Environment
- App Control Agent: All Versions
- Microsoft Windows: All Supported Versions
Symptoms
Trace.bt9 with high debugging enabled shows the following SSL error code:
Server Communication: WaitForResponse End: m_bIsSleeping[0] IsSleeping[0] GetHttpStatus[0] GetWinHttpError[0] GetSslError[2147483648] DataAvailable[0]
Server Communication: WinHTTP communication error: 12175
Cause
There is a mismatch of the TLS ciphers elliptic curves configuration between the agents and the server systems.
Resolution
- Use a tool like IISCrypto to display and modify the cipher suites on the system (https://www.nartac.com/Products/IISCrypto/Download)
- Open IISCrypto on both the agent and server and check if there are any P521 ciphers enabled on one or the other, e.g.
- Agent has:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
- Server has:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
- Disable any of the P521 ciphers by unchecking them in IISCrypto, so only matching ciphers are enabled
- Reboot the system
Additional Notes
- If the ciphers reset and the P521 get enabled again after system reboot then the ciphers are enforced by a GPO that needs to be modified
- Using IIS Crypto, compare a connected systems' settings to ensure the non-connected device uses the very same protocols and cipher suites
Related Content
