How to force TLS 1.2 Client-Server Communication

Issue

When you disable SSL 3.0, TLS 1.0, and TLS 1.1 and then enable TLS 1.2 on the server, agents return the following error when they register:

Message: Unable to register with server: System.AggregateException: One or more errors occurred.
System.ServiceModel.CommunicationException: An error occurred while making the HTTP request to https://SERVERNAME/Ams/Agent/AgentRegistration3.svc. 
This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. 
	System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. 
	System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. 
	System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host

Resolution

Arellia uses the Background Intelligent Transfer Service (BITS) to upload files from agents to the server. BITS does not support TLS 1.2 on Windows 7.

To force the Arellia agents to use TLS 1.2, do the following:

  1. Install the latest Arellia Agent.
  2. Download and install .NET 4.5 on the endpoint.
  3. Download and install the .NET 4.5 Hotfix.
    1. Download for Windows 7 and Windows 2008 R2 here.
    2. Download for Windows 8.x, and Windows 2012 here.
  4. Restart the Arellia Agent service.

Additional information

.NET 4.0 does not enable TLS 1.2 by default. To enable TLS 1.2, it is possible to set the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Those registry keys, however, will enable TLS 1.2 in all installed .NET 4.0 applications on that system.
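The following PowerShell script is an added example, not part of the Arellia article, showing how to inspect and set the SchUseStrongCrypto value under the two registry keys named above. The key paths and value name come from the article; the function names are the example's own. It must run in an elevated session, and because the setting is machine-wide it affects every .NET 4.x application on the host, which is the caveat the article makes.

```powershell
# Added example (not from the Arellia KB article): enable TLS 1.2 for .NET 4.x
# applications by setting SchUseStrongCrypto = 1 under both the 64-bit and the
# WOW6432Node .NET Framework keys. Run from an elevated PowerShell session.
# The change is machine-wide: every .NET 4.x application on this host is affected.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Get-StrongCryptoState {
    # Report the current SchUseStrongCrypto value for each key ($null = value absent).
    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name SchUseStrongCrypto `
                      -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{ Key = $key; SchUseStrongCrypto = $value }
    }
}

function Enable-StrongCrypto {
    foreach ($key in $keys) {
        # On a 32-bit OS there is no Wow6432Node hive; skip the key rather than create it.
        $parent = Split-Path -Path $key -Parent
        if (-not (Test-Path $parent)) {
            Write-Warning "Parent key $parent not present (32-bit OS?); skipping $key"
            continue
        }
        # Create the version key if it is missing, as the article allows.
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # DWORD SchUseStrongCrypto = 1 makes .NET 4.x offer TLS 1.2 by default.
        New-ItemProperty -Path $key -Name SchUseStrongCrypto `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

Write-Host 'Before:'
Get-StrongCryptoState | Format-Table -AutoSize
Enable-StrongCrypto
Write-Host 'After:'
Get-StrongCryptoState | Format-Table -AutoSize
```

Running processes do not pick up the new value; restart the Arellia Agent service (step 4 of the resolution) or any other .NET application that needs TLS 1.2 before re-testing registration against the server.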
