
TLS 1.2 Issue - in Classic ASP environment

I manage a few sites that still use Classic ASP.

The method of connection is via a MSXML2 component pointing to https://secure.authorize.net/gateway/transact.dll

Is there a simple change I can make in this code somewhere (see below), to test via the sandbox, and see if the server is TLS 1.2 compliant?

 

Thanks!

 

[code]

set objHttp = server.Createobject("MSXML2.ServerXMLHTTP")
if err.number <> 0 then
    Response.write(err.Description)
    response.End()
end if
'on error goto 0

objHttp.open "POST", strPost, false
objHttp.Send strRequest

'Get response
objHttpStatus = objHttp.status
strResponse   = objHttp.responseText
set objHttp      = nothing

[/code]

snooper
Member
71 REPLIES

All you need is to install this driver:

 

https://www.microsoft.com/en-us/download/details.aspx?id=36434

 

 

Thank you.  I will let the server people know.

 

Regards,

Alexis

What total frustration!!  The server people worked with Microsoft so now SSL 3.0 and 2.0 are disabled.  The SSL check at https://www.ssllabs.com/ssltest/ shows every configuration setting is "No" except for TLS 1.2, which is "Yes".

The website is still working with ssl3.0 and ssl2.0 turned off, which was our most recent problem.  The server people said SQL service pack3 was required and Native client 11.

I thought we would be good now but the test program doesn't work nor does authorize.net. (I tried a client purchase but no transaction was sent to authorize.net)

Here's my test program:
[code]

<%
'test_tls_032618.asp
Set objHttp = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")
objHttp.open "GET", "https://howsmyssl.com/a/check", False
objHttp.Send
Response.Write objHttp.responseText & "<br>"
Set objHttp = Nothing
%>

[/code]

Here's the error message:
msxml6.dll error '80072f7d'
An error occurred in the secure channel support
/test_tls_032618.asp, line 5

Any ideas?  It seems like the sql server or the server still has a problem.

Thanks,
Alexis

Try setting the object in your script with one of these lines rather than the one you are using now.

 

Set objhttp = Server.CreateObject("MSXML2.XMLHTTP.6.0")

 

or this one

Set objHttp = Server.CreateObject("WinHTTP.WinHTTPRequest.5.1")

 

If neither of them work, let us know what versions of server you are on.  2008 or 2012 and what is the database server?

I tried the 2 additional object settings.  Neither worked.  I'm showing below the setting I used and what error I got.

Set objHttp = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")

msxml6.dll error '80072f7d'

An error occurred in the secure channel support

/test_tls_032618.asp, line 5

 

Set objhttp = Server.CreateObject("MSXML2.XMLHTTP.6.0")

msxml6.dll error '80070005'

Access is denied.

/test_tls_032618.asp, line 5

 

Set objHttp = Server.CreateObject("WinHTTP.WinHTTPRequest.5.1")

WinHttp.WinHttpRequest error '80072f7d'

An error occurred in the secure channel support

/test_tls_032618.asp, line 5

 

Here's information on our software:

We have SQL Server 2012 Express installed.

Here's what I see through SQL Mgmt Studio properties:

Product Name: Microsoft SQL Server Express Edition (64-bit)

Product Version: 11.0.6020 SP3

 

The server has Windows 2012 Server installed.

Here's what I see when I check under the Control Panel/Systems:

Windows Server 2012 Standard

Platform: NT x64

Operating System: 6.2 (9200)

 

I also sent information to our server people and copied MS (who is helping them) to let them know that their changes did not fix the authorize.net connection issue.


Thanks,
Alexis

 

Try re-enabling TLS 1.0 and if that makes the script work then you still do not have the SQL Native 11 Driver installed.

 

If the script works after enabling TLS 1.0 then your problem is between your webserver and your SQL server and you should still be able to complete Authorize.net transactions.

The server people installed the driver at the link you indicated but that did not resolve the issue.

 

I also tried re-enabling TLS 1.0 but the script still wouldn't work. Please note that I am rebooting the server each time after changing settings in IIS Crypto.

 

After enabling TLS 1.0, when I run the script, I get the old message again about cipher suites:

{"given_cipher_suites":["TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_RC4_128_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_DHE_DSS_WITH_AES_128_CBC_SHA","TLS_DHE_DSS_WITH_AES_256_CBC_SHA","TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA","TLS_RSA_WITH_RC4_128_MD5"],"ephemeral_keys_supported":true,"session_ticket_supported":true,"tls_compression_supported":false,"unknown_cipher_suite_supported":false,"beast_vuln":false,"able_to_detect_n_minus_one_splitting":true,"insecure_cipher_suites":{"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA":["uses 3DES which is vulnerable to the Sweet32 attack but was not configured as a fallback in the ciphersuite order"],"TLS_RSA_WITH_3DES_EDE_CBC_SHA":["uses 3DES which is vulnerable to the Sweet32 attack but was not configured as a fallback in the ciphersuite order"],"TLS_RSA_WITH_RC4_128_MD5":["uses RC4 which has insecure biases in its output"],"TLS_RSA_WITH_RC4_128_SHA":["uses RC4 which has insecure biases in its output"]},"tls_version":"TLS 1.0","rating":"Bad"}

 

I wish I had better news.

 

Thanks,

Alexis

 

 

This indicates that your webserver is not Defaulting to TLS 1.2

 

Please verify that both of these registry keys are set to: 0x00000800

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DefaultSecureProtocols
 
Value: 0x00000800
 

On x64-based computers, DefaultSecureProtocols must also be added to the Wow6432Node path:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DefaultSecureProtocols
 
Value: 0x00000800
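
A scripted version of the registry check described above, as an added example that is not part of the original thread. It reads DefaultSecureProtocols from both paths, confirms the value is stored as a DWORD, and decodes which protocols the bitmask enables; the function name and output fields are hypothetical, and it assumes a 64-bit PowerShell 3.0 or later session.

```powershell
# Added example: audit the WinHTTP DefaultSecureProtocols value in both registry views.
# Run from 64-bit PowerShell; a 32-bit session is redirected to Wow6432Node for both paths.
$ValueName = 'DefaultSecureProtocols'

# Bit flags Microsoft documents for DefaultSecureProtocols.
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x00000008
    'SSL 3.0' = 0x00000020
    'TLS 1.0' = 0x00000080
    'TLS 1.1' = 0x00000200
    'TLS 1.2' = 0x00000800
}

$Paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)

function Test-WinHttpDefaultProtocols {
    param([string[]]$Path = $Paths)

    foreach ($p in $Path) {
        $key = Get-Item -Path $p -ErrorAction SilentlyContinue
        $raw = if ($key) { $key.GetValue($ValueName, $null) } else { $null }

        if ($null -eq $raw) {
            # Key or value absent: WinHTTP falls back to the operating system default.
            [pscustomobject]@{ Path = $p; Kind = 'missing'; Hex = ''; Enabled = ''; Tls12Only = $false }
            continue
        }

        # A value created as a string instead of a DWORD looks right in regedit but is not a bitmask.
        $kind    = $key.GetValueKind($ValueName)
        $isDword = ($kind -eq 'DWord')
        $enabled = @()
        if ($isDword) {
            $enabled = @($ProtocolBits.Keys | Where-Object { $raw -band $ProtocolBits[$_] })
        }

        [pscustomobject]@{
            Path      = $p
            Kind      = "$kind"
            Hex       = if ($isDword) { '0x{0:X8}' -f $raw } else { "$raw" }
            Enabled   = $enabled -join ', '
            Tls12Only = ($isDword -and $raw -eq 0x800)
        }
    }
}

Test-WinHttpDefaultProtocols | Format-List
```

Both entries should report Kind DWord, Hex 0x00000800 and Enabled "TLS 1.2"; a row with Kind "missing" or a non-DWord kind points to a path, spelling or value-type problem.
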

I verified the settings using regedit.

 

I was unable to insert the screenshots I took but they both look like this:

Value: 0x00000800 (2048)

Does the rest of the site work now?  i.e.  can you do everything except post a payment to Authorize.net?

 

If so, then you just need to figure out why the server is not obeying the DefaultSecureProtocols registry keys.  I would check those keys again.  Make sure that the path and spelling are correct and that the key is spelled exactly as above with the proper Case.