key is missing.
We are still thinking about whether we should apply the resolution and enable TLS 1.2, because this is totally insecure... we have some doubts about it and maybe, as we are only facing the issue for Tableau fixes, we will download it manually and create software packages.

To be honest, we don't think that enabling TLS 1.2 is a good idea. It means that we need to take an insecure action to be secure installing security patches? That does not make sense....

Steve Drimones

Hi Dimitri,
  We are running 8.6 RU3.

Pablo,
  How is TLS 1.2 unsecure?

Steve Drimones

Hello,
  Anyone have any ideas?

Tal Fisher

Here is what I know: TLS 1.2 is installed/enabled on all Windows 10 computers and Server 2012 R2 and newer.

TLS 1.2 is available when any website needs a high or higher-security connection.

IE, Chrome, Firefox and Microsoft Edge support TLS 1.2, and the negotiation occurs between the web app's server and the web browser client.
You should not have to remove anything if it is a Microsoft OS.

Tal Fisher

For Windows 8 and Server 2012 and older, you will need to edit the registry.
Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows - Microsoft Support

Steve Drimones

@Tal Fisher, That is what I thought as well.  TLS is set correctly.  This only affects the downloading of a few apps, not all, via Patch Management which is odd.

Tal Fisher

That is odd. Do all of your package servers and task servers have the newest Windows OS? I had to go through this process about four years ago. We also had to enable HTTP and HTTPS on the IIS side. I will check to see if I still have my notes.

Tal Fisher

Never mind, that was in 2016. I don't keep my notes that long. So you may have to reach out to support. I have used them several times, and they are fast and knowledgeable.

Broadcom Employee Dmitri Gornev

Hi Steve,

sorry, a few more questions (we have not been able to reproduce it so far on our side):
- what specific registry keys did you use to configure TLS?
- is the problem reproducible for all or only specific software vendors?
- what specific errors do you see in Altiris Log when it's reproducible?
- what OS do you have on management server? Do you have the latest updates installed there?

Thank you,
Dmitri.

Steve Drimones

Hi Dmitri,
- what specific registry keys did you use to configure TLS?

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000


- is the problem reproducible for all or only specific software vendors? 
 Only for Zoom, VNC, Webex, and SnagIt.  The rest of the vendors work


- what specific errors do you see in Altiris Log when it's reproducible?
I do not have the specific error as the logs cleared but it said TLS connection could not be completed.  I was able to go directly to the URL that was listed as the download location for each app and open it in a browser on the management server and it downloads the file.

- what OS do you have on management server? Do you have the latest updates installed there?
Server 2012 R2 and all latest Server updates are installed

Broadcom Employee Dmitri Gornev

Hi Steve,

we fully replicated your environment but still cannot reproduce the problem.
Could you check which ciphers you have available on your system (for example, using a tool like IIS Crypto)?
Are you able to download the updates in question using IE (other browsers have their own implementation of TLS, so they are not very indicative here)?
What version(s) of .NET Framework do you have installed? You may also try enforcing stronger encryption with a registry modification like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

Logs would be very beneficial to troubleshoot further.

Thank you,
Dmitri.
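
Added example, not code from this thread or from Broadcom: the SCHANNEL protocol keys Steve posted and the .NET keys Dmitri suggests, applied by one idempotent PowerShell script that also reads the state back so the change can be checked before the NS is rebooted. The function names are my own; it assumes an elevated Windows PowerShell 5.1 session on the management server and that a reboot follows, since SCHANNEL only reads these keys at start-up.

```powershell
# Added example (not from the thread, not Broadcom code). Run elevated on the NS.
# Applies "TLS 1.2 only" to SCHANNEL, tells .NET 2.0/4.x apps (Patch Management
# is a .NET application) to follow the OS protocol settings, then reads it all back.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Set-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')]
        [string]$Protocol,
        [Parameter(Mandatory)][bool]$Enabled
    )
    # Both sides matter here: Patch Management downloads are an outbound (Client)
    # connection; the console and agents hit IIS on the Server side.
    foreach ($Side in 'Client', 'Server') {
        $Key = Join-Path (Join-Path $SchannelRoot $Protocol) $Side
        if ($PSCmdlet.ShouldProcess($Key, "Enabled=$([int]$Enabled)")) {
            New-Item -Path $Key -Force | Out-Null
            New-ItemProperty -Path $Key -Name 'Enabled' -Value ([int]$Enabled) -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $Key -Name 'DisabledByDefault' -Value ([int](-not $Enabled)) -PropertyType DWord -Force | Out-Null
        }
    }
}

function Set-DotNetTlsDefaults {
    # SystemDefaultTlsVersions makes .NET follow the SCHANNEL configuration above;
    # SchUseStrongCrypto removes the legacy SSL 3.0/TLS 1.0 defaults. Both the
    # 64-bit and the WOW6432Node (32-bit) hives are set, as in Dmitri's reply.
    $Keys = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($Key in $Keys) {
        New-Item -Path $Key -Force | Out-Null
        foreach ($Name in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
            New-ItemProperty -Path $Key -Name $Name -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-SchannelProtocolState {
    # Reads back every protocol/side pair. A missing key means "OS default",
    # which on Server 2012 R2 leaves TLS 1.0 and 1.1 enabled.
    foreach ($Protocol in $Protocols) {
        foreach ($Side in 'Client', 'Server') {
            $Key   = Join-Path (Join-Path $SchannelRoot $Protocol) $Side
            $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $Protocol
                Side              = $Side
                Enabled           = if ($null -eq $Props) { 'default' } else { $Props.Enabled }
                DisabledByDefault = if ($null -eq $Props) { 'default' } else { $Props.DisabledByDefault }
            }
        }
    }
}

# Usage: TLS 1.2 only, the same end state as the .reg fragments in the thread.
'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1' | ForEach-Object { Set-SchannelProtocol -Protocol $_ -Enabled $false }
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
Set-DotNetTlsDefaults
Get-SchannelProtocolState | Format-Table -AutoSize
# Reboot the server afterwards; SCHANNEL does not pick these keys up live.
```

Run it once with -WhatIf on Set-SchannelProtocol to see the keys it would touch. Note that this only fixes protocol selection: if the cipher-suite list has been cut down as well (IIS Crypto templates do this), a TLS 1.2 handshake can still fail for lack of a shared suite, which is the direction the rest of the thread goes.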

Steve Drimones

Hi Dmitri,
  Looking at the logs, I see 2 errors:
1. GetRemoteFileInfoHttp() for https://cdn.zoom.us/prod/5.14.6.15434/x64/ZoomInstallerFull.msi - The underlying connection was closed: An unexpected error occurred on a receive.
2. Download failed for: https://cdn.zoom.us/prod/5.14.6.15434/x64/ZoomInstallerFull.msi

The request was aborted: Could not create SSL/TLS secure channel.
   [System.Net.WebException @ System]
   at Altiris.PatchManagementCore.Utilities.File.HandleDownloadRetry(Uri uri, DownloadContext downloadContext, Exception retryableDownloadException, TimeSpan pauseTimeSpan)
   at Altiris.PatchManagementCore.Utilities.File.DownloadToStreamWithRetries(Uri uri, DownloadContext downloadContext)
   at Altiris.PatchManagementCore.Utilities.File.Download(String fromUrl, String toDirectory, String toFileName, Boolean forceDownload, DownloadParameters miscDownloadParams)

Exception logged from: 
   at Altiris.PatchManagementCore.Utilities.File.Download(String, String, String, Boolean, Altiris.PatchManagementCore.Utilities.DownloadParameters)
   at Altiris.PatchManagementCore.Utilities.FileDownloader.Download()
   at Altiris.PatchManagementCore.Utilities.FileDownloader.DoDownloadProcedure(Object)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, Object)
   at System.Threading.ThreadHelper.ThreadStart(Object)

As for the ciphers


If I try to download in IE, I receive: "This page can't be displayed. Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://cdn.zoom.us again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator."

We have .NET 4.8

Steve Drimones

Sorry, here are the Ciphers:

I also added the .NET regkey changes you provided, restarted the server, but same issue.

Broadcom Employee Igor Perevozchikov

Hi Steve Drimones!

Thank you for the provided list of disabled/enabled "Cipher Suites"!
Now I was able to reproduce your problem on Windows 2012 R2 Server for ITMS 8.6 RU3, using the same enabled "Cipher Suites".
I observed that this problem is reproducible if the following "Cipher Suites" are disabled:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384

Please add/enable both ciphers on your SMP Server, reboot it and try to download zoom package updates.


Best regards,
IP.
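
Added example, not code from this thread or from Broadcom: a PowerShell check for the two cipher suites Igor names, a helper that enables them if missing, and a probe that opens a TLS 1.2 connection through the same SCHANNEL-backed .NET path the Altiris WebException above comes from, so you can tell a protocol problem from a cipher-suite problem without waiting for a Patch Management run. The function names and the suffix-less fallback match are mine; it assumes an elevated session for Enable-TlsCipherSuite and network access to the probed host (cdn.zoom.us, taken from the log above).

```powershell
# Added example (not from the thread, not Broadcom code).
# Needs an elevated session for Enable-TlsCipherSuite and network access for the probe.

function Get-RequiredCipherSuiteState {
    param(
        # Names exactly as posted. Server 2012 R2 lists ECDHE suites with the curve
        # suffix (_P256/_P384); Server 2016 and later drop the suffix and manage
        # curves separately, so the base name is accepted as a match as well.
        [string[]]$Required = @(
            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384'
        )
    )
    # Effective list as SCHANNEL sees it (Get-TlsCipherSuite ships with 2012 R2+).
    $Enabled = Get-TlsCipherSuite | Select-Object -ExpandProperty Name
    # A GPO-delivered "Functions" list overrides anything set locally (IIS Crypto included).
    $Policy  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' `
                                -Name Functions -ErrorAction SilentlyContinue
    foreach ($Suite in $Required) {
        $Base = $Suite -replace '_P(256|384|521)$', ''
        [pscustomobject]@{
            Suite        = $Suite
            Enabled      = [bool](($Enabled -contains $Suite) -or ($Enabled -contains $Base))
            GpoOverrides = [bool]$Policy
        }
    }
}

function Enable-RequiredCipherSuite {
    # Adds the missing suites. Where they sit in the priority list is a separate
    # decision; presence is what the handshake needs. Reboot afterwards.
    foreach ($State in Get-RequiredCipherSuiteState) {
        if (-not $State.Enabled) { Enable-TlsCipherSuite -Name $State.Suite }
    }
}

function Test-TlsHandshake {
    param([string]$HostName = 'cdn.zoom.us', [int]$Port = 443)
    $Client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $Ssl     = New-Object System.Net.Security.SslStream($Client.GetStream(), $false)
        $NoCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
        # Pin the probe to TLS 1.2 so it behaves like a TLS-1.2-only SCHANNEL client.
        $Ssl.AuthenticateAsClient($HostName, $NoCerts, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        [pscustomobject]@{
            Host        = $HostName
            Protocol    = $Ssl.SslProtocol
            Cipher      = "$($Ssl.CipherAlgorithm)/$($Ssl.CipherStrength)"
            KeyExchange = "$($Ssl.KeyExchangeAlgorithm)/$($Ssl.KeyExchangeStrength)"
            Hash        = $Ssl.HashAlgorithm
            Error       = $null
        }
    } catch {
        # With the protocol keys correct, a failure here means no cipher suite is
        # shared with the server: the same condition behind
        # "Could not create SSL/TLS secure channel" in the Altiris log.
        [pscustomobject]@{
            Host = $HostName; Protocol = 'FAILED'; Cipher = $null; KeyExchange = $null; Hash = $null
            Error = $_.Exception.GetBaseException().Message
        }
    } finally {
        $Client.Close()
    }
}

# Usage:
Get-RequiredCipherSuiteState | Format-Table -AutoSize
Test-TlsHandshake -HostName 'cdn.zoom.us' | Format-List
# Enable-RequiredCipherSuite    # then reboot and run Test-TlsHandshake again
```

Two practical caveats. First, IE is the right browser for this check, as Dmitri says, because it uses SCHANNEL; Chrome and Firefox carry their own TLS stacks and will happily succeed while the .NET downloader fails. Second, because 2012 R2 and 2016+ name ECDHE suites differently, a cipher list copied between OS versions will not necessarily mean the same thing, which is worth keeping in mind when reading Igor's note about in-place upgrades below.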

Steve Drimones

Igor,
  Adding those Ciphers fixes the issue within IE so that I can download it there, and I do not receive an error when downloading via the console, but it does not seem to actually download the file.  Also, when I add those Ciphers, we cannot connect to the Console remotely, only directly on the server.  Those Ciphers are only an issue with 2012 R2, correct? If we upgrade the Server to 2022 we should not need to add those.

Broadcom Employee Igor Perevozchikov

1. On my side with these cipher suites, zoom patch packages are downloaded and available

2. I'm able to log in to the SMP Console using Google Chrome, MS Edge or IE11 browsers from other remote Windows Servers (my default browser is Chrome on ITMS 8.6 RU3 - Windows 2012 R2 Server)

3. For in-place OS upgrade from Windows 2012 R2 Server OS to Windows 2022 Server OS, I can't say what Cipher Suites there will be.
But after upgrade of Windows 2012 R2 Server OS to Windows 2016 Server OS, same cipher suites remained enabled (verified for my environment)

Best regards,
IP.

Steve Drimones

We finally upgraded the NS to Server 2022 and that fixed the issue.  We must have been missing specific Ciphers for Server 2012 R2 to connect and download correctly.  Thanks for all the insight and help everyone.