
I have a django-python server with a VBA front end connecting using WinHTTP and a REST API. So, in this case the requests sent and received are controlled by us and predetermined.

A while ago, when our servers were updated to TLS from SSL, we had a lot of users facing a "connection terminated abnormally" error when using VBA WinHTTP and REST APIs. We used the existing Microsoft article to update the machines of users on Windows 7 and the problem was resolved. More recently, I have had a few cases of the same error where the patch/update had been applied before, or its application did not fix the issue.

I don't see their incoming traffic on our server log at all (some are using proxy servers), but even the proxy server IP is not there.

I am trying to find out where to look or what else can cause this issue so I can track it down. Any idea/suggestion is appreciated.

Source: Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows

  • Have you changed the registry keys manually as well? Or did you only use the quick fix on the website? – Alex de Jong Mar 22 '19 at 15:32
  • The users are remote and not tech savvy, so nothing on user registry and only the quick fix. The quick fix has been sufficient in many cases and also one of the users with the issue had the quick fix before and was working fine. – Moe Mar 22 '19 at 15:33
  • You have to change the registry key values as well. The quickfix will only create them but will not always have the correct default value. We deal a lot with this lately since we use winhttp and recently decided to only allow TLS 1.2. – Alex de Jong Mar 22 '19 at 15:34
  • I see, that's great to know. How about if I set it from within the front-end VBA code using hreq.Option(WinHttpRequestOption_SecureProtocols) = 512 or 2048? Could that bypass the registry default in case it's not correct? I know 512/2048 are only defined when the patch and quick update are applied. So I might have to do some error handling. – Moe Mar 22 '19 at 15:43

1 Answer


This is for reference for future visitors with a similar issue:

I have been facing the issue of TLS on Windows 7 clients for a while and did one round of fixing based on the Microsoft article, summarized below:

Step 1. Get Microsoft Update KB3140245: Download the relevant (32-bit or 64-bit, matching the user's Windows version) Microsoft Security Protocol Update and install it if not already installed.

Step 2. Download Microsoft Easy Fix: Download the Microsoft "Easy Fix" from the Microsoft Support Article, and execute it to set TLS 1.1+ as default.

However, later on, I had another round of similar issues which made me realize the fix tool on the Microsoft page will not set all the registry keys (missing SChannel registry keys). So, I managed to put some scripts together to allow the full fix by setting both Internet Options and SChannel. The SChannel registry keys for TLS 1.1/1.2 need to be added to enable TLS by default for WinHTTP.

WinHttp Keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
==> DWORD DefaultSecureProtocols=0x00000A00 (32-bit and 64-bit)

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
==> DWORD DefaultSecureProtocols=0x00000A00 (64-bit)

SCHANNEL Keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client 
==> DWORD DisabledByDefault=0x00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
==> DWORD DisabledByDefault=0x00000000

Comprehensive Fix: The Microsoft patch does not fix all the registry entries to update WinHTTP defaults and skips over the SChannel entries. So, if the two-step fix above did not resolve the issue, this GitHub project contains PowerShell scripts to download and apply all the required registry modifications listed above and might be helpful for a more comprehensive one-shot fix: Winttp-TLS

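As an added example (not code from the answer or from the linked Winttp-TLS project), the following PowerShell audits the WinHTTP and SChannel values listed in the answer on a client and, when run with -Apply from an elevated prompt, creates or corrects any that are missing; the key paths and values are the ones from the answer, the script structure and the Wow6432Node detection are assumptions.

```powershell
# Added example: audit (and optionally set) the registry values from the answer above.
# Usage: .\Check-WinHttpTls.ps1            -> report only
#        .\Check-WinHttpTls.ps1 -Apply     -> also create/fix values (needs elevation)
param([switch]$Apply)

# 0x0A00 = TLS 1.1 (0x200) + TLS 1.2 (0x800); these are the same bit values (512 + 2048)
# that WinHttpRequestOption_SecureProtocols takes in the VBA code mentioned in the comments.
$desired = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
       Name = 'DefaultSecureProtocols'; Value = 0x0A00 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client'
       Name = 'DisabledByDefault'; Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
       Name = 'DisabledByDefault'; Value = 0 }
)
# The Wow6432Node hive only exists on 64-bit Windows; 32-bit Office/VBA on a 64-bit OS reads it.
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $desired += ,@{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
                    Name = 'DefaultSecureProtocols'; Value = 0x0A00 }
}

$needsFix = $false
foreach ($e in $desired) {
    # Read the value; a missing key or value yields $null instead of an error.
    $current = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    if ($current -eq $e.Value) {
        Write-Host ("OK      {0}\{1} = 0x{2:X}" -f $e.Path, $e.Name, $current)
        continue
    }
    $needsFix = $true
    $shown = if ($null -eq $current) { '<missing>' } else { '0x{0:X}' -f $current }
    Write-Host ("MISSING {0}\{1} = {2} (want 0x{3:X})" -f $e.Path, $e.Name, $shown, $e.Value)
    if ($Apply) {
        # Create the key path if needed (the SChannel TLS 1.x\Client keys are often absent), then the DWORD.
        if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        New-ItemProperty -Path $e.Path -Name $e.Name -PropertyType DWord -Value $e.Value -Force | Out-Null
        Write-Host ("SET     {0}\{1} = 0x{2:X}" -f $e.Path, $e.Name, $e.Value)
    }
}
if ($needsFix -and -not $Apply) { Write-Host 'Re-run with -Apply from an elevated prompt to set the values.' }
```

A report showing only OK lines but still failing connections points away from these keys (e.g. the KB3140245 update itself is missing, or a proxy in the path does not support TLS 1.1/1.2).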