Preparing Agents and Probes for communicating over TLS1.2 with Modern Security Profile or Agent/Probe not checking in

Last Modified

Wed 20 Jan 12:52 GMT 2021

Description

• Patch Management introduces a change to the Modern Security Profile, which could cause devices which are not fully patched and/or on Older Operating Systems to fail to check in/report to N-central.
• Symptoms of this issue include:
  • Agent or Probe not checking in after upgrade - Could not create TLS channel
    • Soap.log (C:\Program Files (x86)\N-able Technologies\Windows Agent\log)

      [GetConfig] 2020-03-16 09:18:03,357 <<*>> com.nable.agent.framework.rpc.ServerProxy GetConfig: will retry server.ApplianceGetConfig: Exception caught - The request was aborted: Could not create SSL/TLS secure channel.

  • Agent or Probe not installing - Communication with Server failed
    • NableTrace.log (c:\windows\temp)
      2020-03-24 17:10:01,868 - Version: .1500 - ValidateCustomerNameID Error: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
       
    • 
• Using the Modern Security Profile in Patch Management, Devices with the Agent or Probe installed must have at least one of the following ciphers enabled, and these must be in the preferred Cipher Order on the device:
• |   TLSv1.2:
  |     ciphers:
  |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
  |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
  |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
  |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
   
• 

Environment

• N-able N-central or later

Solution

• Optional: Choose Legacy Setting. If you have already upgraded to or later, you can resolve this immediately by switching back to Legacy Settings. The server will restart, and begin accepting connections using older TLS versions and older ciphers. This is not desirable since it reduces the security of the server. It could be useful as a temporary measure in order to access devices and ensure they are fully patched and configured. This setting is found under Administration > Mail and Network Settings > Network Security > Legacy Settings (see screenshot above).

1. Check Readiness. Check that the Ciphers are enabled and in the preferred order as below. 
   1. Check OS steps. Check the appropriate Operating System section below for preparation steps. The basic steps are to apply Updates, and Reboot.
   2. Check Cipher Script. Once updated, check can check a device's readiness by running the Cipher Check Script. The output will advise you on the status of enabled and preferred ciphers.

• Windows 10 & Server 2016 or later
• Earlier versions of Windows & Windows Server
• Linux
• Mac
• N-central

Windows 10 & Server 2016 or later

• Windows 10 and Windows Server 2016 are configured with compatible ciphers by default. It may be necessary to reorder ciphers, especially if third party software or GPO was used to modify security settings.

1. Run the Cipher Check Script.
2. If there is a problem with Cipher Order, use GPO or gpedit.msc to add ciphers to the order or reset the preferred order.
   • See: https://docs.microsoft.com/en-us/windows-server/security/tls/manage-tls
3. Reboot and retest the N-able N-central Agent.
4. If still unsuccessful, reset or enable the ciphers in the cipher order on the system see the same article as above:https://docs.microsoft.com/en-us/windows-server/security/tls/manage-tls

• Also See: 
  • https://www.petri.com/cipher-best-practice-configure-iis-ssl-tls-protocol
  • https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel
  • https://docs.microsoft.com/en-gb/windows/win32/secauthn/prioritizing-schannel-cipher-suites?redirectedfrom=MSDN

Earlier versions of Windows & Windows Server

1. Apply any Windows updates which add GCM cipher capability.
   1. Install the relevant patches below (via N-able N-central if you have switched back to Legacy mode), or apply them manually/via GPO, etc:
      • Windows 7, Server 2008 R2 
        • Install SP1, then ensure any Update Rollup or Cumulative Rollup after June 2016 has been installed, preferably the most recent. 
      • Windows 7 SP1, Server 2008 R2 SP1 
        • Ensure any Update Rollup or Cumulative Rollup after June 2016 has been installed, preferably the most recent.
      • Windows 8
        • Install one or all of:
        • KB2992611 - "Security Update for Windows 8"
        • KB4492872 - "Internet Explorer 11 for Windows <OS_VERSION> for <ARCH>-based systems",
        • KB4540671 - "2020-03 Cumulative Security Update for Internet Explorer 11 for Windows <OS_VERSION> for <ARCH>-based systems", or
        • KB4541510 - "2020-03 Security Monthly Quality Rollup for Windows <OS_VERSION> for <ARCH>-based Systems"
      • Windows 8 Embedded, Server 2012 
        • Install one or all of:
        • KB4492872 - "Internet Explorer 11 for Windows <OS_VERSION> for <ARCH>-based systems",
        • KB4540671 - "2020-03 Cumulative Security Update for Internet Explorer 11 for Windows <OS_VERSION> for <ARCH>-based systems", or
        • KB4541510 - "2020-03 Security Monthly Quality Rollup for Windows <OS_VERSION> for <ARCH>-based Systems"
      • Windows 8.1, Server 2012 R2 
        • Ensure any Update Rollup or Cumulative Rollup after June 2016 has been installed, preferably the most recent.
        • Ensure that KB3174644 (April 2020) is installed, which enables the use of higher security ciphers, specifically, accepting 2048-bit DHE parameters required by the Modern Profile.
        • If there is still any issue, try disabling cipher ordering (see below).
2. Then enable the ciphers using GPO or gpedit (or other method) see: https://docs.microsoft.com/en-us/windows-server/security/tls/manage-tls. This step should not be necessary, but may be necessary if the preferred cipher order was manually changed or changed by third party software.
3. Switch N-able N-central settings back to Modern and confirm the issue is resolved..

• Also See: 
  • https://docs.microsoft.com/en-gb/windows/win32/secauthn/prioritizing-schannel-cipher-suites?redirectedfrom=MSDN
  • https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel

Linux

1. Apply any updates for older Operating Systems to make the compatible ciphers available. 
2. Enable the above ciphers.
3. Reset or enable the ciphers in the cipher order on the system

• Example Command to show ciphers available on a Linux system:
  /usr/bin/openssl ciphers -v
  
  ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
  ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
  ...
  
  KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
  KRB5-RC4-MD5            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=MD5
  • See: https://community.tenable.com/s/article/How-to-check-the-SSL-TLS-Cipher-Suites-in-Linux-and-Windows

Mac

• Example command:
  openssl ciphers -v
  • Also see: https://stackoverflow.com/questions/45265363/openssl-is-missing-ciphers-on-os-x

Testing your N-able N-central Server (or another server)

• From linux or on a device with the nmap package installed:
  nmap --script ssl-enum-ciphers -p 443 <server_address_here>
• Alternately, use a third party website, such as: https://www.ssllabs.com/ssltest/