NetTCP communication with TLS 1.2 only: must FIPS be enabled, otherwise it doesn't work?

  • Question

  • Hi 

    I used WCF to build a service in my software, and used NetTCP with transport security between the service and the client. Recently my customer asked if they can enable TLS 1.2 only and disable all the others, so I did a test, but if I didn't enable FIPS in my local security policy console, it didn't work. Does anyone know how to make this work without enabling FIPS? Is there an official document from MS that tells what we can do?

    My configuration steps are below:

    1. Two machines, both with Windows 2012 R2 installed.

    2. Only enable the TLS 1.2 protocol and disable the others by editing the system registry, then restart the machines.

    3. If I enable FIPS on both machines, everything works fine.

    4. Disable FIPS on the WCF service machine, and the WCF client throws this exception:

    The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '01:10:00'. System.ServiceModel.CommunicationException: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '01:10:00'. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
       at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
       at System.ServiceModel.Channels.SocketConnection.ReadCore(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout, Boolean closing)
       --- End of inner exception stack trace ---

    Server stack trace:
       at System.ServiceModel.Channels.SocketConnection.ReadCore(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout, Boolean closing)
       at System.ServiceModel.Channels.SocketConnection.Read(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout)
       at System.ServiceModel.Channels.DelegatingConnection.Read(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout)
       at System.ServiceModel.Channels.ConnectionStream.Read(Byte[] buffer, Int32 offset, Int32 count)
       at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
       at System.ServiceModel.Channels.SslStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
       at System.ServiceModel.Channels.StreamSecurityUpgradeInitiatorBase.InitiateUpgrade(Stream stream)
       at System.ServiceModel.Channels.ConnectionUpgradeHelper.InitiateUpgrade(StreamUpgradeInitiator upgradeInitiator, IConnection& connection, ClientFramingDecoder decoder, IDefaultCommunicationTimeouts defaultTimeouts, TimeoutHelper& timeoutHelper)
       at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
       at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
       at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
       at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.LayeredChannel`1.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

    5. Disable FIPS on the WCF client machine, and the WCF client throws this exception:

    The client and server cannot communicate, because they do not possess a common algorithm; System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm

    Server stack trace:
       at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
       at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
       at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
       at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
       at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
       at System.ServiceModel.Channels.SslStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
       at System.ServiceModel.Channels.StreamSecurityUpgradeInitiatorBase.InitiateUpgrade(Stream stream)
       at System.ServiceModel.Channels.ConnectionUpgradeHelper.InitiateUpgrade(StreamUpgradeInitiator upgradeInitiator, IConnection& connection, ClientFramingDecoder decoder, IDefaultCommunicationTimeouts defaultTimeouts, TimeoutHelper& timeoutHelper)
       at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
       at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
       at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
       at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.LayeredChannel`1.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)


    Love life,Love work,Love World

    Wednesday, November 9, 2016 3:56 AM


All replies

  • Hi Bruce,

    Did your WCF service run under .NET 4.5 or above? Have you set SecurityProtocol with Tls12?

    I suggest you refer to the link below to check whether it will work for you.

    Disabling SSL v3 on Windows 2008 R2, 2012 R2 Server & ASP.Net Applications
    https://ericniemiec.wordpress.com/2015/02/15/disabling-ssl-v3-on-windows-2008-r2-2012-r2-server-asp-net-applications/

    Best Regards,

    Edward



    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, November 10, 2016 5:15 AM
  • Hi Edward,

    Thanks a lot for your quick response.

    I saw the link you provided, and I did the same configuration. My service and client are all installed on Windows 2012 R2 and .NET 4.6.2.

    The weird thing is that WCF hosted in IIS with basicHttpBinding works, but if you use netTcpBinding and host in a Windows service application, it throws the exception above. You can only enable FIPS to let it work.

    I also found this link on TechNet: https://technet.microsoft.com/en-us/library/dd560644%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396 It mentions enabling FIPS as a step.

    Another thought: I saw that MS SQL Server also needs a hotfix if you only enable TLS 1.2, but after applying the hotfix it works fine without enabling FIPS, so I am not sure if there are some other ways for the netTCP binding?

    Best Regards,

    Bruce Wang.


    Friday, November 11, 2016 3:55 AM
  • Hi Bruce,

    Thanks for sharing, it is so helpful.

    Based on your link, it seems we need to force computer adherence to TLS 1.2 under NetTcpBinding.

    If you uninstall the hotfix and then open Internet Explorer, on the Tools menu click Internet Options, click the Advanced tab, and then select the Use TLS 1.2 check box.

    Will it work?

    Best Regards,

    Edward



    Friday, November 11, 2016 5:18 AM
  • Hi Edward,

    Just to clarify, I mean SQL Server works fine after applying the SQL Server hotfix for TLS 1.2: https://support.microsoft.com/en-us/kb/3135244 My application still didn't work.

    I did all the steps you mentioned above (changed the check box in the Advanced tab), but if I uninstalled the hotfix, the SQL engine service could not start.

    You can find the error log in Event Viewer:

    But if I enabled FIPS, it works fine. Or if I disable FIPS but apply the hotfix, it still works fine.

    I think SQL Server in the backend should use similar technology to socket/WCF NetTCPBinding. There should be some change in the SQL Server hotfix that lets SQL Server communicate without FIPS.

    BTW, I think using TLS 1.2 in Internet Options is only for IE as a communication client application; it's not a global setting, right?

    Best Regards,

    Bruce Wang




    Sunday, November 13, 2016 3:23 AM
  • Hi Bruce,

    I do not know how it works under SQL Server.

    Based on this link, System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, the best practice for use with TLS is setting FIPS to Enabled.

    Best Regards,

    Edward



    Monday, November 14, 2016 1:39 AM
  • Hi Edward,

    Thanks for your response.

    I have found the reason for this issue. Recently I checked all my code, and I found there is a function that forcibly sets the default protocol, meaning it always uses TLS 1.0/SSL 3.0. I removed this code, and it works fine now without FIPS.

    The conclusion is that if you want NetTCP to use TLS 1.2, you must run your application on the .NET 4.6 framework. On other .NET frameworks (3.5.1 + hotfix / 4.5), you must enable FIPS, and then it goes down to TLS 1.0; otherwise, with FIPS disabled, it throws the exception "The client and server cannot communicate, because they do not possess a common algorithm".

    Best Regards,

    Bruce Wang



    • Marked as answer by Bruce Wang 001 Sunday, November 20, 2016 3:00 PM
    Sunday, November 20, 2016 3:00 PM
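
As an added example (not code from this thread or from Bruce's application), the following C# program shows the two things the thread settles on, for .NET Framework 4.6 or later: a NetTcpBinding with transport security pinned to TLS 1.2 through TcpTransportSecurity.SslProtocols, a property that exists from 4.6 onward, which is why the accepted answer requires that framework; a constructed illustration of the kind of legacy-protocol pin the answer describes removing; and a registry audit of the Schannel per-protocol switches and the FIPS algorithm policy that the question's steps 2 to 4 change. The service contract, the net.tcp port and the certificate subject name are placeholders. SslProtocols only affects the SslStream upgrade used with Certificate or None client credentials, the path visible in the question's stack traces (SslStreamSecurityUpgradeInitiator); the default Windows credential type uses NegotiateStream instead, and ServicePointManager.SecurityProtocol, mentioned in Edward's first reply, only governs HTTP-based clients.

```csharp
// Added example for the thread above; not the original poster's code.
using System;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using Microsoft.Win32;

[ServiceContract]
public interface IEcho
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEcho
{
    public string Echo(string text) { return text; }
}

public static class Tls12NetTcp
{
    // Binding shared by host and client. TcpTransportSecurity.SslProtocols is
    // available from .NET Framework 4.6; it governs the SslStream upgrade that
    // runs for Certificate or None client credentials (not for Windows, which
    // uses NegotiateStream and ignores this property).
    public static NetTcpBinding CreateTls12Binding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;
        binding.Security.Transport.SslProtocols = SslProtocols.Tls12;   // offer nothing older
        return binding;
    }

    // Constructed illustration of the kind of setting the accepted answer
    // describes removing: a binding pinned to SSL 3.0 / TLS 1.0. On a machine
    // whose Schannel configuration only enables TLS 1.2 this cannot negotiate,
    // which surfaces as the "no common algorithm" error from the question.
    public static NetTcpBinding CreateLegacyPinnedBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;
        binding.Security.Transport.SslProtocols = SslProtocols.Ssl3 | SslProtocols.Tls;
        return binding;
    }

    // Reads a REG_DWORD under HKLM; null when the key or the value is absent.
    private static int? ReadDword(string subKey, string valueName)
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(subKey))
        {
            return key == null ? null : key.GetValue(valueName) as int?;
        }
    }

    private static string Show(int? value)
    {
        return value.HasValue ? value.Value.ToString() : "(absent)";
    }

    // Prints the machine-wide state changed in the question's steps 2-4:
    // per-protocol Schannel switches, the FIPS policy, and the .NET strong-crypto opt-in.
    public static void AuditSchannelAndFips()
    {
        const string protocols = @"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols";
        foreach (string proto in new[] { "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2" })
        {
            foreach (string side in new[] { "Server", "Client" })
            {
                string key = protocols + @"\" + proto + @"\" + side;
                Console.WriteLine("{0,-8} {1,-6} Enabled={2} DisabledByDefault={3}",
                    proto, side,
                    Show(ReadDword(key, "Enabled")),
                    Show(ReadDword(key, "DisabledByDefault")));
            }
        }
        Console.WriteLine("FIPS policy Enabled=" +
            Show(ReadDword(@"SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy", "Enabled")));
        // .NET 4.6 defaults to strong crypto; on 4.5 this registry value is the opt-in.
        Console.WriteLine("SchUseStrongCrypto=" +
            Show(ReadDword(@"SOFTWARE\Microsoft\.NETFramework\v4.0.30319", "SchUseStrongCrypto")));
        Console.WriteLine("CLR version: " + Environment.Version);
    }

    public static void Main()
    {
        AuditSchannelAndFips();

        // Host side. The address and the certificate subject are placeholders;
        // the certificate must exist in LocalMachine\My on the service machine.
        var host = new ServiceHost(typeof(EchoService), new Uri("net.tcp://localhost:8731/"));
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "service.example.test");
        host.AddServiceEndpoint(typeof(IEcho), CreateTls12Binding(), "echo");
        host.Open();
        Console.WriteLine("Echo service listening with TLS 1.2 only; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

Running the audit on both machines before opening the host is the quickest way to tell the three situations in the question apart: TLS 1.2 Server/Client keys showing Enabled=1 with everything else disabled, the FIPS policy value, and whether the process is on a 4.6 CLR. A client built with CreateTls12Binding() against a host using the same binding negotiates only TLS 1.2; swapping in CreateLegacyPinnedBinding() on either side reproduces the failure the thread describes.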