TLS 1.2 update

With the new PCI compliance requirement, we are trying to update the web server and database server to TLS 1.2.
When we enable TLS 1.2 on both servers we get the attached error. Below are some details of the DB server and web server.

Database server – windows server 2008 SP1
Database version – SQL server 2008 R2
Web server – windows 2012 SP1 and IIS 8.0

DB server TLS settings -- TLS 1.0 (disabled), TLS 1.1 (disabled), TLS 1.2 (enabled)
Web server TLS settings -- TLS 1.0 (disabled), TLS 1.1 (disabled), TLS 1.2 (enabled)

Error message when running the application (when the application tries to connect to the DB server):
"The client and server cannot communicate, because they do not possess a common algorithm."
iteicAsked:
Russ SuterCommented:
A lot of web applications still may not support TLS 1.2. I'd recommend re-enabling TLS 1.1. While TLS 1.2 is encouraged, TLS 1.1 is still an acceptable minimum standard for PCI DSS 3.2 compliance. Just provide at least one example to your PCI auditor of why you need TLS 1.1 enabled and they should be fine with it.

The PCI requirements in question here are 2.2.3, 2.3, and 4.1. All of these refer to appendix A2 of the PCI DSS which, unfortunately, only states "SSL and early TLS should not be used as a security control to meet these requirements." So, what the heck is "early TLS"? It's not defined in the actual DSS anywhere. Fortunately, this link explains it well enough:
https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls
iteicAuthor Commented:
We are using a third-party payment gateway for credit card transactions on our website; I don't think that third party will enable TLS 1.1 just for us.
Russ SuterCommented:
Which 3rd party gateway is it?

It won't do any harm to ask them if TLS 1.1 is supported on their gateway. It's not a PCI DSS violation to enable TLS 1.1 but I know some entities are extra sensitive. You might also check to ensure your own portal has TLS 1.2 support fully implemented. Furthermore, believe it or not, your error could be a case where the payment gateway doesn't implement TLS 1.2 at all and instead wants a TLS 1.1 connection. Remember that payment gateways have many clients and they tend to need to support the broadest possible audience while still remaining compliant.
iteicAuthor Commented:
Authorize.net is the payment gateway.
Russ SuterCommented:
OK, yeah. They're one of the biggest. I assume you're testing against their sandbox? Their documentation states that TLS 1.0 and 1.1 are disabled. Next question, what .NET framework version are you using?

For .NET 3.5 you'll need a patch.
For .NET 4.0 you need to specify TLS 1.2 explicitly in your code:

    ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;

For .NET 4.5 you also need to specify it, but it's slightly different:

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

.NET 4.6 should use TLS 1.2 by default.

Russ SuterCommented:
Also, if you're using .NET 4.0 you might still have to enable TLS 1.1 on your own server for things to properly negotiate.
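The two answers above come down to one question: can this host complete a TLS 1.2-only handshake with the remote endpoint at all? The following Windows PowerShell script is an added example, not code from the thread or from Authorize.net. It assumes Windows PowerShell on .NET Framework 4.5 or later (SslProtocols.Tls12 does not exist in 4.0), and the host name 'gateway.example.com' is a placeholder to replace with the endpoint your application actually calls. The function names Enable-Tls12ForDotNet and Test-Tls12Handshake are this example's own.

```powershell
# Added example (not from the thread): probe a TLS 1.2-only handshake from a
# Windows host, the negotiation that the ServicePointManager setting above
# controls for .NET web requests. Requires Windows PowerShell on .NET 4.5+.

function Enable-Tls12ForDotNet {
    # Add TLS 1.2 to what this process will offer, keeping anything already set;
    # equivalent to the .NET 4.5-style ServicePointManager line in the answer.
    $current = [System.Net.ServicePointManager]::SecurityProtocol
    [System.Net.ServicePointManager]::SecurityProtocol = $current -bor [System.Net.SecurityProtocolType]::Tls12
    return [System.Net.ServicePointManager]::SecurityProtocol
}

function Test-Tls12Handshake {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443
    )
    $result = [ordered]@{
        Host = "$HostName`:$Port"; Succeeded = $false; Protocol = $null
        Cipher = $null; Hash = $null; KeyExchange = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate: this tests protocol negotiation, not trust.
        # Never do this in production code.
        $noCheck = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $noCheck)
        try {
            # Offer TLS 1.2 only. A failure here with "The client and server cannot
            # communicate, because they do not possess a common algorithm" points at
            # local Schannel policy (protocol disabled, FIPS mode, no shared cipher
            # suite) rather than at the remote side's TLS 1.0/1.1 shutdown.
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            $result.Succeeded   = $true
            $result.Protocol    = $ssl.SslProtocol
            $result.Cipher      = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            $result.Hash        = $ssl.HashAlgorithm
            $result.KeyExchange = $ssl.KeyExchangeAlgorithm
        } finally { $ssl.Dispose() }
    } catch {
        # Innermost exception carries the Schannel/Win32 message worth reading.
        $result.Error = $_.Exception.GetBaseException().Message
    } finally { $client.Close() }
    return [pscustomobject]$result
}

# Usage (placeholder host name; substitute the gateway endpoint you actually call).
Enable-Tls12ForDotNet
Test-Tls12Handshake -HostName 'gateway.example.com' | Format-List
```

Run it once on the development machine and once on the production server: if the same script succeeds on one and fails on the other with the "common algorithm" message, the difference is in the server's own Schannel or FIPS configuration, not in the application code.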
iteicAuthor Commented:
No, it's not a sandbox account, because when I run the app from my development machine (which is a Windows 10 machine) using the production Authorize.net settings, the credit card transaction works, but when I deploy the application to the server with the same production settings it does not work.

I developed my application using .NET Framework 4.5, and in IIS it is targeting 4.0. Even after installing .NET Framework 4.5 on IIS 8.0, I am not getting a 4.5 option to target my application.
Russ SuterCommented:
Installing .NET 4.5 won't matter if your web application is compiled for .NET 4.0. Did you add the ServicePointManager.SecurityProtocol command to your web application?
Kyle AbrahamsSenior .Net DeveloperCommented:
Are updates done on the server?
https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

Also please see:
https://blogs.msdn.microsoft.com/friis/2016/07/25/disabling-tls-1-0-on-your-windows-2008-r2-server-just-because-you-still-have-one/

The instructions are for 2008 R2 but should also apply to 2012.

Please make sure you have access to the box and can enable RDP in TLS 1.1 as those instructions will not allow any TLS 1.0 connections.
iteicAuthor Commented:
I added ServicePointManager.SecurityProtocol to my application, but the application works on the development machine and not on the production server.

I don't know what I am missing on the server.
Russ SuterCommented:
Well you're a little closer. Do you have TLS 1.1 enabled in your development environment and not on your server? Even though you're specifying TLS 1.2 you may still need TLS 1.1 enabled in order for things to negotiate properly. Again, it's not a PCI DSS 3.2 violation to enable TLS 1.1.
iteicAuthor Commented:
But Authorize.net is not allowing TLS 1.1 at all, so I need to make sure my app runs without it.
Russ SuterCommented:
I understand that. However you may need to enable TLS 1.1 in order for the .NET framework to properly negotiate to TLS 1.2. Just because Authorize.net has disabled TLS 1.1 on their end it doesn't mean you have to disable it in your application. Just include the code (which you have done) that specifies TLS 1.2 communication to specify TLS 1.2 but leave TLS 1.1 enabled on your own web application.
iteicAuthor Commented:
When running the application and looking at Event Viewer on the web server, the following two errors are shown:

Event ID 36887 -- A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.

Event ID 36871 -- A fatal error occurred while creating an SSL client credential. The internal error state is 10013.
Russ SuterCommented:
OK that error combined with the fact that you don't see any issues on your development machine leads me to think that FIPS is getting in the way (which it has a very annoying tendency to do). You should take a look at your server settings and see if FIPS is enabled. If it is, disable it, reboot your server, and try again.
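The registry-based instructions linked earlier (KB3140245 and the blog post on disabling TLS 1.0) and the FIPS suspicion in the comment above touch four separate places in the registry, and a mismatch in any of them produces the same "common algorithm" failure. The script below is an added example, not code from the thread or from Microsoft, that reads all of them on one host and reports them side by side. It is read-only. The registry paths are the documented Schannel, .NET Framework, WinHTTP and FIPS locations; the "Expected" column is this example's recommendation for a TLS 1.2-only host, not quoted from PCI DSS. Function names Get-RegDword, New-Row and Get-TlsConfigReport are this example's own.

```powershell
# Added example (not from the thread): read-only audit of the Windows registry
# settings that decide whether Schannel, the .NET Framework and WinHTTP will
# negotiate TLS 1.2, plus the FIPS policy flag. Run in an elevated Windows
# PowerShell session on each server. "Expected" values are this example's
# recommendation for a TLS 1.2-only host.

function Get-RegDword {
    param([string] $Path, [string] $Name)
    try { [int](Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: the component falls back to its built-in default
}

function New-Row {
    param([string] $Setting, $Value, [string] $Expected, [bool] $Ok)
    [pscustomobject]@{ Setting = $Setting; Value = $Value; Expected = $Expected; OK = $Ok }
}

function Get-TlsConfigReport {
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

    # 1. Schannel protocol switches, per protocol and per side. Client governs
    #    outbound connections (the app calling the gateway, or SQL Server);
    #    Server governs inbound ones (IIS, RDP), which is why the earlier comment
    #    warns about losing RDP when TLS 1.0 is switched off.
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key       = "$schannel\$proto\$side"
            $enabled   = Get-RegDword $key 'Enabled'
            $byDefault = Get-RegDword $key 'DisabledByDefault'
            $wantOn    = if ($proto -eq 'TLS 1.2') { 1 } else { 0 }
            New-Row "Schannel $proto $side" `
                "Enabled=$enabled DisabledByDefault=$byDefault" `
                "Enabled=$wantOn DisabledByDefault=$(1 - $wantOn)" `
                (($enabled -eq $wantOn) -and ($byDefault -eq (1 - $wantOn)))
        }
    }

    # 2. .NET Framework 4.x: with SchUseStrongCrypto=1 the framework offers TLS 1.2
    #    even when the application never sets ServicePointManager.SecurityProtocol.
    #    Both views matter: a 32-bit application pool reads the Wow6432Node copy.
    foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $v = Get-RegDword $hive 'SchUseStrongCrypto'
        New-Row "SchUseStrongCrypto ($hive)" $v '1' ($v -eq 1)
    }

    # 3. WinHTTP (the KB3140245 update): bit 0x800 in DefaultSecureProtocols
    #    enables TLS 1.2 for WinHTTP callers.
    $winhttp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
    $dsp = Get-RegDword $winhttp 'DefaultSecureProtocols'
    New-Row 'WinHTTP DefaultSecureProtocols' $dsp 'bit 0x800 set' `
        (($null -ne $dsp) -and (($dsp -band 0x800) -ne 0))

    # 4. FIPS mode: when Enabled=1, Schannel and .NET restrict the cipher suites
    #    they will use, which is the mismatch suspected in the comment above.
    $fips = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'
    New-Row 'FIPS algorithm policy' $fips '0 (or absent)' (($null -eq $fips) -or ($fips -eq 0))
}

Get-TlsConfigReport | Format-Table -AutoSize
```

Compare the report from the working development machine with the one from the production server; the rows whose OK column differs are the ones worth changing. Any Schannel or FIPS change requires a reboot to take effect, and turning TLS 1.0 Server off also affects RDP, so keep console access to the box while testing.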
iteicAuthor Commented:
Yes, based on another article I enabled it on the web server and DB server, but I am still having the issue with the CC transaction.

But with this change my application is at least able to connect to the DB server. Earlier, when I disabled TLS 1.0 and 1.1 and enabled TLS 1.2 on the web server, my application was not able to connect to the DB server, so at least that's working.