LarryM  
#1 Posted : Friday, February 10, 2017 8:37:36 PM(UTC)
LarryM


Rank: Guest

Joined: 2/10/2017(UTC)
Posts: 4
Location: Irving, TX

I've made the necessary changes to get our self-hosted version running on port 443/8041 and am redirecting port 80 to 443 per the instructions found elsewhere in these forums. After making the configuration changes I go to www.ssllabs.com and run a test against the server and the best I can get is a "B."

I've tried to disable ciphers and protocols using the IISCrypto utility and haven't had any luck. The server quits answering and I have to restore from a snapshot to get things functioning again.

Anyone had any luck disabling TLS 1.0 and old RC4 ciphers?

Thanks
netrelay  
#2 Posted : Saturday, February 11, 2017 9:50:32 AM(UTC)
netrelay


Rank: Newbie

Joined: 2/7/2014(UTC)
Posts: 2
Italy

Does your SC installation run on a Linux box? ;-)
LarryM  
#3 Posted : Monday, February 13, 2017 2:10:23 PM(UTC)

It's running on a Windows VM.
Scott  
#4 Posted : Monday, February 13, 2017 2:19:21 PM(UTC)
Scott


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 3/28/2014(UTC)
Posts: 2,438
United States

Thanks: 3 times
Was thanked: 299 time(s) in 257 post(s)
Hmm, you may want to revisit why IISCrypto wasn't working; using that utility I can disable the RC4 cipher suite without causing any problems on my test installation.

When you say the "server quits answering" are you talking about the VM itself or just the webpage? Is anything thrown into the Application log in the Event Viewer?
ScreenConnect Team
LarryM  
#5 Posted : Monday, February 13, 2017 3:23:11 PM(UTC)

It was just the webpage not answering. Logging into the server was fine. Didn't see anything in event logs for schannel or screenconnect either.

I've gone back and tried several different options using IISCrypto and was able to get RC4 disabled but am still working on TLS 1.0. Seems like it might be related to the "Set client side protocols" button but I'm unsure of how that figures into the overall picture. If I can get a clear, concise configuration that works I'll post back for the benefit of others.
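
The Server/Client split behind the "Set client side protocols" question above, as an added example that is not part of the original thread and is not ScreenConnect or IISCrypto code: a read-only PowerShell audit of the standard Windows Schannel registry keys, which hold separate settings for the Server role (inbound connections) and the Client role (outbound connections). It assumes IISCrypto's changes are stored in these keys; the function name `Get-SchannelValue` is hypothetical.

```powershell
# Added example: read-only audit of Schannel protocol and RC4 cipher settings.
# Run in an elevated PowerShell session on the Windows server being checked.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelValue {
    param([string]$SubKey, [string]$Name)
    # The .NET registry API is used because cipher key names contain '/',
    # which the PowerShell registry provider treats as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubKey")
    if ($null -eq $key) { return $null }   # key absent: nothing configured
    try { return $key.GetValue($Name, $null) } finally { $key.Close() }
}

function Format-Setting {
    param($Value)
    # A missing value means the operating system default applies.
    if ($null -eq $Value) { 'not set (OS default)' } else { $Value -ne 0 }
}

$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$report = foreach ($p in $protocols) {
    # Server = connections this host accepts; Client = connections it initiates.
    foreach ($role in 'Server', 'Client') {
        [pscustomobject]@{
            Item              = $p
            Role              = $role
            Enabled           = Format-Setting (Get-SchannelValue "Protocols\$p\$role" 'Enabled')
            DisabledByDefault = Format-Setting (Get-SchannelValue "Protocols\$p\$role" 'DisabledByDefault')
        }
    }
}

# RC4 cipher keys apply to both roles and carry only an Enabled value.
$ciphers = 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128'
$report += foreach ($c in $ciphers) {
    [pscustomobject]@{
        Item              = $c
        Role              = 'Both'
        Enabled           = Format-Setting (Get-SchannelValue "Ciphers\$c" 'Enabled')
        DisabledByDefault = 'n/a'
    }
}

$report | Format-Table -AutoSize
```

Schannel picks up changes to these values after a reboot, so compare the report with an external scan only once the server has restarted.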

Scott  
#6 Posted : Wednesday, February 15, 2017 2:55:43 PM(UTC)
So, disabling TLS 1.0 is very problematic. Right now ClickOnce still relies upon it to establish a secure connection for the vast majority of users. Up until .NET 4.6.2(ish) ClickOnce only supported TLS 1.0, but now they support newer versions. If you are confident that every user who joins a Support or Meeting session has the latest version of .NET then disabling TLS 1.0 shouldn't cause a problem. If you're not sure, it's probably best to leave it enabled for the time being.
ScreenConnect Team
LarryM  
#7 Posted : Wednesday, February 15, 2017 6:54:20 PM(UTC)

I've successfully disabled it so far without issue. Most of what we use is "access" instead of "support."

You are correct regarding .NET versions and I have encountered this with other applications as well. To my understanding .NET 4.6 is the first version that supported TLS 1.2 natively. Earlier versions could be made to work with code changes but I'm unsure of what is applicable to what version.

This push by PCI standards to disable TLS 1.0 causes problems far and wide. In fact, many applications may never be updated to comply. I understand the motivation; however, in practical terms it's much easier said than done.