[RESOLVED] WAPT 2.5.5.15691: TLS error with waptdeploy.exe

TomTomGo
Messages: 25
Registration: May 3, 2017 - 3:36 p.m.
Location: La Chapelle-sur-Erdre

July 25, 2024 - 2:36 PM

Good morning,

WAPT Server: Up-to-date Debian 11
Client workstation: Windows 11 23H2
WAPT 2.5.5.15691 Discovery

Following the upgrade of my WAPT server from 2.5.5.15640 to 2.5.5.15691 this morning, I get an error message when I try to update the WAPT agent on the workstations using waptdeploy.exe:

Code:

waptdeploy.exe --waptsetupurl=https://srvwapt.mydomain/wapt/waptagent.exe --hash=942cde31e7b6144a873b0daad14db24abb040042fb6ed27ee84a76d60918aa7b --minversion=2.5.5.15691 --tasks=autorunTray,installService,installredist2008,!autoUpgradePolicy --wait=15
{"waptsetupurl":"https://srvwapt.mydomain/wapt/waptagent.exe","hash":"942cde31e7b6144a873b0daad14db24abb040042fb6ed27ee84a76d60918aa7b","minversion":"2.5.5.15691","tasks":"autorunTray,installService,installredist2008,!autoUpgradePolicy","wait":"15"}
WAPT version: 2.5.5.15640
WAPT required version: 2.5.5.15691
Wapt agent path: C:\Users\toto\AppData\Local\Temp\waptagent.exe
Wget new waptagent from https://srvwapt.mydomain/wapt/waptagent.exe
Trying to reach https://srvwapt.mydomain/wapt/waptagent.exe...
Expecting hash sha256: 942cde31e7b6144a873b0daad14db24abb040042fb6ed27ee84a76d60918aa7b
Using proxy :
Error trying to get https://srvwapt.mydomain/wapt/waptagent.exe : Error downloading https://srvwapt.mydomain/wapt/waptagent.exe: [ENetSock] THttpClientSocket.DoTlsAfter: TLS failed [ESChannel <srvwapt.mydomain>: ComputeAndSendAnswer returned 80090302 [SEC_E_UNSUPPORTED_FUNCTION], System Error 1 [ERROR_INVALID_FUNCTION]]... sleeping
Delete sheduled task "fullwaptupgrade"
An unhandled exception occurred at $00323D02:
Exception: Error downloading https://srvwapt.mydomain/wapt/waptagent.exe: [ENetSock] THttpClientSocket.DoTlsAfter: TLS failed [ESChannel <srvwapt.mydomain>: ComputeAndSendAnswer returned 80090302 [SEC_E_UNSUPPORTED_FUNCTION], System Error 1 [ERROR_INVALID_FUNCTION]]
  $00323D02
  $00325402

I deleted and regenerated the Nginx SSL certificates under /opt/wapt/waptserver/ssl/ using the postconf.sh script => SAME
I also tried replacing the Wapt server's FQDN with the IP address => SAME RESULT (see viewtopic.php?p=11185&hilit=%5BENetSock ... led#p11185)
I forced the reinstallation of the tis-waptserver and tis-waptsetup packages and restarted the postconf => SAME RESULT
I'm out of ideas, has anyone else encountered this problem please?

Thank you in advance and have a good day
Last edited by TomTomGo on July 29, 2024 - 3:41 PM, edited 1 time.
TomTomGo
Messages: 25
Registration: May 3, 2017 - 3:36 p.m.
Location: La Chapelle-sur-Erdre

July 25, 2024 - 3:24 PM

Well, after consulting the CHANGELOG for version 2.5.5.15691, I saw this:

[IMP] waptserver: on Linux: use TLS1.3 for nginx on linux

So I switched back to TLS 1.2 in /etc/nginx/sites-enabled/wapt.conf:

Code:

ssl_protocols               TLSv1.2;

After restarting the Nginx services, it's working again :)
dcardon
WAPT Expert
Messages: 1931
Registration: June 18, 2014 - 09:58
Location: Saint Sébastien sur Loire

July 25, 2024 - 5:15 PM

Hi Thomas,

It seems that Windows 11 doesn't enable TLS 1.3 by default (there are registry keys that need to be changed).

WAPTAgent uses OpenSSL for all cryptography, but WAPTDeploy, to be lighter, relies on the Windows schannel implementation to avoid having to include OpenSSL (which would double the size of waptdeploy...). And the default schannel configuration on Windows 11 doesn't have TLS 1.3 enabled (there's a registry key/GPO that needs to be set for this). Note: Edge uses TLS 1.3 because it's based on the Chromium TLS layer and not the Windows one, so this is a bit misleading. Note 2: To further mislead the unsuspecting sysadmin, TLS 1.3 has been enabled on Windows 10 for several years now, even though Microsoft says it isn't, and it's not enabled on Windows 11, even though Microsoft says it is[1]...

We switched to TLS 1.3 for the CSPN certification process, but since TLS 1.2 is still accepted by ANSSI, I think we'll modify the Target of Evaluation to specify TLS 1.2; it will be simpler.

Thank you for bringing this to our attention.

Best regards,

Denis

[1] https://learn.microsoft.com/en-us/windo ... on-support
Denis Cardon - Tranquil IT
Share your experiences on WAPT! Send us your blog and article URLs in the "Your Opinion of the forum, and we'll feature them on the WAPT
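To reproduce Denis's diagnosis on the client side, here is an added PowerShell check (not code from this thread or from Tranquil IT) that reads the schannel protocol switches in the registry and then attempts a TLS 1.2-only and a TLS 1.3-only handshake with the WAPT server through .NET's SslStream, which goes through schannel just like waptdeploy.exe. The server name is an assumed placeholder, and the script assumes Windows PowerShell 5.1 on .NET Framework 4.8 (where SslProtocols.Tls13 exists).

```powershell
# Added example, not from the forum thread or from Tranquil IT.
# $ServerFqdn is an assumed placeholder: replace it with your own WAPT server name.
param(
    [string]$ServerFqdn = 'srvwapt.mydomain',
    [int]$Port = 443
)

# 1. Registry view: schannel protocol switches live under this key. A missing
#    "Client" subkey means the OS default applies, which is what bit waptdeploy here.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.2', 'TLS 1.3') {
    $key = Join-Path $base "$proto\Client"
    if (Test-Path $key) {
        $v = Get-ItemProperty -Path $key
        "{0,-8} Client: Enabled={1} DisabledByDefault={2}" -f $proto, $v.Enabled, $v.DisabledByDefault
    } else {
        "{0,-8} Client: no explicit registry setting (OS default applies)" -f $proto
    }
}

# 2. Live handshake with one protocol version pinned at a time. Failure with Tls13
#    but success with Tls12 matches the waptdeploy symptom described in the thread.
function Test-TlsHandshake {
    param(
        [string]$TargetHost,
        [int]$TargetPort,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $TargetPort)
        # The certificate callback accepts any chain on purpose: this probe tests
        # protocol negotiation only, so a self-signed postconf certificate does not
        # mask the result. Do not reuse this callback in production code.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $false)
        "{0,-6} negotiated: {1} / cipher {2}" -f $Protocol, $ssl.SslProtocol, $ssl.CipherAlgorithm
    } catch {
        "{0,-6} FAILED: {1}" -f $Protocol, $_.Exception.GetBaseException().Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
}

Test-TlsHandshake -TargetHost $ServerFqdn -TargetPort $Port -Protocol ([System.Security.Authentication.SslProtocols]::Tls12)
Test-TlsHandshake -TargetHost $ServerFqdn -TargetPort $Port -Protocol ([System.Security.Authentication.SslProtocols]::Tls13)
```

If the TLS 1.3 probe fails on a workstation where the TLS 1.2 probe succeeds, the nginx `ssl_protocols` setting on the server and the client's schannel configuration have no version in common, which is the situation the thread describes.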
TomTomGo
Messages: 25
Registration: May 3, 2017 - 3:36 p.m.
Location: La Chapelle-sur-Erdre

July 25, 2024 - 5:31 PM

dcardon wrote: Jul 25, 2024 - 5:15 PM
Hello Thomas,

It seems that Windows 11 doesn't enable TLS 1.3 by default (there are registry keys that need to be changed).

WAPTAgent uses OpenSSL for all cryptography, but WAPTDeploy, to be lighter, relies on the Windows schannel implementation to avoid having to include OpenSSL (which would double the size of waptdeploy...). And the default schannel configuration on a Windows 11 machine doesn't have TLS 1.3 enabled (there's a registry key/GPO that needs to be set for that). Note: Edge uses TLS 1.3 because it's based on the Chromium TLS layer and not the Windows one, so this is a bit misleading. Note 2: To further mislead the unsuspecting sysadmin, TLS 1.3 has been enabled on Windows 10 for several years now, even though Microsoft says it isn't, and it's not enabled on Windows 11, even though Microsoft says it is[1]...

We switched to TLS 1.3 for the CSPN certification process, but since TLS 1.2 is still accepted by ANSSI, I think we'll modify the Target of Evaluation to specify TLS 1.2; it will be simpler.

Thank you for bringing this to our attention.

Best regards,

Denis

[1] https://learn.microsoft.com/en-us/windo ... on-support
Hello Denis,

Thanks for your feedback. You're right, you couldn't make this up; it's surprising that Windows 11 doesn't enable TLS 1.3 by default. Good to know...
And the independent management of TLS versions by browsers doesn't help matters, but I finally understood that this was the problem. So, if I understand correctly, you'll stick with TLS 1.2 as long as it's still validated by ANSSI?

Thank you and have a good evening

Thomas