winhttp.dll not working with TLS1.1 and TLS1.2 on windows 2008 r2 x64

hello,

I use the WinHttp.WinHttpRequest.5.1 object, and the PCI DSS provider upgraded to TLS 1.1 and TLS 1.2.

I use winhttp.dll on Windows 2008 R2 x64 to connect to the payment provider.

so I tried to use either of these options:

obj.Option(9) = 2048  'TLS 1.2

obj.Option(9) = 512 'TLS 1.1

and I get an error.

I installed all the related KBs but I get the same result.

I login to my windows 2008 r2 server and notice that Internet browsers load the https URL using TLS 1.1 and TLS 1.2 very well.

here is a sample of my test code:
set obj = CreateObject("WinHttp.WinHttpRequest.5.1")
obj.Open "POST", "https://www.paymnt.com/"
obj.SetTimeouts 30000, 60000, 60000, 60000
obj.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
obj.Option(6) = false     ' Option(6) = EnableRedirects
' Option(9) = SecureProtocols (WinHttpRequestSecureProtocols flags)
obj.Option(9) = 512 'TLS 1.1   - error
'obj.Option(9) = 2048 'TLS 1.2 - error
obj.Send

when I try to use 512 (TLS 1.1) or 2048 (TLS 1.2) it raises this error:
Microsoft VBScript runtime error: Invalid procedure call or argument: 'obj.Option'

the error is only in Win2008 R2 x64 and on Win7 x64

If I set "obj.Option(9) = 128" it is working, but 128 means TLS 1.0 and I will not be able to use it since it is vulnerable.

On Win8/Win8.1/Win 2012(R2) it is working fine.


here are the winhttp.dll versions I tested on

Win7 winhttp.dll x64:

version: 6.1.7601.17514

Date modified: 2010/11/20

Size: 434KB

- works only with .Option(9) = 128 ' TLS1.0

Win2008 R2 winhttp.dll x64

version: 6.1.7601.17514

Date modified: 2010/11/21

Size: 434KB

- works only with .Option(9) = 128 ' TLS1.0

Win2012 winhttp.dll

version: 6.2.9200.16451

Date modified: 2012/11/06

Size: 694KB

- works only with .Option(9) = 512 and 2018 ' TLS1.1 and TLS 1.2

so Microsoft is not updating the Windows 7 x64 and Windows 2008 R2 winhttp library?

Is Microsoft forcing us to move to Windows 2012 (R2)?
catalinmafteiAsked:
BembiCEOCommented:
Is TLS 1.1 and TLS 1.2 enabled on these machines?
Have a look into the key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
See the picture for what values you can put there....
TLS12_Enable.PNG
0
catalinmafteiAuthor Commented:
Hi Bembi,

Thanks for your reply.

Yes TLS 1.1 and TLS 1.2 are enabled on my server both on Client & Server side.

here are the print screens
win2008r2_ecurity_protocol_seetings.png
TLS-Client-configuration.png
TLS-Server-configuration.png
0
BembiCEOCommented:
On my servers TLS 1.2 is 1, not FFFF
Is TLS 1.0 still enabled? (following the first picture, I guess not, as the key is there, a value is set).

What happens if you call it from the development machine?
Is it enabled there as well?
Does it work on the dev machine, but not on the 2008 R2 machine?
0
catalinmafteiAuthor Commented:
Hi Bembi,

Thanks for your reply.

Yes, TLS 1.0 is disabled.
I tried TLS 1.2 with 1 but it still errors.

My dev server is the same as the production server: Win 2008 R2 with the same configuration, and it is NOT working.

I tested, and for me:
- Winhttp is NOT working with TLS 1.1 and TLS 1.2 on Win7 and Win2008R2.
- Winhttp is working with TLS 1.1 and TLS 1.2 only on Win8/8.1/2012/2012(R2).
TLS-1.0-Server-Configuration.png
0
BembiCEOCommented:
I interpret your setup as follows: your server is the client, which should connect to a payment provider and should not use TLS 1.0, but a version above...
You also said you disabled TLS 1.0 in the registry (for the client ?!?).
So now I'm wondering why it connects with TLS 1.0 as you said.
As you are the client, remember there are also settings in IE to allow TLS / SSL versions from the browser side.

I would first inspect the target side. That it works from Win 8 and above doesn't really mean that you are really using the higher TLS version, because they may fall back, if allowed, when the target side doesn't support it.
So make sure the target accepts TLS 1.1 or TLS 1.2, there is an appropriate certificate and the hash is not weak. On the server side, cipher suites are offered in a defined order. If the cipher suites are weak, the client may even deny the connection with TLS 1.1 and higher enabled.

You can check your target server (to see what is offered) with
https://www.ssllabs.com/ssltest/analyze.html?d=server.to.test&latest
replace server.to.test with your target.


I hardened my server some time ago and in this step I disabled TLS 1.0, changed the cipher-suite order (moved the more secure ones to the top and removed weak ones), changed all certs to a minimum of 2048 bits and changed some other keys like
AllowInsecureRenegoClients, AllowInsecureRenegoServers.

The point with W2008 R2 and Win7 is that TLS 1.0 is set as default due to the fact that at that time not all servers supported higher TLS versions. But they also published some security fixes, which complicates the point as possibly more configuration is needed. For newer OS versions, MS possibly has changed the defaults, but a fallback may be necessary to be compatible with older services.

You may read this here:
https://support.microsoft.com/en-us/kb/980436
https://support.microsoft.com/en-us/kb/2643584 --> See SendExtraRecord

Cipher Suites here:
http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx

All TLS registry keys...
https://technet.microsoft.com/en-us/library/dn786418.aspx

Another hint I found is the winhttp.dll itself. If you open the DLL in the Visual Studio Object Browser, you can see whether you find constants for TLS 1.1 and TLS 1.2 (WinHttpRequestSecureProtocols). If not, you may not be able to use this DLL.
You may try to put a newer DLL into your program directory and reference it in your code.
But I am not sure what the impact of doing this is.
1
catalinmafteiAuthor Commented:
yes, this was my question ...

I loaded the WINHTTP.DLL in the Visual Studio Object Browser and TLS 1.1 and TLS 1.2 are not included.

I did a print screen.

should I start a new "question" on how to upgrade the WINHTTP.DLL to a version that uses TLS 1.1 and TLS 1.2 ??
winhttp-settings.png
0
BembiCEOCommented:
As you can see, the values are not included.
What you may try is to copy the DLL from a 2012 R2 system into the program folder of your application and reference it from there. At least this is an architecture that Microsoft defined to allow side-by-side DLLs without conflicting with DLLs provided by the OS.
But this also means your app cannot rely on OS standards and the DLL is never updated.

Upgrading the OS's own DLL will not be a supported solution.
But I also will not exclude that there is a hotfix which may cover this issue.

The side-by-side solution may work if there are no other dependencies inside the DLL on newer OS functionality reflected by additional DLLs from the OS.

It is just a try.

If this doesn't work, yes, feel free to find other experts who have other ideas, but don't expect too much; my feeling is that MS would have updated it by regular updates. I guess that the topic may be too new to be reflected in 2008 (this is 7 years ago now).
1
catalinmafteiAuthor Commented:
Hi Bembi

I tried to copy it but it is not working.

I think Microsoft is forcing us to move our systems from Win2008 R2/Windows 7.
0
BembiCEOCommented:
At least let's say they do not put too much effort into older systems to improve things. They earn money with selling new OS versions. Fixing issues on old systems doesn't really raise the balance....

Do you mean that side by side does not make a difference, or that it just doesn't work at all?

The call
set obj = CreateObject("WinHttp.WinHttpRequest.5.1")
refers to the registry registration of the DLL, and there the path where the DLL resides is also registered.
So, putting a newer version into the program directory doesn't change anything...

You have either to call the DLL directly
...I guess it is LoadLibrary
... which is late binding....
... and you do not have any support (programming help) because it will be an anonymous object. So the declaration will be
Dim obj as Object
but the code in general is the same....

or
you have to create a fake registration (i.e. WinHttp.WinHttpRequest.5.2 or something similar) so that CreateObject can find a different object in the registry which points to another DLL. Depending on the number of registry settings, maybe some hand work....
0
catalinmafteiAuthor Commented:
I know Windows 2008 R2 and Windows 7 are still supported by MS and we PAID A LOT of money for it.
I asked the same question all over the Internet and MS websites but got no answer.

I had to find my own solution, and I built my own DLL with a COM interface that supports TLS 1.1 and TLS 1.2.


Thank you for your time and reply
0
Martin LissOlder than dirtCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
Anton PalyokCommented:
I found a solution with a simple registry fix.

1) Register TLS 1.2 Protocol:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000


2) Configure TLS 1.2 to be default in 32 bit applications:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000800

3) Configure TLS 1.2 to be default in 64 bit applications:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000800

4) Restart server



If you need support of TLS 1.1 only then:
- On step 1) above simply change "TLS 1.2" to "TLS 1.1" and apply new registry fix
- On steps 2) and 3) above change value "00000800" to "00000200" and apply new registry fix

If you need support of both TLS 1.1 and 1.2 then
- Repeat step 1) from above two times to register both protocols
- On steps 2) and 3) use value "00000A00" (which is the combination of "00000800" + "00000200")

Code for verification:
<%
Set objHttp = Server.CreateObject("WinHTTP.WinHTTPRequest.5.1")
objHttp.open "GET", "https://howsmyssl.com/a/check", False
objHttp.Send
Response.Write objHttp.responseText
Set objHttp = Nothing
%>

At the end of the response you should see the version of TLS used by the request:
"tls_version":"TLS 1.2"
0
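The registry fix above, turned into an audit script as an added example (not code from the thread or from Microsoft): it reports the SCHANNEL Client/Server state of TLS 1.0/1.1/1.2, decodes the WinHTTP DefaultSecureProtocols bitmask in both hives (on 64-bit Windows the Wow6432Node key is the view 32-bit processes get), and with -Apply writes the TLS 1.1 + TLS 1.2 values (0xA00) the answer describes. It assumes an elevated PowerShell on the 2008 R2 / Win7 host and that the KB referenced by the answer's DefaultSecureProtocols setting is installed.

```powershell
# Added example, not from the thread: audit (and optionally set) the SCHANNEL and
# WinHTTP registry values described above. Run elevated on the 2008 R2 / Win7 host;
# read-only unless -Apply is given. Reboot after applying, as the answer says.
param([switch]$Apply)
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
# DefaultSecureProtocols bits used in the answer: TLS 1.0 = 0x80, 1.1 = 0x200, 1.2 = 0x800
$Bits = [ordered]@{ 'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }
# On 64-bit Windows the Wow6432Node key is the view that 32-bit processes get.
$WinHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)
function Get-ProtocolState([string]$Proto, [string]$Side) {
    $key = Join-Path $Schannel "$Proto\$Side"
    if (-not (Test-Path $key)) { return 'not configured (OS default applies)' }
    $p = Get-ItemProperty -Path $key
    if ($p.Enabled -eq 0) { return 'disabled' }
    if ($p.DisabledByDefault -eq 1) { return 'enabled but not offered by default' }
    return 'enabled'
}
foreach ($proto in $Bits.Keys) {
    foreach ($side in 'Client', 'Server') {
        '{0,-8} {1,-6} {2}' -f $proto, $side, (Get-ProtocolState $proto $side)
    }
}
# Decode DefaultSecureProtocols into the protocol names its bits stand for.
foreach ($key in $WinHttpKeys) {
    $val = (Get-ItemProperty -Path $key -Name DefaultSecureProtocols -ErrorAction SilentlyContinue).DefaultSecureProtocols
    if ($null -eq $val) { "$key : DefaultSecureProtocols not set"; continue }
    $on = @($Bits.Keys | Where-Object { ($val -band $Bits[$_]) -ne 0 })
    '{0} : 0x{1:X} = {2}' -f $key, $val, ($on -join ', ')
}
if ($Apply) {
    $want = $Bits['TLS 1.1'] -bor $Bits['TLS 1.2']   # 0xA00, as in the answer
    foreach ($proto in 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $Schannel "$proto\$side"
            New-Item -Path $key -Force | Out-Null
            # Any non-zero Enabled value enables the protocol; 1 is used here (the
            # answer's ffffffff does not fit a signed DWORD when set from PowerShell).
            Set-ItemProperty -Path $key -Name Enabled -Value 1 -Type DWord
            Set-ItemProperty -Path $key -Name DisabledByDefault -Value 0 -Type DWord
        }
    }
    foreach ($key in $WinHttpKeys) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name DefaultSecureProtocols -Value $want -Type DWord
    }
    'Applied. Reboot, then re-run without -Apply and the howsmyssl check above to confirm.'
}
```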