When FlexNet Beacon Server is only using TLS v1.2, policy download fails and the Beacon Engine is no longer able to communicate to the Application Server
After SSL 3.0 and TLS 1.0 have been disabled, the Beacon Engine still tries to communicate over the older protocols, as shown by the following line in the BeaconEngine.log file: [psClientSecurityPolicy|Async] [INFO ] Security protocols Ssl3, Tls are in use.
Policy downloads then fail with the following error:
2018-01-08 11:26:13,003 [Services.PolicyService|policy] [ERROR] Failed to download policy.
Flexera.SaaS.Transport.Core.ComplianceApiFatalException: Download failed for item https://fnmsbatchuat.FlexDemo.com/inventory-beacons/api/policy/?BeaconUID={25E6AD55-0000-48C2-0000-F75DA5FB384C} (An error occurred while sending the request.) ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.TlsStream.CallProcessAuthentication(Object state)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.BeginWrite(Byte[] buffer, Int32 offset, Int32 size, AsyncCallback asyncCallback, Object asyncState)
at System.Net.TlsStream.UnsafeBeginWrite(Byte[] buffer, Int32 offset, Int32 size, AsyncCallback asyncCallback, Object asyncState)
at System.Net.PooledStream.UnsafeBeginWrite(Byte[] buffer, Int32 offset, Int32 size, AsyncCallback callback, Object state)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
at Flexera.SaaS.Transport.Rules.PolicyClient.DownloadPolicy(String currentVersion, String inventorySettingsRevision)
at Flexera.Beacon.Engine.Services.PolicyService.GetPolicyFromServer(Int32 currentRevisionNumber, String inventorySettingsRevision)
at Flexera.Beacon.Engine.Services.PolicyService.UpdatePolicy(IActivityLogger activityLogger)
Microsoft .NET Framework v4.5.x and earlier defaults to a weak encryption cipher that is not compatible with TLS v1.1 and 1.2, but we have seen the same behaviour with the .NET v4.6.x that ships with Windows Server 2016.
Microsoft has a KB article regarding the older .NET Framework versions:
https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/2960358
The workaround is to force Microsoft .NET Framework to use a strong cipher by adding the following Registry Key:
Additional changes may be required in order to force TLS 1.1 or 1.2 on your beacon. Please review the Transport Layer Security (TLS) 1.1 & 1.2 Configuration article for further information.
There is also this KB article, which goes into further detail about certificate setup and other TLS-related information.
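As an added example (not part of the original article), the following PowerShell reports and then sets the SchUseStrongCrypto value that the Microsoft advisory linked above describes for .NET Framework 4.x, in both the 64-bit and the 32-bit (Wow6432Node) hives, and verifies the result from a fresh .NET process. The registry path and value name come from that advisory, not from this article; the function names are my own, and it assumes an elevated session on the beacon server.

```powershell
# Added example, not the article's or Flexera's own code.
# SchUseStrongCrypto = 1 (Microsoft Security Advisory 2960358) makes a new .NET 4.x
# process default to TLS 1.0/1.1/1.2 instead of SSL 3.0/TLS 1.0, which is what the
# beacon log line "Security protocols Ssl3, Tls are in use" reflects.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'   # 32-bit processes on 64-bit Windows
)

function Get-StrongCryptoState {
    # Returns one row per hive; Value $null means the value is absent and the old defaults apply.
    foreach ($key in $keys) {
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue).SchUseStrongCrypto
        }
        [pscustomobject]@{
            Key      = $key
            Value    = $value
            Enforced = ($value -eq 1)
        }
    }
}

function Enable-StrongCrypto {
    # Creates the key if needed and sets the DWORD in both hives, since the beacon
    # service's bitness is not stated in the article.
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Before: report the current state of both hives.
Get-StrongCryptoState | Format-Table -AutoSize

# Apply the change. .NET reads this value once at process start, so the Beacon Engine
# service must be restarted afterwards for it to take effect.
Enable-StrongCrypto
Get-StrongCryptoState | Format-Table -AutoSize

# Verification from a *new* .NET process: with the value set, the default protocol list
# on .NET 4.5/4.6 no longer contains Ssl3. On .NET 4.7 and later this prints
# SystemDefault, meaning the SCHANNEL protocol settings of the OS decide instead.
powershell.exe -NoProfile -Command '[Net.ServicePointManager]::SecurityProtocol'
```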
on Jun 09, 2018 02:09 AM - edited on Jun 30, 2020 03:54 PM by jlynch11