[RESOLVED] WAPT 2.5.5.15691: TLS error with waptdeploy.exe

Published: July 25, 2024 - 2:36 PM
by TomTomGo
Good morning,

WAPT Server: Up-to-date Debian 11
Client workstation: Windows 11 23H2
WAPT 2.5.5.15691 Discovery

Following the upgrade of my WAPT server from 2.5.5.15640 to 2.5.5.15691 this morning, I get an error message when I try to update the WAPT agent on the workstations using waptdeploy.exe:

Code:

waptdeploy.exe --waptsetupurl=https://srvwapt.mydomain/wapt/waptagent.exe --hash=942cde31e7b6144a873b0daad14db24abb040042fb6ed27ee84a76d60918aa7b --minversion=2.5.5.15691 --tasks=autorunTray,installService,installredist2008,!autoUpgradePolicy --wait=15
{"waptsetupurl":"https://srvwapt.mydomain/wapt/waptagent.exe","hash":"942cde31e7b6144a873b0daad14db24abb040042fb6ed27ee84a76d60918aa7b","minversion":"2.5.5.15691","tasks":"autorunTray,installService,installredist2008,!autoUpgradePolicy","wait":"15"}
WAPT version: 2.5.5.15640
WAPT required version: 2.5.5.15691
Wapt agent path: C:\Users\toto\AppData\Local\Temp\waptagent.exe
Wget new waptagent from https://srvwapt.mydomain/wapt/waptagent.exe
Trying to reach https://srvwapt.mydomain/wapt/waptagent.exe...
Expecting hash sha256: 942cde31e7b6144a873b0daad14db24abb040042fb6ed27ee84a76d60918aa7b
Using proxy :
Error trying to get https://srvwapt.mydomain/wapt/waptagent.exe : Error downloading https://srvwapt.mydomain/wapt/waptagent.exe: [ENetSock] THttpClientSocket.DoTlsAfter: TLS failed [ESChannel <srvwapt.mydomain>: ComputeAndSendAnswer returned 80090302 [SEC_E_UNSUPPORTED_FUNCTION], System Error 1 [ERROR_INVALID_FUNCTION]]... sleeping
Delete sheduled task "fullwaptupgrade"
An unhandled exception occurred at $00323D02:
Exception: Error downloading https://srvwapt.mydomain/wapt/waptagent.exe: [ENetSock] THttpClientSocket.DoTlsAfter: TLS failed [ESChannel <srvwapt.mydomain>: ComputeAndSendAnswer returned 80090302 [SEC_E_UNSUPPORTED_FUNCTION], System Error 1 [ERROR_INVALID_FUNCTION]]
  $00323D02
  $00325402

I deleted and regenerated the Nginx SSL certificates under /opt/wapt/waptserver/ssl/ using the postconf.sh script => SAME
I also tried replacing the Wapt server's FQDN with the IP address => SAME RESULT (see viewtopic.php?p=11185&hilit=%5BENetSock ... led#p11185)
I forced the reinstallation of the tis-waptserver and tis-waptsetup packages and restarted the postconf => SAME RESULT
I'm out of ideas. Has anyone else encountered this problem, please?

Thank you in advance and have a good day

Re: WAPT 2.5.5.15691: TLS error with waptdeploy.exe

Published: July 25, 2024 - 3:24 PM
by TomTomGo
Well, after consulting the CHANGELOG for version 2.5.5.15691, I saw this:

[IMP] waptserver: on Linux: use TLS1.3 for nginx on linux

So I switched back to TLS 1.2 in /etc/nginx/sites-enabled/wapt.conf:

Code:

ssl_protocols               TLSv1.2;

After restarting the Nginx services, it's working again :)

Re: WAPT 2.5.5.15691: TLS error with waptdeploy.exe

Published: July 25, 2024 - 5:15 PM
by dcardon
Hi Thomas,

It seems that Windows 11 doesn't enable TLS 1.3 by default (there are registry keys that need to be changed).

WAPTAgent uses OpenSSL for all cryptography, but WAPTDeploy, to be lighter, relies on the Windows schannel implementation to avoid having to include OpenSSL (which would double the size of waptdeploy...). And the default schannel configuration on Windows 11 doesn't have TLS 1.3 enabled (there's a registry key/GPO that needs to be set for this). Note: Edge uses TLS 1.3 because it's based on the Chromium TLS layer and not the Windows one, so this is a bit misleading. Note 2: To further mislead the unsuspecting sysadmin, TLS 1.3 has been enabled on Windows 10 for several years now, even though Microsoft says it isn't, and it's not enabled on Windows 11, even though Microsoft says it is[1]...

We switched to TLS 1.3 for the CSPN certification process, but since TLS 1.2 is still accepted by ANSSI, I think we'll modify the Target of Evaluation to specify TLS 1.2; it will be simpler.

Thank you for bringing this to our attention.

Best regards,

Denis

[1] https://learn.microsoft.com/en-us/windo ... on-support
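Added example (not part of the thread, and not WAPT, nginx or schannel code): a Python reproduction of the failure mode dcardon describes above, using the standard `ssl` module as a stand-in for nginx on the server side and for the Windows TLS stack on the client side. It assumes an `openssl` command-line tool (1.1.1 or newer) is on PATH to mint a throwaway localhost certificate. The first scenario is the thread's situation (server restricted to TLS 1.3, client capped at TLS 1.2), the second is TomTomGo's fix (TLS 1.2 only), and the last two go beyond the thread to show that an nginx `ssl_protocols TLSv1.2 TLSv1.3;` line would serve both a TLS 1.2-only client such as waptdeploy.exe and TLS 1.3-capable clients.

```python
"""
Loopback reproduction of a TLS version mismatch: a server offering only
TLS 1.3 against a client whose stack is capped at TLS 1.2.
Added example; assumes the `openssl` CLI (1.1.1+) is available.
"""
import socket
import ssl
import subprocess
import tempfile
import threading
from pathlib import Path


def make_self_signed_cert(directory):
    """Generate a throwaway self-signed cert for localhost (assumes openssl CLI on PATH)."""
    cert = Path(directory) / "srv.pem"
    key = Path(directory) / "srv.key"
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
         "-keyout", str(key), "-out", str(cert)],
        check=True, capture_output=True,
    )
    return str(cert), str(key)


def server_context(cert, key, protocols):
    """Server side: `protocols` plays the role of nginx's ssl_protocols directive."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    ctx.minimum_version = min(protocols)
    ctx.maximum_version = max(protocols)
    return ctx


def client_context(cert, max_version):
    """Client side: max_version models the highest TLS version the client stack has enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cert)  # trust only the throwaway cert
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = max_version
    return ctx


def try_handshake(server_ctx, client_ctx):
    """Run one handshake over loopback; return the negotiated version, or None if it fails."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(16)  # wait for the client's test message, then close
        except (ssl.SSLError, OSError):
            pass  # a failed handshake is the expected outcome in the mismatch case
        finally:
            conn.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                tls.sendall(b"ping")
                return tls.version()
    except (ssl.SSLError, ConnectionError):
        return None  # server sent a protocol_version alert or dropped the connection
    finally:
        worker.join(5)
        listener.close()


def run_scenarios():
    """Server/client combinations; keys name the server's protocol list and the client's cap."""
    v12, v13 = ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3
    with tempfile.TemporaryDirectory() as workdir:
        cert, key = make_self_signed_cert(workdir)
        return {
            # the thread's situation: nginx on TLSv1.3 only, client capped at TLS 1.2
            "tls13_only_vs_tls12_client": try_handshake(
                server_context(cert, key, [v13]), client_context(cert, v12)),
            # TomTomGo's fix: ssl_protocols TLSv1.2;
            "tls12_only_vs_tls12_client": try_handshake(
                server_context(cert, key, [v12]), client_context(cert, v12)),
            # offering both versions keeps the TLS 1.2-only client working...
            "tls12_and_13_vs_tls12_client": try_handshake(
                server_context(cert, key, [v12, v13]), client_context(cert, v12)),
            # ...while TLS 1.3-capable clients still get TLS 1.3
            "tls12_and_13_vs_tls13_client": try_handshake(
                server_context(cert, key, [v12, v13]), client_context(cert, v13)),
        }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:30s} -> {outcome or 'handshake failed'}")
```

Run it directly to print each outcome. In the first scenario the client sees the server's protocol_version alert and the handshake fails; the thread's waptdeploy.exe output shows the same mismatch surfacing through schannel as SEC_E_UNSUPPORTED_FUNCTION. The last two scenarios are the reason a practitioner would usually list both versions in nginx rather than dropping to TLS 1.2 alone: the server keeps TLS 1.3 for clients that support it without locking out the ones that do not.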

Re: WAPT 2.5.5.15691: TLS error with waptdeploy.exe

Published: July 25, 2024 - 5:31 PM
by TomTomGo
dcardon wrote: Jul 25, 2024 - 5:15 PM
It seems that Windows 11 doesn't enable TLS 1.3 by default (there are registry keys that need to be changed).
[...]
Hello Denis,

Thanks for your feedback. You're right, it's not something you could make up, and it's surprising that Windows 11 doesn't enable TLS 1.3 by default; good to know...
And the independent management of TLS versions by browsers doesn't help matters, but I finally understood that this was the problem. So, if I understand correctly, you'll stick with TLS 1.2 as long as it's still validated by ANSSI?

Thank you and have a good evening

Thomas