topic TLS 1.2 Windows 2008 SP2 server in Integration and Testing

TLS 1.2 Windows 2008 SP2 server

zAlien — Fri, 02 Mar 2018 23:30:47 GMT

Hello everyone,

I still have a box running Windows server 2008 SP2. Deployed .net framework 4.5.2 and verified that indeed the .net framework version used is 4.5.2

I have disabled all protocols except TLS 1.2 (set the Enabled registry key for the other to 0). Set the SchUseStrongCrypto key under WOW6432Node\Microsoft\.NETFramework\v4.0.30319 to 1. Set ciphers and cipher suites order.

Unfortunately I am still not able to use authorize.net anymore (using secure2.authorize.net/gateway/transact.dll). I have ASPDotNetStoreFront 9.5.1 ecommerce solution and according to them is TLS 1.2 ready. When I try to process a payment I get "Error connecting to payment gateway".

I've put the following code:

<%
Set objHttp = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")
objHttp.open "GET", "https://howsmyssl.com/a/check", False
objHttp.Send
Response.Write objHttp.responseText
Set objHttp = Nothing
%>

in a quick test asp file and when I hit that from a remote location I get the following:

{"given_cipher_suites":["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA"],"ephemeral_keys_supported":true,"session_ticket_supported":false,"tls_compression_supported":false,"unknown_cipher_suite_supported":false,"beast_vuln":false,"able_to_detect_n_minus_one_splitting":true,"insecure_cipher_suites":{},"tls_version":"TLS 1.0","rating":"Bad"}

If I go to https://howsmyssl.com/a/check on the server in Chrome it comes back reporting TLS 1.2.

SSLlabs gives me 100 for Certificate and Protocol Support, 90 for Key Exchange and only 70 for Cipher Strength most likely due to Window 2008 not supporting GCM ciphers.

This is what I have for Protocols reported by ssllabs:

Protocols
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No
SSL 3 No
SSL 2 No

And this is what I have for cipher suites:

Cipher Suites

# TLS 1.2 (suites in server-preferred order)

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp521r1 (eq. 15360 bits RSA) FS256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp521r1 (eq. 15360 bits RSA) FS128

TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK256

TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK128

TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK112

Any ideas what might be happening and if there is anything I can do short of migrating? Do I have to have GCM ciphers?

Thank you so much for any help!!!! It has been some crazy now more than 24h.

Re: TLS 1.2 Windows 2008 SP2 server

zAlien — Fri, 02 Mar 2018 23:43:02 GMT

Interesting enough using C# it reports similar to the browser:

using System;
using System.Net;
using System.IO;

namespace howsMySSL
{
    public partial class Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
            var response = WebRequest.Create("https://www.howsmyssl.com/a/check").GetResponse();
            var responseData = new StreamReader(response.GetResponseStream()).ReadToEnd();
            Response.Write(responseData);

        }
    }
}

{"given_cipher_suites":["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA"],"ephemeral_keys_supported":true,"session_ticket_supported":false,"tls_compression_supported":false,"unknown_cipher_suite_supported":false,"beast_vuln":false,"able_to_detect_n_minus_one_splitting":false,"insecure_cipher_suites":{},"tls_version":"TLS 1.2","rating":"Probably Okay"}

Re: TLS 1.2 Windows 2008 SP2 server

zAlien — Fri, 02 Mar 2018 23:53:44 GMT

Arghh, as soon as I post here and go back to try again, of course it works ---sighs---

The one thing that I did different after reading a different post here (THANK YOU SO MUCH FOR THAT) was setting this registry key:

Set the SchUseStrongCrypto key under WOW6432Node\Microsoft\.NETFramework\v4.0.30319 to 1

That defaults the .net framework to TLS1.2

Again, thank you for that hint!!!!!