
I'm struggling with a very weird issue on one of the WS 2019 machines. Basically, we're having trouble connecting the LOB app to their cloud service. At first glance, the issue seems to be with TLS negotiation, but I don't understand where it fails.

I've been able to narrow it down to a single endpoint. When trying to connect to https://collabmaintenance.myob.com/ using IE11 (consequently using the system libraries and schannel), it shows a "Can't connect securely to this site" error message. Firefox and Chrome when run from the same machine connect fine (resulting in 401 Permission Denied which is expected), so it's not a firewall issue. Connecting to, say, https://login.myob.com is successful using any browser.

Things I've looked at:

  • Packet trace shows that the connection is established successfully; however, it's dropped by the client (local computer) immediately after receiving the TLS 1.2 Server Hello (the cipher suite chosen by the server is one of the suites offered in the Client Hello). It's dropped before the server has a chance to send a certificate, so it's also not a certificate issue. (Edited to add: not "dropped" but "closed", as in the client sends a FIN packet, not an RST right away.)

  • Checked schannel's ciphers and protocols using Nartac Software's IISCrypto (which looked fine), and applied a slightly less restrictive template allowing TLS 1.0 and above. Yes, I know it's less secure, but I wanted to be sure it's not that.

  • Disabled the Windows firewall completely. There is no antivirus running on the server either.

I've also tried to do a request using PowerShell as advised by someone, with

try { Invoke-WebRequest https://collabmaintenance.myob.com/ -UseBasicParsing } catch { write-host $_.exception }

and got the following:

System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.

The error is the same whether I force TLS 1.0, 1.1 or 1.2 by issuing

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls (or Tls11 or Tls12)

If I try to force SSL3 instead, the error message is different:

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm

What else do I need to check? I'm at my wits' end.

PS: Please try to understand the question before writing the answer. Low-effort answers like "use a different browser" or "check the SSL certificates" are not helping.

Draco-S
  • Define 'dropped' -- does your machine send an alert or anything else at TCP level or nothing, and FIN or RST? Is there anything in the event log at that time? SSL Labs (Qualys) reports, among other issues, that the server doesn't support secure renegotiation (i.e. RFC 5746) -- I don't know that schannel would or should abort for that, but it does suggest the server is either broken or way obsolete -- although it _identifies_ as Microsoft-IIS/10.0. (It _could_ be something lame in _front_ of IIS10.) – dave_thompson_085 Mar 02 '21 at 07:40
  • Sorry, not "dropped" but more likely "closed". The client sends a FIN packet to gracefully close the connection. And I really doubt that the lack of secure renegotiation would be an immediate drop from schannel, it's not *that* picky. – Draco-S Mar 02 '21 at 09:06
  • You may not like it, but try MS Edge instead of IE. IE is soon going to be End of Life. I have seen similar issues with sites, they work fine on IE using Server 2008 R2, but when accessed from Server 2019, they fail. – Abu Zaid Mar 06 '21 at 17:46
  • @AbuZaid To quote myself, "Low-effort answers like "use a different browser" or "check the SSL certificates" are not helping." – Draco-S Mar 06 '21 at 23:42
  • As I said, you may not like it. We still find people running Windows XP in 2021 and having the expectation that their operating system should get support from community forums. – Abu Zaid Mar 08 '21 at 14:20
  • As I said, please try to understand the question. IE11 here is used as a troubleshooting tool because of the specific properties that other browsers (including Edge) lack, namely, using the schannel library instead of OpenSSL. Additionally, how would switching to Edge help with the Invoke-WebRequest test? – Draco-S Mar 09 '21 at 06:32
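The Invoke-WebRequest test in the question only surfaces the generic "Could not create SSL/TLS secure channel" wrapper. The following script is an added diagnostic, not code from the asker or from MYOB: it drives schannel directly through SslStream, one protocol version at a time, and unwraps the exception chain down to the native SEC_E_* status code, then lists the cipher suites schannel is actually permitted to offer so they can be compared against the suite the server selects in its Server Hello. The host name is the one from the question; Get-TlsCipherSuite is assumed to be available (it ships with Server 2016 and later).

```powershell
# Added diagnostic (not from the question): drive schannel directly through
# SslStream so the failing protocol version and the native SEC_E_* status
# are exposed, rather than the generic wrapper message Invoke-WebRequest gives.
# Host and port are the ones from the question.
$TargetHost = 'collabmaintenance.myob.com'
$Port       = 443

function Test-SchannelHandshake {
    param(
        [string]$HostName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any server certificate: the question shows the handshake dies
        # before a certificate is even received, so validation is not the point.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{
            Protocol = $Protocol
            Result   = 'OK'
            Detail   = '{0} {1}/{2} {3} {4}' -f $ssl.SslProtocol, $ssl.CipherAlgorithm,
                       $ssl.CipherStrength, $ssl.HashAlgorithm, $ssl.KeyExchangeAlgorithm
        }
    } catch {
        # Walk to the innermost exception; for schannel failures this is usually
        # a Win32Exception whose NativeErrorCode is the SEC_E_* status (0x80090331
        # is SEC_E_ALGORITHM_MISMATCH, the "no common algorithm" case in the question).
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }
        $code = if ($inner -is [System.ComponentModel.Win32Exception]) {
            '0x{0:X8}' -f $inner.NativeErrorCode
        } else { 'n/a' }
        [pscustomobject]@{ Protocol = $Protocol; Result = "FAIL $code"; Detail = $inner.Message }
    } finally {
        $client.Close()
    }
}

# One handshake per protocol version, mirroring the ServicePointManager test.
foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    Test-SchannelHandshake -HostName $TargetHost -Port $Port -Protocol $p
}

# Cipher suites schannel will actually offer in the Client Hello, in priority
# order. Compare against the suite the server picked in its Server Hello.
Get-TlsCipherSuite | Select-Object Name, Protocols, Exchange, Cipher, Hash
```

To get schannel's own account of the failure in the System event log, set the DWORD `EventLogging` under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL` to 7 and reboot; the Schannel events logged at the moment the client sends its FIN will name the alert or status behind the close.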
