Background Intelligent Transfer and TLS 1.2

  • Question

  • If this is the wrong forum to ask this question then please point me in the right direction...

    I have a .NET application that uses the Background Intelligent Transfer service to upload files from a client Windows 7 X64 machine to a Windows 2012 R2 server. The server is locked down for TLS 1.2 for compliance with PCI 3.1, i.e. protocols SSL 2.0/3.0, TLS 1.0/1.1 have been explicitly disabled in the registry using IISCrypto and TLS 1.2 enabled. The client has a trusted Root CA certificate for the server installed on it.

    The application uses the IBackgroundCopyManager and IBackgroundCopyJob COM interfaces to create the job and add it to the queue. In the Bits-Client event log, I see the following warning after it has started the transfer (note that addresses and filenames are for illustrative purposes only):

        BITS stopped transferring the test.tmp transfer job that is associated with the https://server/folder/temp.tmp URL. The status code is 0x80072EFE

    The error code translates to:

    ERROR_WINHTTP_CONNECTION_ERROR
     12030
     The connection with the server has been reset or terminated, or an incompatible SSL protocol was encountered. For example, WinHTTP version 5.1 does not support SSL2 unless the client specifically enables it.

    This makes sense, as I can see in Wireshark that the BITS request is only ever trying to use TLS 1.0 in the handshake protocol with the server and this has been disabled.

    My question is therefore: is it possible to enable the use of TLS 1.2 by the Bits-Client and if so, how is it done? 

    The COM interface does not provide any methods to set the protocol used and I cannot see anything in the registry settings for the BITS service either. It is definitely not a certificate issue as the transfers work as soon as TLS 1.0 is enabled on the server.

    Wednesday, August 26, 2015 8:41 AM

All replies

  • Hello,

    I cannot find any methods for TLS with you. Seems it's hard to do it programmatically. Do you still need a way to achieve target by code?

    Friday, August 28, 2015 3:13 AM
  • Just a shot in the dark here.  Perhaps disabling the TLS 1.0 protocol on the client machine using the Internet Options Advanced settings will force BITS to use the TLS 1.2 protocol?
    Friday, August 28, 2015 5:19 AM
  • From a similar problem on StackOverflow, and copying Diego's answer

    -------------------------- 

    BITS goes over WinHTTP and uses the default WINHTTP_OPTION_SECURE_PROTOCOLS. The problem is that your client is running Windows 7. From MSDN:

    By default only SSL3 and TLS1 are enabled in Windows 7 and Windows 8. By default only SSL3, TLS1.0, TLS1.1, and TLS1.2 are enabled in Windows 8.1 and Windows 10

    See this support article for instructions on how to enable TLS 1.1 and TLS 1.2 on Windows 7 machines: https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

    Wednesday, July 18, 2018 10:36 PM
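The fix described in the reply above is a WinHTTP-level setting, not a BITS one. As an added example (not code from the thread or from Microsoft), the PowerShell below reads the DefaultSecureProtocols value that the linked KB3140245 update introduces, decodes which protocols it enables, and can set it so WinHTTP (and therefore BITS) offers TLS 1.2 by default. It assumes the KB3140245 update is already installed on the Windows 7 client (without it the value is ignored) and that the registry path and bit values are as documented in that article.

```powershell
# Added example, not part of the original thread.
# Assumes KB3140245 is installed on Windows 7 / Server 2008 R2; the value is ignored otherwise.
# Bit values are the WINHTTP_FLAG_SECURE_PROTOCOL_* constants WinHTTP uses.
$Flags = [ordered]@{
    'SSL 2.0' = 0x0008
    'SSL 3.0' = 0x0020
    'TLS 1.0' = 0x0080
    'TLS 1.1' = 0x0200
    'TLS 1.2' = 0x0800
}

# Both hives matter on x64: the second one is read by 32-bit WinHTTP clients.
$Paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)

function Get-WinHttpDefaultProtocols {
    # Report what each hive currently allows; an absent value means the OS default
    # applies, which on Windows 7 is SSL 3.0 + TLS 1.0 (hence the TLS 1.0-only ClientHello).
    foreach ($p in $Paths) {
        $v = (Get-ItemProperty -Path $p -Name DefaultSecureProtocols -ErrorAction SilentlyContinue).DefaultSecureProtocols
        if ($null -eq $v) {
            Write-Output "$p : DefaultSecureProtocols not set (OS default applies)"
            continue
        }
        $enabled = $Flags.GetEnumerator() | Where-Object { ($v -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
        Write-Output ('{0} : 0x{1:X8} -> {2}' -f $p, $v, ($enabled -join ', '))
    }
}

function Set-WinHttpDefaultProtocols {
    # Enable exactly the listed protocols; defaults to TLS 1.2 only, matching the
    # PCI-locked server in the question. Must run elevated.
    param([string[]]$Protocols = @('TLS 1.2'))
    $value = 0
    foreach ($name in $Protocols) { $value = $value -bor $Flags[$name] }
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        New-ItemProperty -Path $p -Name DefaultSecureProtocols -PropertyType DWord -Value $value -Force | Out-Null
    }
    # BITS runs inside a long-lived svchost; restart it so new jobs pick up the value.
    Restart-Service -Name BITS
}

Get-WinHttpDefaultProtocols
```

After setting the value, a fresh Wireshark capture of the BITS upload should show TLS 1.2 in the ClientHello instead of TLS 1.0; if it still shows TLS 1.0, the KB3140245 update is not installed or the job is running under a process that has not been restarted.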