Probing not ok but all others steps ok (windows 7) #7
Comments
Did you try to do any mitigations (such as registry changes or GPEDIT changes) before making this output? If yes, do you have the output of the original = first run? Windows 7 needs specific updates applied before it supports the cipher suites required by Azure DevOps. Please look at these docs: https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-7
Hello, and thank you, the very first run was: All changes have been made according to instructions (regedit + gpedit): I've added these 2 values TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 actual SSL Cipher Suites field value: but I had to remove the last ciphers due to max length in the field "SSL Cipher Suites". I'm looking closely at the doc: https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-7
Great you kept the screenshot! OK, so this is indeed the case where the OS simply does not support the given cipher suites, and even configuring them explicitly (as the script suggested as mitigation) will not enable them. Since WS 7/2008 are so long after end of life, the script does not account for this. Remove the mitigation you did in GPEDIT.
The script has been extended with a fall-back mitigation displayed on legacy OS versions (pre-10.x versions), which may lack some updates needed to support the modern cipher suites.
Hello, this is the result of the script, don't know what to do..
```
PowerShell 7.2.3
Copyright (c) Microsoft Corporation.
https://aka.ms/powershell
Type 'help' to get help.

PS C:\> (Invoke-WebRequest -Uri dev.azure.com).StatusDescription
Invoke-WebRequest: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host..
PS C:\> (Invoke-WebRequest -Uri status.dev.azure.com).StatusDescription
Invoke-WebRequest: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host..
PS C:\> .\AzureDevOpsTls12Analysis.ps1
Azure DevOps TLS 1.2 transition readiness checker v. 2022-05-09
| Probing Azure DevOps sites |
Probing: status.dev.azure.com
ISSUE FOUND: This may be TLS compatibility issue!
Probe failed when TLS-negotiating to [::ffff:13.107.6.183]:443. Error: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host..
=========================================
| Analysis of TLS 1.2 compatibility: OS |
PS Version: 7.2.3
PS Edition: Core
Win Build Version: 6.1.7601.0
CLR Version:
For old Windows versions (WS 2012, Windows 7 and older) TLS 1.2 must be explicitly enabled...
TLS 1.2 client usage enabled.
Running Cipher Suite check (BCrypt)...
At least one of the TLS 1.2 cipher suites supported by Azure DevOps enabled on the machine.
Matching cipher suites: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Running Group Policy check...
Group Policy cipher suites override defined: TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Missing cipher suites:
No need to change the GP override since cipher suites required by Azure DevOps are already enabled.
Running Key Exchange check...
Diffie-Hellman key exchange allowed.
Key Exchange check passed.
Running Elliptic Curve check...
Skipping elliptic curve check due to OS version...
| Analysis of TLS 1.2 compatibility: .NET Framework |
.NET Framework release is 4.7+ (release 461814)
TLS 1.2 enforced for applications targetting .NET Framework 4.0/4.5.x
TLS 1.2 enforced for applications targetting .NET Framework 4.0/4.5.x (32bit app on 64bit OS)
TLS 1.2 enforced for applications targetting .NET Framework 3.5
TLS 1.2 enforced for applications targetting .NET Framework 3.5 (32bit app on 64bit OS)
All mitigations required to ensure TLS 1.2-compatibility of legacy .NET applications are in place.
```
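An added example, not part of the issue thread or of AzureDevOpsTls12Analysis.ps1: a PowerShell audit of a Group Policy cipher suite override that reports its length against the 1,023-character limit of the policy field, whether the two suites named in this thread are listed, and whether the OS is a pre-10.x version where a listed suite is not necessarily a usable one. The helper name `Test-CipherSuitePolicy` and the sample string are constructed for illustration.

```powershell
# Added example: audit an "SSL Cipher Suite Order" Group Policy override.
# $RequiredSuites holds only the two suites named in this thread.
$RequiredSuites = @(
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)
# Registry location where the Group Policy override is stored.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$MaxPolicyLength = 1023   # documented length limit of the policy's cipher suite list

function Test-CipherSuitePolicy {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$PolicyValue,
        [version]$OsVersion = [Environment]::OSVersion.Version
    )
    # The policy value is a comma-separated list; drop blanks and padding.
    $suites = @($PolicyValue -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    [pscustomobject]@{
        Length           = $PolicyValue.Length
        ExceedsLimit     = $PolicyValue.Length -gt $MaxPolicyLength
        Present          = @($RequiredSuites | Where-Object { $suites -contains $_ })
        Missing          = @($RequiredSuites | Where-Object { $suites -notcontains $_ })
        # Pre-10.x Windows: a suite listed in policy is usable only if the OS
        # has the updates that implement it, so the list alone proves nothing.
        ListedIsNotProof = $OsVersion.Major -lt 10
    }
}

# Constructed sample, shortened from the override shown in the output above.
$sample = 'TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,' +
          'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
Test-CipherSuitePolicy -PolicyValue $sample -OsVersion '6.1.7601.0'

# On a live machine, audit the real override if one is defined.
$live = (Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue).Functions
if ($live) { Test-CipherSuitePolicy -PolicyValue ($live -join ',') }
```

When `ListedIsNotProof` is true, only a real TLS 1.2 handshake against the target host, as the script's probing step does, shows whether the suites are actually available.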