Disabling TLS 1.0 may cause issues with Protect and Patch for Windows Servers

Version 7

    Purpose

     

    This article covers the issues that may arise when TLS 1.0 is disabled in the environment and how to get Shavlik Protect and Patch for Windows Servers to work with TLS 1.2.

     

    Symptoms

     

    Per PCI requirements, all SCHANNEL protocols are vulnerable, except for TLS 1.2. Organizations may already have a GPO in place that disables every protocol except TLS 1.2, that is, SSLv2, SSLv3, TLS 1.1 and TLS 1.0. Issues that can arise when these protocols are disabled are:

     

    • Connection to Shavlik Protect SQL database cannot be established:
    Attempting to recover from a broken connection in the database connection pool. Attempt: 1, connection state: Closed, error: System.Data.SqlClient.SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - No process is on the other end of the pipe.) ---> System.ComponentModel.Win32Exception (0x80004005): No process is on the other end of the pipe
    • Commands to Shavlik Protect Agents are unsuccessful - Agents did not respond:
    System.ServiceModel.CommunicationException: An error occurred while making the HTTP request to https://consolename.FQDN:3121/ST/Console/STS/ConsoleSTS. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. --->System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
    • Cannot download patches from vendors:
    The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
    • Deployment Tracker gets stuck at Scheduled or Executing when deploying to target machines

     

    Cause

     

    TLS 1.0 is not enabled.
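
To confirm this cause on a console or target machine, the read-only PowerShell check below lists the state of each SCHANNEL protocol and warns when TLS 1.0 is disabled. It is an added example, not Shavlik or Ivanti code. The helper names `Get-RegValue` and `Get-SchannelProtocolState` are hypothetical, and the check assumes the GPO writes to the standard SCHANNEL registry location.

```powershell
# Added example (not vendor code): report SCHANNEL protocol state. Reads only.
# Assumption: the hardening GPO writes to the standard SCHANNEL registry location.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

# Hypothetical helper: return a registry value, or $null when key or value is absent.
function Get-RegValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Hypothetical helper: interpret Enabled / DisabledByDefault for one protocol and role.
function Get-SchannelProtocolState {
    param([string]$Protocol, [ValidateSet('Client', 'Server')][string]$Role)

    $key     = Join-Path (Join-Path $base $Protocol) $Role
    $enabled = Get-RegValue -Key $key -Name 'Enabled'
    $dbd     = Get-RegValue -Key $key -Name 'DisabledByDefault'

    # No Enabled value means nothing overrides the OS default; it does not mean "disabled".
    if ($null -eq $enabled) {
        $state = 'OS default'
    } elseif ($enabled -eq 0) {
        $state = 'Disabled'
    } else {
        $state = 'Enabled'
    }

    [pscustomobject]@{
        Protocol = $Protocol; Role = $Role; State = $state
        Enabled  = $enabled;  DisabledByDefault = $dbd
    }
}

$report = foreach ($p in $protocols) {
    foreach ($r in 'Client', 'Server') { Get-SchannelProtocolState -Protocol $p -Role $r }
}
$report | Format-Table -AutoSize

# The condition this article describes: TLS 1.0 explicitly disabled on this machine.
$tls10Off = @($report | Where-Object { $_.Protocol -eq 'TLS 1.0' -and $_.State -eq 'Disabled' })
if ($tls10Off.Count -gt 0) {
    Write-Warning ("TLS 1.0 is disabled for: " + ($tls10Off.Role -join ', '))
}
```

Run it on both the console and a target machine, since each side of a connection has its own Client and Server settings.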

     

    Resolution

     

    You must either enable TLS 1.0 or configure TLS 1.2 correctly as described in "Enabling TLS 1.2 For Shavlik Protect".

     

    Affected Product(s)

     

    Ivanti Patch for Windows Servers 9.3

    Shavlik Protect 9.x