EDR: Windows sensor cannot connect to Server unless TLS 1.0 protocol is enabled

Environment

  • EDR (formerly CB Response): All Versions
  • EDR Sensor: 6.2.1 and Higher
  • Microsoft Windows: Server 2008 SP 2

Symptoms

  • CB Response: Windows sensor cannot connect to CB Response Server. 
  • Sensor.log shows these errors:
Tid[067C] 2019-03-05 00:15:58 (e): WinHttpSendRequest() failed: WinError[0x00002EFE]
Tid[067C] 2019-03-05 00:15:58 (e): Unable to complete request from HTTP transaction
Tid[067C] 2019-03-05 00:15:58 (w): Failed to registerHTTPCode[2147954430] HrError[0x80072EFE]
Tid[067C] 2019-03-05 00:15:58 (i): failed to register HrError[0x80072EFE]
Tid[067C] 2019-03-05 00:15:58 (w): Unable to properly synch with server HrError[0x80072EFE]
Tid[067C] 2019-03-05 00:15:58 (e): WinHTTP indicated a TLS/SSL error, WinXP and Server2008 sensors require the Cb Response server enable TLS1.0 for secure communication.

Cause

The endpoint Windows host is unable to use the strong TLS protocols enabled on the Server.

Resolution

  1. Enable TLS 1.2 on the Server 2008 environment
  2. Install sensor versions within the 6.1.x branch 

Additional Notes

  • TLS 1.0 is susceptible to man-in-the-middle attacks with vulnerabilities such as BEAST, POODLE, DROWN, etc. Consider these vulnerabilities before requesting TLS 1.0 be enabled in the environment.
  • We recommend moving to a newer OS that supports a more recent cryptographic protocol (TLS 1.2) in order to successfully establish a connection with the CB Response Cloud Server safely.
  • If enabling TLS 1.2, ensure the following keys and fields exist in regedit. Each field is of type DWORD:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server
      DisabledByDefault = 0
      Enabled = 1
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Client
      DisabledByDefault = 0
      Enabled = 1
  • Ensure .NET is on a TLS 1.2 supported version
  • This issue can occur in on-prem environments depending on the security settings of the server
  • Sensor version 6.1.x will still work with older versions of TLS
  • TLS 1.0 is not supported on CB Response Cloud
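
The TLS 1.2 registry values listed above can be checked with a short script before the sensor is redeployed. This is an added example, not part of the original article or a Carbon Black tool; the `-Fix` switch and the output wording are assumptions of the example, and it is written to run on the older PowerShell versions found on Server 2008.

```powershell
# Added example: audit the Schannel TLS 1.2 values named in the article.
# Read-only by default. With -Fix (hypothetical switch of this example) it
# writes the expected values; that requires an elevated session.
param([switch]$Fix)

$base     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2'
$expected = @{ DisabledByDefault = 0; Enabled = 1 }   # DWORD values from the article
$problems = 0

foreach ($role in 'Server', 'Client') {
    $key = Join-Path $base $role

    if (-not (Test-Path $key)) {
        if ($Fix) {
            New-Item -Path $key -Force | Out-Null
            Write-Output "CREATED  $key"
        } else {
            Write-Output "MISSING  $key"
            $problems++
            continue
        }
    }

    foreach ($name in $expected.Keys) {
        $want = $expected[$name]
        # Returns $null (no error) when the value does not exist
        $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $have = if ($prop) { $prop.$name } else { $null }

        if ($have -eq $want) {
            Write-Output "OK       $role\$name = $have"
        } elseif ($Fix) {
            New-ItemProperty -Path $key -Name $name -Value $want -PropertyType DWord -Force | Out-Null
            Write-Output "SET      $role\$name = $want (was: $have)"
        } else {
            Write-Output "WRONG    $role\$name = '$have' (expected $want)"
            $problems++
        }
    }
}

# Schannel reads these values at startup, so changes need a reboot to take effect.
if ($problems -gt 0) { Write-Output "$problems setting(s) need attention."; exit 1 }
Write-Output 'TLS 1.2 Schannel keys match the values in the article.'
```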

Article Information
Creation Date: 09-09-2020