TLS 1.2 issue on Windows 2012 R2

0

Hi. Our application (Microsoft ASP.NET + background services) runs on a Windows 2012 R2 VM. We use the AWS email notification service to send out emails from the application.

The emailing service has recently raised a TLS 1.2 issue. We attempted to enable TLS 1.2 on the server; however, the error message still occurs.

Any suggestion would be appreciated! Thanks

  • Hi, can you update your question and publish the error message that you still get?

  • I've checked the logs, cannot find the exact statement. However, it is mentioned that the current TLS version is not supported by the notification service and TLS 1.2 is required on the server. When the code is debugged locally, no issue at all. According to the doc, TLS 1.2 should be enabled by default - it doesn't appear to be.

3 Answers
0

Without familiarity with your application, I'm guessing it's using the AWS SDK for .NET to send the notifications to an Amazon SNS topic, and that's the part that is failing. As you said, TLS 1.2 is enabled by default in Windows, including in the end-of-life, unsupported WinSrv 2012 R2 version that you're running, having new, unpatched vulnerabilities emerge every month. The AWS SDK additionally does what it can to request the operating system explicitly to use TLS 1.2, as explained in this documentation article: https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/enforcing-tls.html

However, ultimately, AWS SDK for .NET relies on the TLS implementation of Windows (SChannel), so if Windows has been configured not to use TLS 1.2, the SDK won't be able to use it either.

If you can't move your application to a new server running WinSrv 2022 or another supported version of Windows (which you really, really should do), but if you can update the AWS SDK for .NET in your application to the latest version, I'd suggest that as the quick and otherwise beneficial first step. Assuming that you're still using .NET Framework, also update it to the last (no longer just the latest) version on the server, and recompile your application with that .NET Framework version as the target. That'll give you the benefit of all the fixes or workarounds AWS and Microsoft might have implemented.

If that doesn't help, then while it can be tedious to do, I suggest you check the TLS settings in the Windows registry on the server to verify that TLS 1.2 hasn't been disabled in Windows. Note that the settings in registry might get overwritten by a GPO coming from AD or set locally on the server, in which case you'll have to fix the GPO. This could explain why your application works on your development machine but not the end-of-life production server; the dev machine could be running with the default settings for Windows that enable TLS 1.2, while the server could have an old, custom configuration that restricts it to TLS 1.0 only. https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings?tabs=diffie-hellman#tls-dtls-and-ssl-protocol-version-settings

EXPERT
Leo K
answered 2 months ago
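The registry check the answer above describes, as an added example (not code from this thread, from AWS, or from Microsoft): a PowerShell audit of the Schannel protocol keys and the .NET Framework TLS keys that decide whether the app's outbound connection can negotiate TLS 1.2. The registry paths and value names are the documented ones; the threshold for "4.6 or later" is the published Release value. Run it elevated on the production server and once on the development machine, and diff the two outputs.

```powershell
# Added example (not code from the thread, AWS, or Microsoft): audit the registry
# values that decide whether .NET Framework code on this Windows Server 2012 R2
# host can negotiate TLS 1.2 as a client. Run from an elevated PowerShell prompt
# on the affected server and compare with the same output on the dev machine.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)
    $key = Join-Path $schannel "$Protocol\$Side"
    $enabled = $null
    $dbd     = $null
    if (Test-Path $key) {
        $props   = Get-ItemProperty -Path $key
        $enabled = $props.Enabled
        $dbd     = $props.DisabledByDefault
    }
    # Schannel semantics: Enabled=0 hard-disables the protocol for every caller;
    # DisabledByDefault=1 keeps it off unless the application explicitly asks
    # for it. A missing key or value means the OS default applies, and on 2012 R2
    # the default has TLS 1.2 enabled for both Client and Server.
    $effective = if ($enabled -eq 0) { 'DISABLED (Enabled=0)' }
                 elseif ($dbd -eq 1) { 'off unless app requests it (DisabledByDefault=1)' }
                 else { 'enabled' }
    [pscustomobject]@{
        Protocol          = $Protocol
        Side              = $Side
        Enabled           = if ($null -eq $enabled) { '(not set)' } else { $enabled }
        DisabledByDefault = if ($null -eq $dbd)     { '(not set)' } else { $dbd }
        Effective         = $effective
    }
}

'TLS 1.0', 'TLS 1.1', 'TLS 1.2' | ForEach-Object {
    $proto = $_
    'Client', 'Server' | ForEach-Object { Get-SchannelProtocolState -Protocol $proto -Side $_ }
} | Format-Table -AutoSize

# .NET Framework side. The call from the ASP.NET app to AWS is a *client*
# connection, so these matter together with the Schannel 'Client' rows above.
# SchUseStrongCrypto=1: apps built for .NET 4.5 or older, running on 4.6+, offer
#   TLS 1.0/1.1/1.2 instead of the old SSL 3.0/TLS 1.0 pair.
# SystemDefaultTlsVersions=1: .NET 4.7+ defers to the Schannel protocol list
#   instead of a hard-coded one.
@(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'  # 32-bit app pools
) | ForEach-Object {
    $p = if (Test-Path $_) { Get-ItemProperty -Path $_ } else { $null }
    [pscustomobject]@{
        Key                      = $_
        SystemDefaultTlsVersions = if ($null -eq $p.SystemDefaultTlsVersions) { '(not set)' } else { $p.SystemDefaultTlsVersions }
        SchUseStrongCrypto       = if ($null -eq $p.SchUseStrongCrypto)       { '(not set)' } else { $p.SchUseStrongCrypto }
    }
} | Format-Table -AutoSize

# Installed .NET Framework 4.x build: a Release value of 393295 or higher is 4.6+,
# the first line whose default SecurityProtocol includes TLS 1.2.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
"Installed .NET Framework 4.x Release: $($ndp.Release) (4.6 or later = 393295+)"

# If a value above is wrong and comes back after you correct it, a GPO (or a Group
# Policy Preference) is rewriting the key; locate it with: gpresult /h C:\Temp\gp.html
```

A row reading "DISABLED (Enabled=0)" for TLS 1.2 / Client, or "(not set)" for both .NET keys on a server running an app compiled for .NET 4.5, is exactly the dev-versus-production difference the answer suspects. Fix the key, re-run, and if the value reverts, fix the policy that owns it rather than the key.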
0

The fact that enabling TLS 1.2 on your Windows 2012 R2 server didn't resolve the TLS 1.2 issue with the AWS email notification service suggests there might be more to the problem. Here are some debugging steps you can take to identify the root cause and fix the email-sending issue:

  1. Verification and Troubleshooting:

  • Double-check TLS Version: Ensure you've correctly enabled TLS 1.2 on the server. Use tools like OpenSSL (openssl s_client -tls1_2 -connect smtp.amazonaws.com:465) to verify the server's supported TLS version.
  • Review Error Message: Analyze the exact error message you're encountering. It might provide more specific clues about the issue.

  2. Potential Causes and Solutions:

  • .NET Framework Version: Older versions of the .NET Framework might not support TLS 1.2 by default. Consider upgrading to a newer version (.NET 4.6 or later) that offers built-in TLS 1.2 support.
  • System Configuration: Some group policies or registry settings might be overriding the enabled TLS 1.2 protocol. Check for any such policies or settings related to TLS/SSL protocols.
  • Third-Party Libraries: If you're using third-party libraries for email functionality, ensure they are compatible with TLS 1.2. Update them if necessary.
  • AWS Region: Verify that your code is connecting to the correct AWS region's SMTP endpoint. Different regions might have slight configuration nuances.

  3. Additional Resources:

  • Microsoft Docs - .NET Framework Schannel Security: https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client (This resource provides guidance on enabling TLS 1.2 in .NET Framework)
  • AWS Documentation - Email Sending: https://aws.amazon.com/ses/ (This document covers using the AWS email notification service)

  4. Debugging Tools:

  • Network Capture Tools: Tools like Wireshark can capture network traffic to inspect the communication between your application and the AWS email server. This can reveal details about the attempted TLS handshake and potential errors.
  • Logging and Tracing: Implement verbose logging or tracing in your application to capture details about the email-sending process and any encountered errors. This can help pinpoint where the issue is occurring within your code.

By systematically following these steps and leveraging the provided resources, you should be able to identify the reason behind the persistent TLS 1.2 error and enable successful email sending with the AWS email notification service from your ASP.NET application on Windows 2012 R2.

answered 2 months ago
0

Can you share the full text of the error message you are getting with the TLS 1.2 problem?

A common problem for users with older operating systems is that they may not update their operating system. As a result, the trusted root certificates stored in the OS may become outdated, and the latest certificates cannot be checked properly, resulting in certificate errors.

EXPERT
shibata
answered 2 months ago
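An added example that is not part of any answer above, serving both the handshake verification the second answer asks for and the outdated-root-store possibility the third answer raises: a PowerShell script that opens a TLS 1.2-only connection from the server through the same Schannel stack .NET Framework uses, prints the negotiated protocol and cipher, and reports certificate-chain problems instead of silently failing on them. The target host and port are assumptions for illustration; put in the endpoint your application actually calls.

```powershell
# Added example, not code from the thread: open a TLS 1.2-only connection from this
# server through the same Schannel stack .NET Framework uses, print what was
# negotiated, and surface any certificate-chain problem instead of hiding it.
# $Target/$Port are assumptions for illustration; substitute the endpoint your
# application actually talks to (the SNS/SES API host on 443, or the SES SMTP
# host on 465 for implicit TLS).
$Target = 'sns.us-east-1.amazonaws.com'
$Port   = 443

$script:chainProblems = @()
$validate = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    if ($errors -ne [System.Net.Security.SslPolicyErrors]::None) {
        $script:chainProblems += "SslPolicyErrors: $errors"
        foreach ($s in $chain.ChainStatus) {
            $script:chainProblems += "  $($s.Status): $("$($s.StatusInformation)".Trim())"
        }
    }
    return $true   # report rather than abort, so the negotiated protocol is still shown
}

$client = New-Object System.Net.Sockets.TcpClient
$ssl    = $null
try {
    $client.Connect($Target, $Port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $validate)
    # Ask Schannel for TLS 1.2 only, which is what an app that sets
    # ServicePointManager.SecurityProtocol = Tls12 does. With Enabled=0 on the
    # TLS 1.2 Client key this throws instead of negotiating.
    $ssl.AuthenticateAsClient($Target, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
    "Negotiated $($ssl.SslProtocol): cipher=$($ssl.CipherAlgorithm)/$($ssl.CipherStrength) hash=$($ssl.HashAlgorithm) kx=$($ssl.KeyExchangeAlgorithm)"
    "Server certificate: $($ssl.RemoteCertificate.Subject), expires $($ssl.RemoteCertificate.GetExpirationDateString())"
} catch {
    # With the registry settings correct, a failure here points at cipher suites,
    # an intercepting proxy/firewall, or the certificate chain, not the protocol flag.
    "TLS 1.2 handshake to ${Target}:${Port} failed: $($_.Exception.GetBaseException().Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Close()
}

if ($script:chainProblems.Count -gt 0) {
    'Certificate chain problems (outdated root store, or an interception proxy?):'
    $script:chainProblems
    # Roots normally arrive through Windows Update / automatic root updates; on a
    # host cut off from both, the endpoint's issuing root must be present under
    # Cert:\LocalMachine\Root or validation fails.
} else {
    'Certificate chain validated against the machine root store.'
}
```

Run it on the production server and on the development machine. A successful "Negotiated Tls12" line on both with the application still failing means the protocol version is not the problem and the error text, not the TLS configuration, is where to look next; a chain error such as PartialChain or UntrustedRoot on the server only is the stale root store the last answer describes.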