Hi All,
Due to the vulnerability issue with TLS 1.0, we recently disabled TLS 1.0 and enabled TLS 1.2 on the EventStore server by changing the registry keys listed in the following tables. The client connects to the EventStore server using the .NET API.
EventStore Server Side
Folder | Key | Value
HKey_Local_Machine\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 | SchUseStrongCrypto | 1
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server | Enabled | 0
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server | Enabled | 1
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server | Enabled | 1

Client Side
Folder | Key | Value
HKey_Local_Machine\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 | SchUseStrongCrypto | 1
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client | Enabled | 0
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client | Enabled | 1
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client | Enabled | 1
After making these changes, we get the following errors when trying to save events into EventStore:
[PID:01696:021 2016.09.27 03:11:52.047 INFO TcpConnectionSsl ] [S172.21.11.13:64214, L172.21.14.17:2115]: Exception on EndAuthenticateAsServer.
System.ComponentModel.Win32Exception (0x80004005): The client and server cannot communicate, because they do not possess a common algorithm
at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
at EventStore.Transport.Tcp.TcpConnectionSsl.OnEndAuthenticateAsServer(IAsyncResult ar) in c:\projects\eventstore\src\EventStore.Transport.Tcp\TcpConnectionSsl.cs:line 154
We made a change to TcpConnectionSsl.cs to forcibly use TLS 1.2. It works fine after we replaced some DLLs.
try
{
    // Explicitly list the protocol versions offered to the client.
    // Note: SslProtocols.Default is Ssl3 | Tls, so this set still permits SSL 3.0 and TLS 1.0
    // at the API level; the SCHANNEL "Enabled" keys listed above are what actually block them.
    var enabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Default;
    sslStream.BeginAuthenticateAsServer(certificate, false, enabledSslProtocols, true, OnEndAuthenticateAsServer, sslStream);
}
catch (AuthenticationException exc)
{
    Log.InfoException(exc, "[S{0}, L{1}]: Authentication exception on BeginAuthenticateAsServer.", RemoteEndPoint, LocalEndPoint);
    CloseInternal(SocketError.SocketError, exc.Message);
}
We are looking forward to getting more suggestions from you.
Thanks in advance.
Best Regards,
Zhengquan Yang
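The following PowerShell script is an added example for verifying both halves of the change described in the post (the registry keys in the tables and the protocol set the server actually negotiates); it is not part of the original post and not EventStore's own code. It reads the SchUseStrongCrypto and SCHANNEL "Enabled" values on the local machine, then opens a TLS handshake against an EventStore secure TCP port once per protocol version using System.Net.Security.SslStream, the same class TcpConnectionSsl.cs uses. The host name is a placeholder, the port 2115 is taken from the log line above, and the Wow6432Node path is the copy of the .NET key read by 32-bit processes. Run it as Administrator on the server (and on a client) after applying the registry changes.

```powershell
# Added example: audit the TLS registry settings from the post and probe what the
# EventStore server negotiates. Not from the original post or from EventStore.
param(
    [string]$EventStoreHost = 'eventstore.example.internal',  # placeholder host name
    [int]$EventStorePort    = 2115                            # port from the log line in the post
)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotnetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',              # 64-bit .NET processes
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'   # 32-bit .NET processes
)

# Returns the named registry value, or $null when the key or value is absent.
function Get-RegValueOrNull([string]$Path, [string]$Name) {
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Show-Value($v) { if ($null -eq $v) { '(not set)' } else { $v } }

Write-Host "== .NET SchUseStrongCrypto =="
foreach ($p in $dotnetKeys) {
    "{0,-66} {1}" -f $p, (Show-Value (Get-RegValueOrNull $p 'SchUseStrongCrypto'))
}

Write-Host "`n== SCHANNEL protocol state (Enabled value; absent = OS default) =="
foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Server', 'Client') {
        $path = Join-Path $schannel "$proto\$side"
        "{0,-8} {1,-7} Enabled={2}" -f $proto, $side, (Show-Value (Get-RegValueOrNull $path 'Enabled'))
    }
}

# Live check: one handshake per protocol version. With TLS 1.0 disabled on the
# server, the Tls attempt should fail and Tls12 should succeed.
# The validation callback accepts any certificate because this probe only cares
# about protocol negotiation; a real client must validate the certificate.
$acceptAnyCert = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $sslPolicyErrors) $true
}

Write-Host "`n== Handshake probe against ${EventStoreHost}:${EventStorePort} =="
$versions = @([System.Security.Authentication.SslProtocols]::Tls,
              [System.Security.Authentication.SslProtocols]::Tls11,
              [System.Security.Authentication.SslProtocols]::Tls12)
foreach ($proto in $versions) {
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($EventStoreHost, $EventStorePort)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAnyCert)
        $ssl.AuthenticateAsClient($EventStoreHost, $null, $proto, $false)
        "{0,-6} OK   negotiated {1}, cipher {2}" -f $proto, $ssl.SslProtocol, $ssl.CipherAlgorithm
    } catch {
        # The server-side log in the post reports this as "no common algorithm".
        "{0,-6} FAIL {1}" -f $proto, $_.Exception.GetBaseException().Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
}
```

A useful reading of the output: if the registry audit shows TLS 1.0 Server Enabled=0 and TLS 1.2 Server Enabled=1 but the Tls12 probe still fails, the mismatch is on the cipher-suite or certificate side rather than the protocol version, which is the distinction the "do not possess a common algorithm" message does not make on its own.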