Web Connection
"Your connection is not private"
  Harvey Mushman
  All
  Jul 25, 2020 @ 08:47am

Starting this week, several of my users that use Android phones ran into a problem accessing my app over HTTPS. The certificate does not expire for over a year but the browser reported the connection was not safe. After a bit of research, I found a posting that is three days old and has a lot of other people claiming the same sort of problem.

The support.Google.com reference starts out by saying "Chrome not accepting certificates from any site except Google"... and is answered by someone writing the fix is:

The issue is coming with Chrome version 84. Google Chrome deprecated TLS 1.0 and TLS 1.1, so for the sites which are using these TLS versions you will face the issue. To overcome this issue, open Chrome and paste "chrome://flags/#legacy-tls-enforced" and choose Disable. Then relaunch Chrome again.

Wondering if there is a more (or any) better way to fix this problem, or is it just too new? I think it is going to be very hard to tell users, before they land on my opening page which has an SSL certificate, to disable a default browser option so they can see the page. Something about putting the cart before the horse!

This is a Win 2008 R2 box.

Thanks for any suggestions.

re: "Your connection is not private"
  Rick Strahl
  Harvey Mushman
  Jul 25, 2020 @ 01:18pm

You need newer certificates on your server.

Server 2008 has to explicitly enable TLS 1.2 if I recall.

See here:

Web Connection and TLS 1.2 Support

+++ Rick ---

re: "Your connection is not private"
  Harvey Mushman
  Rick Strahl
  Jul 26, 2020 @ 11:37am

Thank you for pointing me to your white paper. It gave me enough information to understand what else I needed to search for...

I looked for a video to walk me through the various settings that are required. I discovered Windows Server - How to Enable TLS 1.2 Registry Script (Disable TLS 1.0, 1.1, RC4, SSL 2.0, 3.0, DH) by CodeCowboyOrg. Turns out he not only recommends a testing site SSL Labs but also provided a link to a .REG file ( download link here, then rename txt file to reg or see text below ) that is a script that can be run to make all the changes.

The first SSL Labs test before running the script returned an "F" score. I also tested West-Wind.com just for fun and it scored a "B" (not perfect). After running the script as shown in the video, I reran the SSL Labs test and this time I tied with West-Wind, getting a "B" score. That's good enough for me!

I did have to restart the server after making the changes for them to take effect. But now the browser on the client no longer reports an error.

Not sure when TLS 1.3 will be required or if I will need a new SSL certificate before my current one expires in mid 2021.

Again as always... THANK YOU!!

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ServerMinKeyBitLength"=dword:00000800

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

Best... and stay healthy
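As an added example (not code from the post, the video or West Wind), here is a small Python audit that parses a .reg script like the one above and reports what it actually does to each server-side SCHANNEL protocol key: it shows that the script enables TLS 1.1, leaves TLS 1.0 untouched, sets only DisabledByDefault (not Enabled=0) for SSL 2.0/3.0, and raises the DH minimum to 2048 bits. The embedded sample is a constructed, reduced copy of the posted script and the state labels are my own wording.

```python
import re

# Constructed sample: the server-side keys from the .reg script posted above.
REG_TEXT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ServerMinKeyBitLength"=dword:00000800
"""

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
PROTOCOLS = ["SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]

def parse_reg(text):
    # Map each [key] to its dword values as ints; other value types are skipped.
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif (m := re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)) and current:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys

def server_state(keys, protocol):
    # Classify what the script does to one server-side protocol key (labels are mine).
    vals = keys.get(SCHANNEL + "\\Protocols\\" + protocol + "\\Server", {})
    enabled, by_default = vals.get("Enabled"), vals.get("DisabledByDefault")
    if enabled == 0:
        return "disabled"
    if enabled is None and by_default is None:
        return "not configured"  # script leaves the OS default in force
    if by_default == 1:
        return "disabled by default only"  # Enabled is never forced to 0
    return "enabled"

def audit(text=REG_TEXT):
    keys = parse_reg(text)
    report = {p: server_state(keys, p) for p in PROTOCOLS}
    dh = keys.get(SCHANNEL + "\\KeyExchangeAlgorithms\\Diffie-Hellman", {})
    report["DH min bits"] = dh.get("ServerMinKeyBitLength")  # 0x800 == 2048
    return report
```

Run audit() against your own exported .reg before importing it; a protocol reported as "not configured" or "disabled by default only" is still decided by the OS, not by the script.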

re: "Your connection is not private"
  Rick Strahl
  Harvey Mushman
  Jul 26, 2020 @ 01:26pm

TLS 1.3 is not going to be a thing for a while, but 1.2 is now pretty much universally required. I don't think you can get a non-TLS 1.2 certificate today, so that's not really the issue. Support of the software is the key - once 1.3 becomes a requirement, old software like Server 2008's IIS may no longer work with those certificates.

As to certificates - LetsEncrypt is the way to go. This also makes sure certificates are rotated frequently and updated to the latest standards. But keeping hardware and software somewhat updated I think is important, if for nothing else than the potential pain of running into some incompatibility that can't be worked around (or takes a long time to figure out). Case in point - TLS 1.2 works from Server 2012R2 forward without having to set any registry tweaks.

I try to make a point to stay no more than 2 versions behind in Server OS's...

+++ Rick ---

re: "Your connection is not private"
  Harvey Mushman
  Rick Strahl
  Jul 27, 2020 @ 08:29am

Two versions noted... but whatever happened to "if it ain't broke, don't fix it"? That is a rule of thumb that has worked with West-Wind products for over 20 years! I still have a WC2.x running and the customer is still very happy with it! 😃

There are only so many hours in the day for volunteering to upgrade sites that were done as a favor at the time and never grew into a money maker.

I've already moved two machines to 2012 and 2019 and as I have time 2008 will move over too.

Thanks for the help.

re: "Your connection is not private"
  Rick Strahl
  Harvey Mushman
  Jul 27, 2020 @ 12:01pm

"if it ain't broke, don't fix it"

I think the 'two versions theory' feeds into that actually. By upgrading from 2 versions back you're avoiding breaking things to the point where you can't easily fix it.

With Windows, 2 versions back usually means you can do an in-place update, so if you're really attached to an existing setup and not willing to clean house then an upgrade can be relatively painless. More than 2 versions though, you have to do a repave. And to be clear, 2 versions back usually means ~5 years.

For Web Connection it's also a good idea to keep up to date at least to some degree. It's never too bad upgrading a few minor versions and perhaps one full version. But once you're upgrading multiple major versions it gets much more difficult to get current. In recent years Web Connection updates have been mostly transparent (post 5.5) with a few specific feature exceptions (i.e. Web Control Framework).

+++ Rick ---

© 1996-2024