shawn
Posted April 18, 2015

Seeing tons of these errors, "Could not create SSL/TLS secure channel", in the errors log (128 failed). Looks like each and every one that uses https since Patch Tuesday.

Google suggests this may be an issue with the Ketarin WebRequest object's SecurityProtocol support. That is, in WebClient.cs, line 172 should be changed from this:

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls;

To something like this:

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

That should allow TLS 1.2 and 1.1, which are the currently preferred protocols.

shawn
Posted April 20, 2015

Here's an app profile that demonstrates the problem:

    <?xml version='1.0' encoding='utf-8'?>
    <Jobs>
      <ApplicationJob xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Guid="a30e2cce-3ab4-4069-8642-7f6dbf7119e1">
        <Category>Tools</Category>
        <WebsiteUrl />
        <UserAgent />
        <UserNotes />
        <IgnoreFileInformation>false</IgnoreFileInformation>
        <DownloadBeta>Default</DownloadBeta>
        <DownloadDate xsi:nil="true" />
        <CheckForUpdatesOnly>false</CheckForUpdatesOnly>
        <VariableChangeIndicator>version</VariableChangeIndicator>
        <CanBeShared>true</CanBeShared>
        <ShareApplication>false</ShareApplication>
        <ExclusiveDownload>false</ExclusiveDownload>
        <HttpReferer />
        <SetupInstructions />
        <Variables>
          <item>
            <key>
              <string>version</string>
            </key>
            <value>
              <UrlVariable>
                <RegexRightToLeft>false</RegexRightToLeft>
                <VariableType>RegularExpression</VariableType>
                <Regex>trimcheck v([\d\.]+)</Regex>
                <Url>https://github.com/CyberShadow/trimcheck/blob/master/README.md</Url>
                <Name>version</Name>
              </UrlVariable>
            </value>
          </item>
          <item>
            <key>
              <string>dl</string>
            </key>
            <value>
              <UrlVariable>
                <RegexRightToLeft>false</RegexRightToLeft>
                <VariableType>RegularExpression</VariableType>
                <Regex>"(trimcheck[^"]+exe)"</Regex>
                <Url>http://files.thecybershadow.net/trimcheck/</Url>
                <Name>dl</Name>
              </UrlVariable>
            </value>
          </item>
        </Variables>
        <ExecuteCommand />
        <ExecutePreCommand />
        <ExecuteCommandType>Batch</ExecuteCommandType>
        <ExecutePreCommandType>Batch</ExecutePreCommandType>
        <SourceType>FixedUrl</SourceType>
        <DeletePreviousFile>true</DeletePreviousFile>
        <Enabled>true</Enabled>
        <FileHippoId />
        <TargetPath>..\{category}\{appname:regexreplace:([\s\t\r\n\-\\&amp;\/]+):_}-{version}.{url:ext}</TargetPath>
        <FixedDownloadUrl>http://files.thecybershadow.net/trimcheck/{dl}</FixedDownloadUrl>
        <Name>TrimCheck</Name>
      </ApplicationJob>
    </Jobs>

In order to update, it checks the value of the version variable against the readme file on GitHub. GitHub imposes SSL via only TLS 1.2, TLS 1.1, and TLS 1.0 (per DigiCert). Since GitHub removed SSL3 support last October and Microsoft altered their TLS 1.0 support on Tuesday, the cypher support that Ketarin uses has been failing. It's possible that this is failing on every site that has removed SSL3 support and prioritizes a weak TLS 1.0 cypher.

shawn
Posted April 27, 2015

Mea culpa. This was on me. My upgrade routine disabled weak cyphers on XP, but the check failed to properly check the OS, so it disabled RC2, RC4 and SHA for all OSes. Caused some other major issues too. Fixed it on my end, and everything is working again.
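
A read-only audit that would surface the condition described in the April 27 post (RC2, RC4 and SHA disabled on every OS), given here as an added example that is not part of the thread. It assumes the algorithms were switched off through the standard SCHANNEL registry settings, which the post does not state; the function name Get-SchannelDisabled is made up for this example.

```powershell
# Added example, not from the thread: list SCHANNEL ciphers, hashes, key
# exchange algorithms and protocols explicitly disabled on this machine.
# Assumption: the disabling was done via the standard SCHANNEL registry keys.
$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelDisabled {
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SchannelPath)
    if ($null -eq $root) { return }
    try {
        foreach ($group in 'Ciphers', 'Hashes', 'KeyExchangeAlgorithms', 'Protocols') {
            $groupKey = $root.OpenSubKey($group)
            if ($null -eq $groupKey) { continue }
            # The .NET API returns names such as "RC4 128/128" intact; the
            # PowerShell registry provider would treat the "/" as a separator.
            foreach ($name in $groupKey.GetSubKeyNames()) {
                # Protocol settings sit one level down, under Client and Server.
                $leaves = if ($group -eq 'Protocols') {
                    "$name\Client", "$name\Server"
                } else {
                    $name
                }
                foreach ($leaf in $leaves) {
                    $key = $groupKey.OpenSubKey($leaf)
                    if ($null -eq $key) { continue }
                    $enabled = $key.GetValue('Enabled')   # DWORD: 0 = disabled
                    $key.Close()
                    # A missing value means the OS default applies; skip it.
                    if ($null -ne $enabled -and $enabled -eq 0) {
                        [pscustomobject]@{ Group = $group; Item = $leaf }
                    }
                }
            }
            $groupKey.Close()
        }
    } finally {
        $root.Close()
    }
}

# Show the OS version next to the findings so that a setting meant for one
# Windows release but present on another stands out.
"OS version: $([Environment]::OSVersion.Version)"
Get-SchannelDisabled | Format-Table -AutoSize
```

An entry under Hashes in the output affects every TLS client on the machine that relies on SCHANNEL, whichever protocol versions the application itself requests.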