TLS 1.2 Issue - in Classic ASP environment

I manage a few sites that still use Classic ASP.

The method of connection is via a MSXML2 component pointing to https://secure.authorize.net/gateway/transact.dll

Is there a simple change I can make in this code somewhere (see below), to test via the sandbox, and see if the server is TLS 1.2 compliant?

 

Thanks!

 

[code]
<%
' The err check below only does anything if errors are non-fatal, so enable that first
On Error Resume Next
set objHttp = server.Createobject("MSXML2.ServerXMLHTTP")
if err.number <> 0 then
    Response.write(err.Description)
    response.End()
end if
on error goto 0

' strPost holds the gateway URL and strRequest the URL-encoded x_ fields;
' both are built earlier in the page (not shown here)
objHttp.open "POST", strPost, false
objHttp.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
objHttp.Send strRequest

'Get response
objHttpStatus = objHttp.status
strResponse   = objHttp.responseText
set objHttp      = nothing
%>
[/code]

snooper
Member
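A direct way to answer the question above is a throwaway test page that makes the same kind of outbound call the checkout code makes and reports which TLS version the remote end saw. The page below is an added example, not code from the original post or from Authorize.net. It assumes the three COM ProgIDs and the howsmyssl.com check URL that come up in this thread, and it uses a small regular expression instead of a JSON parser, since Classic ASP has none built in; replace the URL with the gateway address and the verb with POST to exercise the real path.

```vbscript
<%
' tls_probe.asp - added example, not part of the original thread.
' Calls https://howsmyssl.com/a/check with each COM HTTP client discussed in
' the thread and reports the TLS version the server negotiated with each one,
' so the ProgID that actually reaches TLS 1.2 from this box is visible.
Option Explicit

Const CHECK_URL = "https://howsmyssl.com/a/check"

' Pull "key":"value" out of the flat JSON reply with a RegExp; enough for
' howsmyssl's string fields (tls_version, rating).
Function JsonString(json, key)
    Dim re, matches
    Set re = New RegExp
    re.Pattern = """" & key & """:""([^""]*)"""
    Set matches = re.Execute(json)
    If matches.Count > 0 Then
        JsonString = matches(0).SubMatches(0)
    Else
        JsonString = "(not found)"
    End If
End Function

' Try one ProgID; always returns a one-line result and never raises,
' so a failing client does not stop the others from being tested.
Function ProbeWith(progId)
    Dim http, body
    On Error Resume Next
    Set http = Server.CreateObject(progId)
    If Err.Number <> 0 Then
        ProbeWith = progId & ": CreateObject failed - " & Err.Description
        Err.Clear
        Exit Function
    End If
    http.open "GET", CHECK_URL, False
    http.send
    If Err.Number <> 0 Then
        ' A handshake failure (no protocol or cipher in common) surfaces here
        ProbeWith = progId & ": send failed - " & Err.Description
        Err.Clear
        Exit Function
    End If
    body = http.responseText
    ProbeWith = progId & ": HTTP " & http.status & _
                ", tls_version=" & JsonString(body, "tls_version") & _
                ", rating=" & JsonString(body, "rating")
    Set http = Nothing
End Function

' The three clients the thread tries; ServerXMLHTTP and WinHTTPRequest go
' through WinHTTP, XMLHTTP goes through WinINet, so they can differ.
Dim progIds, i
progIds = Array("MSXML2.ServerXMLHTTP.6.0", "MSXML2.XMLHTTP.6.0", "WinHTTP.WinHTTPRequest.5.1")

Response.ContentType = "text/plain"
For i = 0 To UBound(progIds)
    Response.Write ProbeWith(progIds(i)) & vbCrLf
Next
%>
```

Drop the file into the site, browse to it, and read the three lines; a line showing tls_version=TLS 1.2 means that client is usable for the gateway call, while a "send failed" line points at the protocol and cipher settings on the server rather than at the ASP code.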

How are you setting IIS Crypto Settings?

 

Are you selecting the "Best Practices" button and then de-selecting TLS 1.1?  And are you checking the box to "Set Client Side Protocols"?

 

I'll try to include an image here but it may not work:

 

[image: iiscrypto.PNG]

Yes, the rest of the site is working.  We are able to do everything except connect to authorize.net. 

 

Every time I make a change and reboot, I am testing the website functionality through the client frontend.  All updates to SQL Server through the frontend asp classic codes works correctly.

 

I also confirmed the registry settings again.  I carefully followed the path again to make sure our paths match yours.  They are both correct; Wow6432Node is set because we have a 64-bit system.  The only difference between your values and ours is that yours do not have (2048) after the value and ours do.

 

Your value:

Value: 0x00000800

 

Our value: (in both settings)

Value: 0x00000800 (2048)

 

I opened IISCrypto.   It looks as though the "Best Practices" button was not checked before, so I checked it and the Cipher and other settings changed.  I unchecked TLS 1.1, applied and rebooted.  When I checked https://www.ssllabs.com/ssltest/, our website's rating is now an "A" (always "B" before today) and everything looked good, except that I got the same error messages with my test code, and I again tried all 3 ways of setting the object, as you suggested.  And, yes, the "Set Client Side Protocols" button is checked.

 

I then proceeded to test every combination of TLS settings using IIS Crypto; only 1.2 enabled, then 1.2 and 1.0, and then 1.2 and 1.1.  I rebooted each time after changing settings in IIS Crypto and then I immediately retested the website.  All website functionality continued to work after each change.  But my test program did not work.  And, as I said, each time I test, I test all 3 possible set statements.

 

Now when I test with TLS 1.2 and 1.0 enabled, I still get the cipher "Bad" message but it is much smaller.  Maybe that's because I used the "Best Practices" setting and that changed the settings that were previously there.

 

{"given_cipher_suites":["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA"],"ephemeral_keys_supported":true,"session_ticket_supported":true,"tls_compression_supported":false,"unknown_cipher_suite_supported":false,"beast_vuln":false,"able_to_detect_n_minus_one_splitting":true,"insecure_cipher_suites":{},"tls_version":"TLS 1.0","rating":"Bad"}

 

Here's my test code again:

[code]
<%
'test_tls_032618.asp
Set objHttp = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")
'Set objhttp = Server.CreateObject("MSXML2.XMLHTTP.6.0")
'Set objHttp = Server.CreateObject("WinHTTP.WinHTTPRequest.5.1")
objHttp.open "GET", "https://howsmyssl.com/a/check", False
objHttp.Send
Response.Write objHttp.responseText & "<br>"
Set objHttp = Nothing
%>
[/code]

 

I will let our server people know what you said about the registry settings not seeming to be recognized.  Although I know how to check regedit, I would not be comfortable making any registry settings on this server as I do not manage the server.  They have given me access to IISCrypto so that is why I am able to make those changes, reboot and test over the last few days. 

 

I have screenshots of everything but I have been unable to insert any screenshots into this forum.  It keeps giving me an HTML error anytime I use their icon to insert an image. 


Thanks again.  I really appreciate your help.  I feel bad that we are taking so much of your time but I really don't know what else to do.  Hopefully the server people will find something with the registry.

 

Alexis

One other thing to look for is the Application Pool setting for your website.  Make sure it is using 4.0 and not 2.0.

 

If you don't know where that is, open IIS Manager (Internet Information Services (IIS) Manager).

 

Click the down arrow to the left of the server name and then highlight "Application Pools".

 

Double click on your website name on the right and see if it is set to 2.0 or 4.0.  Should be 4.0.

 

If for some reason you cannot change this from 2.0 to 4.0 then you need to set these registry values:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001 

If you just change the App Pool setting to 4.0 then you should only need to restart IIS.  If you add the registry entries then a reboot would be needed.

I checked the IIS Manager.  I wish I could figure out how to insert images into the posts in this forum so I could show you what I see but I still haven't been able to get the images to work.  Keep getting error about "invalid HTML code" after inserting an image.

 

In IIS Manager on our website, the application pool settings are for the server, not the website.  Below Application Pools, it says "Sites" and then below that is "Default Web Site" and then I see all the folders that appear in Windows Explorer under inetpub (which makes sense).

 

Here's how IIS Manager looks:

Connections

  Start Page

  Our ServerName

     Application Pools

     Sites

          Default Web Site 

              App_Data

              Aspnet_client

              ..all other folders under inetpub

 

 

Under Sites, there are no application pool settings.

 

But when I look at Application Pools, I see this:

Name                    Status    .NET Framework Version   Managed Pipeline Mode   Identity                  Applications
.NET v2.0               Started   v2.0                     Integrated              ApplicationPoolIdentity   0
.NET v2.0 Classic       Started   v2.0                     Classic                 ApplicationPoolIdentity   0
Classic .NET AppPool    Started   v2.0                     Classic                 ApplicationPoolIdentity   0
DefaultAppPool          Started   v4.0                     Integrated              LocalSystem               2
mstest                  Started   v2.0                     Integrated              ApplicationPoolIdentity   1

 

So this looks okay, right?

Thanks,

Alexis

In IIS Manager under Sites, right click your website and then click on Manage Website / Advanced Settings

 

The first line should show what Application Pool is being used by your website. 

 

What browser are you using?  It is possible that the problem is with your browser not supporting any TLS version beyond 1.0.  Have you tried running your scripts from a different browser or computer?

 

One other registry key you may need since your server is 2012 and not 2012r2 is the SchUseStrongCrypto key.

 

Here are instructions to add that key.

 

Enable the SchUseStrongCrypto property in the Windows registry to use as the default protocols: TLS 1.0, TLS 1.1 and TLS 1.2

If you want to make sure strong cryptography is enabled and the SSL protocols for your requests are TLS 1.0, TLS 1.1 and TLS 1.2, please follow these steps:

  1. Start the registry editor by clicking on Start and Run. Type in "regedit" into the Run field (without quotations).

  2. Highlight Computer at the top of the registry tree.  Backup the registry first by clicking on File and then on Export.  Select a file location to save the registry file.

    Note: You will be editing the registry.  This could have detrimental effects on your computer if done incorrectly, so it is strongly advised to make a backup.

  3. Browse to the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v4.0.30319

  4. Right-click on the right pane and create a new DWORD (32-bit) Value with Name SchUseStrongCrypto.

  5. Ensure that the Value data field is set to 1 and the Base is Hexadecimal. Click on OK.

  6. Repeat steps 4 and 5 for the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319

  7. Reboot the server
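Because this thread ends up touching three separate sets of registry values (the .NET Framework keys above, the 0x00000800 value compared earlier, and the protocol switches IIS Crypto writes), it helps to dump all of them from one script before and after each reboot instead of walking regedit by hand. The script below is an added example, not from this thread or from Authorize.net. It only reads the registry. It assumes the key paths given in the thread for the .NET values, assumes that the 0x00000800 (2048) value discussed earlier is WinHTTP's DefaultSecureProtocols, and reads the standard Schannel Protocols keys that IIS Crypto edits.

```vbscript
' tls_registry_audit.vbs - added example, not from this thread or from Authorize.net.
' Run on the web server:  cscript //nologo tls_registry_audit.vbs
' It only READS the registry and prints the values discussed in this thread, so
' the native and Wow6432Node views on a 64-bit host can be compared side by side.
Option Explicit

Const SCHANNEL = "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\"

Dim shell
Set shell = CreateObject("WScript.Shell")

' Returns the value as text, or "(missing)" when the key or value does not exist
' (RegRead raises an error in that case, which is swallowed deliberately).
Function ReadValue(path)
    Dim v
    On Error Resume Next
    v = shell.RegRead(path)
    If Err.Number <> 0 Then
        ReadValue = "(missing)"
        Err.Clear
    Else
        ReadValue = CStr(v)
    End If
End Function

Sub Report(path)
    WScript.Echo path & " = " & ReadValue(path)
End Sub

Dim roots, r, protos, proto, sides, side
' Both views of HKLM\SOFTWARE: a 32-bit app pool on a 64-bit host reads Wow6432Node.
roots = Array("HKLM\SOFTWARE\", "HKLM\SOFTWARE\Wow6432Node\")

WScript.Echo "== .NET Framework values named in this thread (expect 1) =="
For Each r In roots
    Report r & "Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto"
    Report r & "Microsoft\.NETFramework\v2.0.50727\SystemDefaultTlsVersions"
Next

' Assumption: the 0x00000800 (2048) value compared earlier in the thread is
' WinHTTP's DefaultSecureProtocols, where 0x800 means TLS 1.2; this is the value
' that MSXML2.ServerXMLHTTP and WinHTTP.WinHTTPRequest consult for outbound calls.
WScript.Echo vbCrLf & "== WinHTTP DefaultSecureProtocols (2048 = TLS 1.2 only) =="
For Each r In roots
    Report r & "Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DefaultSecureProtocols"
Next

' Schannel switches, which IIS Crypto writes. Server = what the site offers to
' browsers; Client = what outbound calls from this box (to Authorize.net) may use.
WScript.Echo vbCrLf & "== Schannel protocol switches (non-zero = on, 0 = off, missing = OS default) =="
protos = Array("TLS 1.0", "TLS 1.1", "TLS 1.2")
sides = Array("Server", "Client")
For Each proto In protos
    For Each side In sides
        Report SCHANNEL & proto & "\" & side & "\Enabled"
        Report SCHANNEL & proto & "\" & side & "\DisabledByDefault"
    Next
Next
```

Run it once, make one change in IIS Crypto or regedit, reboot, run it again and diff the two outputs; a value that appears under only one of the two SOFTWARE roots is the usual reason a 32-bit app pool on a 64-bit server keeps behaving as if nothing was changed.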

 

 

It works!!!!!!!!!!!!!!!!!!

 

Thank you so much.  I can't thank you enough for your help.  Thank you...thank you.


We did not need to make the latest registry change.

 

Here's the last tweak needed. 

[code]
'3/29/18 change statement for tls 1.2 for authorize.net
'3/29/18 Set xml = Createobject("MSXML2.ServerXMLHTTP")
Set xml = Server.CreateObject("MSXML2.XMLHTTP.6.0")  '3/29/18
[/code]

 

I don't know why this change in the test program to the SSL test page doesn't work, but it works to authorize.net.  This is the only "CreateObject" setting that works for authorize.net from the server.

 

I had several test programs but only one that actually tested a call to authorize.net.  I thought I had tested everything in all my test programs each time I tested but, after so many different tries and changes, I missed this different test program.  After reading the posts again in this thread and reading posts in other forums, I woke up this morning and just tried it and it worked.

 

Wow, after almost 4 weeks of trying different things, it works.

 

Thank you again for sticking with us!


Regards,

Alexis

 

That's great!  Now if you want to put the icing on the cake, try disabling TLS 1.0 and see if it works.  If it does not work, then you still have a problem between your web server and your database server.

 

Technically you are good as far as Authorize.net is concerned.  You are communicating with them via TLS 1.2. 

 

If you want to be PCI compliant then you would need to remove TLS 1.0 from the server completely.

 

If you are still having problems with the database connection after removing TLS 1.0 post your database connection string with the username and password masked so we can look at it.

Thank you!  TLS 1.0 is disabled.  Right now only TLS 1.2 is enabled in IISCrypto.  And to confirm it, everything is "No" on the ssl security test except for TLS 1.2 and the website now has an "A" rating on the ssl security test.

 

Regards,

Alexis

 

Awesome!  Pat yourself on the back.  You are the one who stuck it out and finished the job.

Back at you!  You stuck it out with us.  I don't know what we would have done without your help.  Your helpful and kind replies gave me hope that we would eventually get there.

 

Although the vendor managing the server and a third-party software product, and I, are the original creators of this website system from 12 years ago, and we know it well, we relied on your help to work through each issue to get TLS 1.2 working.

 

We are all very grateful to you.

 

I hope that our back and forth will help others who may still be struggling with this same issue so they have many different things to try.  And they know they will eventually get it working.

 

Best regards,

Alexis