
We currently have 2 environments: TEST and PRODUCTION.

Recently, when we set TLS on our TEST environment per this document https://success.outsystems.com/Support/Enterprise_Customers/Maintenance_and_Operations/(.NET)_Enable_SSL_Protocols_for_your_Integrations_-_TLS_1.1_and_TLS_1.2

the TLS handshake log is captured using Netmon (i.e. client is 1.2 to server 1.0, thus will use 1.0).

But on PRODUCTION it doesn't get captured (i.e. client is 1.2 to server 1.0, thus will use 1.0, but in Netmon it doesn't show as 1.2).

The question I'm asking is: is there a sequence for a TLS handshake to happen, i.e. start off with 1.2 and, if not, move on to 1.1, etc.?

TLS 1.2 as first choice

If this is the case, I am wondering if there's some other setting we should be looking at, or is this a Netmon issue? Or something else entirely?

someguy
  • Network Monitor has no reason to miss any TLS packet. Paste screen shots to support what you said, or say it in a clearer way. Your current statement is ambiguous. – Lex Li Mar 17 '18 at 01:00
  • Likely, TLS 1.2 is not properly enabled/configured. It's not easy. We just wrote an article about this, including using Netmon to verify TLS is working: http://blog.thelevelup.com/pci-security-is-your-restaurant-ready/ – user24601 Mar 19 '18 at 01:18

1 Answer


First, make sure TLS 1.2 is properly enabled and configured. Unfortunately, Microsoft does not make this very easy.

To enable TLS 1.2 for applications using Secure Channel (Schannel), the following Schannel registry keys must be set:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000

To enable TLS 1.2 for applications using .NET Framework 4.5 and higher, the following .NET Framework strong cryptography registry keys must be set:

On 32-bit and 64-bit systems:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

On 64-bit systems:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

See this article on enabling TLS 1.2 on Windows and using Netmon to verify TLS 1.2 is working: http://blog.thelevelup.com/pci-security-is-your-restaurant-ready/

You can download TLS Patcher from GitHub to help with configuring TLS 1.2.

user24601
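As an added example (editor's code, not from the answer above, the linked article, or the OutSystems document), here is a PowerShell audit script that reads every registry value the answer lists, on both hives, and reports a missing key or value separately from an explicit 0 or 1, so the TEST and PRODUCTION servers can be compared line by line before anything is changed. The `Enable-Tls12PerAnswer` function name, the extra SSL 3.0 / TLS 1.0 / TLS 1.1 rows, and the `Get-RegValueOrDefault` helper are my own additions; the paths and values themselves are exactly the ones in the answer.

```powershell
# Added example, not part of the original answer: audit the registry values the
# answer lists (Schannel protocol keys and .NET SchUseStrongCrypto) so that
# TEST and PRODUCTION can be compared side by side. Run as Administrator.

$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = @('SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')   # extra rows beyond the answer's TLS 1.2
$DotNetKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'   # 64-bit systems only
)

# Read one value and return a marker when the key or value is absent, so the
# report distinguishes "explicitly 0" from "left at the OS default".
function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return '(key missing, OS default)' }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return '(value missing, OS default)' }
    return $item.$Name
}

# One row per protocol/role pair under SCHANNEL\Protocols.
function Get-SchannelProtocolState {
    foreach ($proto in $Protocols) {
        foreach ($role in 'Client', 'Server') {
            $path = Join-Path -Path $SchannelBase -ChildPath "$proto\$role"
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = Get-RegValueOrDefault -Path $path -Name 'Enabled'
                DisabledByDefault = Get-RegValueOrDefault -Path $path -Name 'DisabledByDefault'
            }
        }
    }
}

# .NET Framework 4.x strong-crypto switch, native and Wow6432Node hives.
function Get-DotNetStrongCryptoState {
    foreach ($key in $DotNetKeys) {
        [pscustomobject]@{
            Key                = $key
            SchUseStrongCrypto = Get-RegValueOrDefault -Path $key -Name 'SchUseStrongCrypto'
        }
    }
}

# Apply exactly the values from the answer (creates keys if absent). Schannel
# reads these at boot, so reboot before re-checking with Netmon; the .NET value
# only affects processes started after it is set.
function Enable-Tls12PerAnswer {
    foreach ($role in 'Client', 'Server') {
        $path = Join-Path -Path $SchannelBase -ChildPath "TLS 1.2\$role"
        New-Item -Path $path -Force | Out-Null
        New-ItemProperty -Path $path -Name 'Enabled'           -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # The answer lists the Wow6432Node key for 64-bit systems only.
    $keys = if ([Environment]::Is64BitOperatingSystem) { $DotNetKeys } else { @($DotNetKeys[0]) }
    foreach ($key in $keys) {
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

"== Schannel protocol keys on $env:COMPUTERNAME =="
Get-SchannelProtocolState | Format-Table -AutoSize
"== .NET Framework strong crypto =="
Get-DotNetStrongCryptoState | Format-Table -AutoSize
# What this PowerShell process itself would offer in its ClientHello:
"== ServicePointManager.SecurityProtocol in this process: $([Net.ServicePointManager]::SecurityProtocol) =="

# Uncomment on a host where the audit shows the keys missing, then reboot:
# Enable-Tls12PerAnswer
```

Run the audit on both servers and diff the two outputs; a row that reads "(key missing, OS default)" on PRODUCTION but 1 on TEST is the usual cause of the difference the question describes. On the negotiation question itself: up to TLS 1.2 there is no retry sequence. The client's ClientHello carries the highest version it supports and the server replies with the highest version both sides support, so a single Netmon trace of a 1.0 connection from a correctly configured client shows 1.2 in the ClientHello and 1.0 in the ServerHello. If the ClientHello already shows 1.0, the client-side configuration (the Client key and, for .NET applications, SchUseStrongCrypto) is what to look at.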