msxml6.dll error '80072f7d' An error occurred in the secure channel support

Question

I have seen this question floating around but no answer as yet. My server is using TLS 1.2 as is the server I am requesting from

<!--#INCLUDE virtual="/json/jsonObject.class.asp"-->
<%
    Session.LCID=2057
    Dim jsonString, jsonObj, outputObj

    Set xmlhttp = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")
    xmlhttp.SetOption 2, xmlhttp.GetOption(2)
    xmlhttp.open "POST", "https://xxx.domain/api/auth", 0
    xmlhttp.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    xmlhttp.send "ClientId=X&ClientSecret=Y&GrantType=Z"
    jsonString = xmlhttp.responseText    
    response.write(jsonString)
    Set xmlhttp = Nothing 

    set jsonObj = new JSONobject
    set outputObj = jsonObj.parse(jsonString)

    'response.write(outputObj("access_token"))
%>

This gives me

msxml6.dll error '80072f7d'

An error occurred in the secure channel support

I've seen some suggestions on dropping server from ServerXMLHTTP so I did that and I get

Microsoft VBScript runtime error '800a01b6'

Object doesn't support this property or method: 'xmlhttp.GetOption'

I resolve that and then it says SetOption isn't supported. I remove that line entirely and then it says ClientID is not being sent

When I try and use https://markohoven.com/2020/03/06/msxml2-serverxmlhttp-and-tls1-2/ I get

Microsoft VBScript runtime error '800a0005'

Invalid procedure call or argument: 'XMLServer.Option'

I then tried the below

<%
Set winhttp = Server.CreateObject("WinHTTP.WinHTTPRequest.5.1")
winhttp.open "GET", "https://howsmyssl.com/a/check", False
winhttp.Send
Response.Write winhttp.responseText 
%>

This gives the below that suggests I am not using TLS 1.2?

{
    "given_cipher_suites": ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5"],
    "ephemeral_keys_supported": true,
    "session_ticket_supported": false,
    "tls_compression_supported": false,
    "unknown_cipher_suite_supported": false,
    "beast_vuln": true,
    "able_to_detect_n_minus_one_splitting": false,
    "insecure_cipher_suites": {
        "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA": ["uses 3DES which is vulnerable to the Sweet32 attack but was not configured as a fallback in the ciphersuite order"],
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA": ["uses 3DES which is vulnerable to the Sweet32 attack but was not configured as a fallback in the ciphersuite order"],
        "TLS_RSA_WITH_RC4_128_MD5": ["uses RC4 which has insecure biases in its output"],
        "TLS_RSA_WITH_RC4_128_SHA": ["uses RC4 which has insecure biases in its output"]
    },
    "tls_version": "TLS 1.0",
    "rating": "Bad"
}

The server I am using Windows Server 2008. Is there anything else I can do?

Answer 1

You need to upgrade your Windows server to TLS 1.2 (any version is fine), follow these steps:

Classic ASP Outbound TLS 1.2

I then recommend you continue use MSXML2.ServerXMLHTTP.6.0, without the setoptions and getoption - they are not required