We are getting this error when querying vCenter server
Failed to retrieve contents from web service https://vcenterserver:443/sdk
An error occured in HTTP processing
In fsend call to WinHttpSendRequest: A security error occurred (12175)
One or more errors were encountered while retrieving a Secure Sockets Layer (SSL) certificate from the server: The application experienced an internal error loading the SSL libraries.
Checked https://IPAddress:PortNumber/sdk/vimService.wsdl and https://IPAddress:PortNumber/MOB
Ports are open, verified with MgsIPScan.
Would appreciate any other inputs / suggestions.
Sep 16, 2019 06:46 AM
Hi Nagaeendra,
Looks as if your vCenter is running on a newer OS that is not supporting TLS 1.0 anymore and your Beacon is running on Windows 7 still?
Windows 7 requires TLS 1.0 or SSL3 to be supported. See the following URLs for documentation and a fix from Microsoft:
https://social.technet.microsoft.com/Forums/en-US/e07aa2b7-abd4-4212-94b9-56cf73a91323/certificate-error-while-opening-excel-file?forum=officeitpro
https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi
Sep 16, 2019 07:58 AM
Hi,
This is probably due to the security settings on your server.
Can you verify the following setting in the registry?
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]"DefaultSecureProtocols"
If the value is dword:00000800, then only TLS 1.2 is enabled. When you change the value to dword:00000200 (TLS 1.1 enabled), then the scan will probably work again after a beacon engine restart.
Can you give this a try?
Sep 16, 2019 08:07 AM
Thanks @stefangeerars
It's a Win 2012 server and doesn't have this keyword DefaultSecureProtocols under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
It only has Passport Test and Tracing Keys
Sep 16, 2019 10:48 PM
Hi,
Can you verify if you are using the SchUseStrongCrypto?
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\vx.x.xxxx]
"SchUseStrongCrypto"=dword:00000001
and did you set the Windows Schannel to disable for example TLS 1.0 and TLS 1.1?
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
Stefan
Sep 17, 2019 02:49 AM
Hi @stefange
Yes, verified SchUseStrongCrypto; it is set to dword:00000001.
No TLS 1.0 and TLS 1.1 are set to enable.
Should SSL 2.0 and 3.0 be enabled or disabled?
Thanx
Sep 17, 2019 04:16 AM
Try adding the registry key
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]"DefaultSecureProtocols"
with value: dword:00000200
Stefan
Sep 17, 2019 06:09 AM
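The three settings raised in the replies above (WinHTTP DefaultSecureProtocols, .NET SchUseStrongCrypto and the Schannel protocol keys) can be read in one pass. The read-only PowerShell audit below is an added example, not part of the original posts. The bit values are the flags documented in Microsoft KB 3140245 (linked earlier in the thread), and the function name Convert-SecureProtocols is made up for this example.

```powershell
# Added example: read-only audit of the TLS-related registry settings from this thread.
# Bit flags for DefaultSecureProtocols as documented in Microsoft KB 3140245.
$flags = [ordered]@{
    'SSL 2.0' = 0x008
    'SSL 3.0' = 0x020
    'TLS 1.0' = 0x080
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

# Hypothetical helper: return the protocol names whose bit is set in the mask.
function Convert-SecureProtocols([int]$Value) {
    $flags.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object { $_.Key }
}

# 1. WinHTTP defaults: the native and WOW6432Node views are separate values.
$winHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)
foreach ($key in $winHttpKeys) {
    $v = (Get-ItemProperty -Path $key -Name DefaultSecureProtocols -ErrorAction SilentlyContinue).DefaultSecureProtocols
    if ($null -eq $v) {
        "{0}: DefaultSecureProtocols not set (OS default applies)" -f $key
    } else {
        "{0}: 0x{1:X8} => {2}" -f $key, $v, ((Convert-SecureProtocols $v) -join ', ')
    }
}

# 2. .NET SchUseStrongCrypto for every installed 32-bit framework version key.
Get-ChildItem 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'v*' } |
    ForEach-Object {
        $s = $_.GetValue('SchUseStrongCrypto')
        "{0}: SchUseStrongCrypto = {1}" -f $_.PSChildName, $(if ($null -eq $s) { 'not set' } else { $s })
    }

# 3. Schannel per-protocol overrides (empty output means no overrides are configured).
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
Get-ChildItem $schannel -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^(Client|Server)$' } |
    ForEach-Object {
        $name = $_.Name -replace '^.*\\Protocols\\', ''   # e.g. "TLS 1.0\Client"
        "{0}: Enabled={1} DisabledByDefault={2}" -f $name, $_.GetValue('Enabled'), $_.GetValue('DisabledByDefault')
    }
```

A mask of 0x00000200 decodes to TLS 1.1 only and 0x00000800 to TLS 1.2 only; 0x00000A00 sets both bits.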
Hi @stefange
Checked by adding dword:00000200
It doesn't throw the SSL error now, but it doesn't do discovery either.
But on ESXquery I see
" Decryption operation failed
In fsend call to WinHttpSendRequest : A connection with the server could not be established (12029)
An error occured in HTTP processing
Failed to retrieve contents from web service https://vCenter server:443/sdk
BindingServer(ServerIP, proto=https, port=0) failed. "
Sep 18, 2019 03:51 AM
Question: is the certificate on the vCenter server still valid?
Sep 17, 2019 09:10 AM
Hi @mgunnels
Yes, the certificate on vCenter is valid, though the root certificate authorities are different between these 2 servers (vCenter & FNMS server).
Sep 17, 2019 09:41 PM