Purpose
The purpose of this article is to go over the issues that may arise when TLS 1.0 is disabled in the environment and how to get Shavlik Protect and Patch for Windows Servers to work with TLS 1.2.
Symptoms
PCI requirements treat every SCHANNEL protocol other than TLS 1.2 as vulnerable, so organizations may already have a GPO in place that disables all protocols except TLS 1.2 (namely SSLv2, SSLv3, TLS 1.1, and TLS 1.0). Issues that can arise when these channels are disabled include:
- Deployment Tracker gets stuck at Scheduled or Executing when deploying to target machines.
- Agent installation gets stuck at 50%.
- Connection to Shavlik Protect SQL database cannot be established:
Attempting to recover from a broken connection in the database connection pool. Attempt: 1, connection state: Closed, error: System.Data.SqlClient.SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - No process is on the other end of the pipe.) ---> System.ComponentModel.Win32Exception (0x80004005): No process is on the other end of the pipe
- Commands to Shavlik Protect Agents are unsuccessful - Agents did not respond:
System.ServiceModel.CommunicationException: An error occurred while making the HTTP request to https://consolename.FQDN:3121/ST/Console/STS/ConsoleSTS. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. --->System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
- Cannot download patches from vendors:
The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
Cause
No secure communication channel can be established, either because no version of TLS is enabled on one side of the connection, or because the version that is enabled is not properly configured on both sides.
Resolution
You must either re-enable TLS 1.0 or configure TLS 1.2 correctly by following the article "Enabling TLS 1.2 for Shavlik Protect and Ivanti Patch for Windows".
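The Cause and Resolution sections above say the channel fails because TLS 1.2 is either not enabled or not configured consistently on both ends, but they do not show how to tell which case you are in. The following PowerShell script is an added diagnostic example, not part of the Ivanti/Shavlik article and not the vendor's tooling. It reads the SCHANNEL protocol keys and the .NET Framework strong-crypto keys on the local machine, shows which protocols the current PowerShell process would offer, and optionally attempts a TLS 1.2-only handshake against the console port quoted in the Symptoms section. The registry paths are the standard Windows SCHANNEL and .NET Framework locations; the assumption (mine, not the article's) is that the console, agents and SQL client are .NET components that follow those machine-wide settings. `consolename.FQDN` and port 3121 are placeholders taken from the error text above; replace them with your own console name.

```powershell
# Added example: audit SCHANNEL and .NET TLS settings, then test a TLS 1.2 handshake.
# Not from the Ivanti/Shavlik article; hostname and port are placeholders from its error text.

$protocols   = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotNetKeys  = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'

function Get-SchannelState {
    # One row per protocol and side. $null means the value is absent and the OS default applies.
    # A GPO that "disables everything but TLS 1.2" normally writes Enabled=0 / DisabledByDefault=1
    # under Client and Server for every protocol except TLS 1.2.
    foreach ($p in $protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path (Join-Path $schannelKey $p) $side
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $key) {
                $item = Get-ItemProperty -Path $key
                $enabled           = $item.Enabled
                $disabledByDefault = $item.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

function Get-DotNetTlsState {
    # .NET Framework 4.x applications negotiate TLS 1.2 by default only when
    # SchUseStrongCrypto (and, on newer builds, SystemDefaultTlsVersions) is set to 1.
    # Both the 64-bit and the WOW6432Node key matter because 32-bit processes read the latter.
    foreach ($key in $dotNetKeys) {
        $strong = $null; $sysDefault = $null
        if (Test-Path $key) {
            $item       = Get-ItemProperty -Path $key
            $strong     = $item.SchUseStrongCrypto
            $sysDefault = $item.SystemDefaultTlsVersions
        }
        [pscustomobject]@{
            Key                      = $key
            SchUseStrongCrypto       = $strong
            SystemDefaultTlsVersions = $sysDefault
        }
    }
}

function Test-Tls12Handshake {
    # Opens a TCP connection and forces a TLS 1.2-only client handshake.
    # A socket reset here reproduces the "forcibly closed" / "no common algorithm" symptoms.
    # Certificate validation is left on: a certificate-trust error means the protocol
    # negotiation itself succeeded and the remaining problem is trust, not TLS version.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        [pscustomobject]@{ Target = "${HostName}:$Port"; Negotiated = $ssl.SslProtocol
                           Cipher = $ssl.CipherAlgorithm; Error = $null }
    } catch {
        [pscustomobject]@{ Target = "${HostName}:$Port"; Negotiated = $null
                           Cipher = $null; Error = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

'--- SCHANNEL protocol settings ---'
Get-SchannelState | Format-Table -AutoSize
'--- .NET Framework strong-crypto settings ---'
Get-DotNetTlsState | Format-List
'--- Protocols this PowerShell process offers by default ---'
[System.Net.ServicePointManager]::SecurityProtocol
'--- TLS 1.2 handshake test (placeholder host/port from the article) ---'
Test-Tls12Handshake -HostName 'consolename.FQDN' -Port 3121 | Format-List
```

Run the script on the console, on a machine that fails agent commands or deployments, and on the SQL Server host, then compare the three outputs: the connection can only succeed if TLS 1.2 is enabled on the Client side of the caller and the Server side of the target, and the .NET keys have to match too, otherwise a .NET component can still open the connection with TLS 1.0 even though SCHANNEL has TLS 1.2 available, which is exactly the "unexpected error on a send/receive" pattern in the Symptoms section.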
Affected Product(s)
Ivanti Patch for Windows Servers 9.3
Shavlik Protect 9.x