restic-windows-backup
use tls 1.2
Set SSL to use TLS version 1.2 to allow for the deprecation of TLS 1.0: https://devblogs.microsoft.com/powershell/powershell-gallery-tls-support/
Can you add more details as to why this is needed? (i.e. did the download fail without this change?)
My assumption is that PowerShell will default to the correct TLS version. Why force it to 1.2?
Thanks, Kevin
For some reason, on every Windows Server 2012 R2 install we have, it fails to download restic because PowerShell defaults to 1.0, and you need to force it to use the latest TLS version.
On 7 May 2021, at 16:05, Kevin Woley @.***> wrote:
> Can you add more details as to why this is needed? (i.e. did the download fail without this change?)
> My assumption is that PowerShell will default to the correct TLS version. Why force it to 1.2?
> Thanks, Kevin
Got it. I'd prefer not to update the scripts to hard code a TLS version if it can be avoided.
Doing some digging, it looks like there are some registry values that you can set on WS2012 that would accomplish the same thing: https://docs.microsoft.com/en-us/security/engineering/solving-tls1-problem
1. Modify the script in question to include the following:

   ```powershell
   [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;
   ```

2. Add a system-wide registry key (e.g. via group policy) to any machine that needs to make TLS 1.2 connections from a .NET app. This will cause .NET to use the "System Default" TLS versions which adds TLS 1.2 as an available protocol AND it will allow the scripts to use future TLS Versions when the OS supports them. (e.g. TLS 1.3)

   ```
   reg add HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /v SystemDefaultTlsVersions /t REG_DWORD /d 1 /f /reg:64
   reg add HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /v SystemDefaultTlsVersions /t REG_DWORD /d 1 /f /reg:32
   ```
Did you try the registry solution?
Hi, forgive my delay. Setting the registry items made no difference and didn't seem to work for some reason. However, every single VM I have (Win7, Win8.1, Win10, Server 2012 R2, Server 2016, Server 2019) is perfectly happy using the hardcoded TLS 1.2, and it downloads the restic zip file with no problems, but without the line it seems to error out.
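An added example, not code from this pull request or from the project: a middle ground between the two options discussed in the thread. It reports whether the `SystemDefaultTlsVersions` value is actually present in both registry views, then adds TLS 1.2 to the session's enabled protocols without overwriting them. The function names are hypothetical, and it assumes Windows PowerShell on .NET Framework 4.5 or later.

```powershell
# Added example. Assumes Windows PowerShell on .NET Framework 4.5 or later.
# Function names are hypothetical and are not part of restic-windows-backup.

function Get-DotNetTlsRegistryState {
    # 64-bit and 32-bit (WOW6432Node) views, matching the /reg:64 and /reg:32 commands in the thread.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($path in $paths) {
        $key = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path                     = $path
            SystemDefaultTlsVersions = $key.SystemDefaultTlsVersions  # empty if not set
            SchUseStrongCrypto       = $key.SchUseStrongCrypto        # related .NET value, empty if not set
        }
    }
}

function Enable-Tls12ForSession {
    $tls12   = [System.Net.SecurityProtocolType]::Tls12
    $current = [System.Net.ServicePointManager]::SecurityProtocol

    # 0 is SystemDefault: .NET defers to the OS protocol list, so leave it untouched.
    if ([int]$current -eq 0) { return $current }

    # Add TLS 1.2 to the enabled set instead of replacing the set.
    if (([int]$current -band [int]$tls12) -eq 0) {
        [System.Net.ServicePointManager]::SecurityProtocol = $current -bor $tls12
    }
    return [System.Net.ServicePointManager]::SecurityProtocol
}

Get-DotNetTlsRegistryState | Format-Table -AutoSize
"Before: $([System.Net.ServicePointManager]::SecurityProtocol)"
"After:  $(Enable-Tls12ForSession)"
```

Unlike the plain assignment in option 1, this keeps whatever protocols were already enabled, so it does not switch off newer TLS versions on hosts that offer them.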