Cannot connect to server over TLS 1.2 with MSSCCI-API

If you are having a problem using Vault, post a message here.

Moderator: SourceGear

Post Reply
CaryFCST
Posts: 8
Joined: Wed Aug 12, 2020 1:30 pm
Location: Texas

Cannot connect to server over TLS 1.2 with MSSCCI-API

Post by CaryFCST » Wed Aug 12, 2020 1:38 pm

Good afternoon,

We recently upgraded to Vault Standard 10 and are using Ivercy to connect to the Vault Server from Access 365 using the MSSCCI-API. Unfortunately we are unsuccessful in this and it appears to be because the VaultIDE.dll does not support a connection using TLS 1.2. Our internal security team requires me to configure our web server using TLS 1.2, so this is a show stopper for us.

I've installed both the "Vault GUI Client update for TLS 1.1/1.2" and the "Vault Command Line Client update for TLS 1.1/1.2", but neither of those update VaultIDE.dll. Is there a workaround for this?
Have a great day,
Cary Fleming
CentralSquare Technologies

Tonya
Posts: 914
Joined: Thu Jan 20, 2005 1:47 pm
Location: SourceGear

Re: Cannot connect to server over TLS 1.2 with MSSCCI-API

Post by Tonya » Wed Aug 12, 2020 3:10 pm

Hi Cary,

Below is the recommended deployment for TLS 1.1/1.2 :

a) Check and verify .NET Framework 4.5 is installed on each client.
b) Have the latest Vault Standard Client installed.
c) Download the Vault Standard - "Vault GUI Client update for TLS 1.1/1.2". This is a compressed .zip file.
d) You can extract that into a new directory you create under "\Program Files (x86)"

Can you please confirm the above has been completed? If so, please provide us with more information in regards to your issue (any errors you are receiving, etc). We'd also like to see your Vault Server log.

Thanks,

Tonya

CaryFCST
Posts: 8
Joined: Wed Aug 12, 2020 1:30 pm
Location: Texas

Re: Cannot connect to server over TLS 1.2 with MSSCCI-API

Post by CaryFCST » Wed Aug 12, 2020 3:55 pm

As I stated in my original post:

I've installed both the "Vault GUI Client update for TLS 1.1/1.2" and the "Vault Command Line Client update for TLS 1.1/1.2", but neither of those update VaultIDE.dll. Is there a workaround for this?

The GUI Client connects just fine, but the MSSCCI-API via VaultIDE.dll does NOT connect. I've attached the Vault log file that I was able to get VaultIDE.dll to create. It seems to indicate that it can't create a secure SSL/TLS channel to the server. That tells me that is contacted the server, but couldn't agree on a protocol. Our server is using TLS 1.2, which VaultIDE.dll doesn't seem to speak.

EDIT: There is nothing it the Vault Server's sgvault.log file for today, because it never got that far in the process. There is also nothing in the IIS log file, for the same reason, no connection could be successfully established.
Attachments
VaultLog.txt
(4.26 KiB) Downloaded 1167 times
Have a great day,
Cary Fleming
CentralSquare Technologies

Tonya
Posts: 914
Joined: Thu Jan 20, 2005 1:47 pm
Location: SourceGear

Re: Cannot connect to server over TLS 1.2 with MSSCCI-API

Post by Tonya » Thu Aug 13, 2020 9:00 am

Hello again,

Unfortunately, the MSSCCI client is designed for .NET 2.0 will only run TLS 1.0. TLS 1.2 is not yet supported. I will get this logged as a request to be considered in an upcoming release.

Tonya

CaryFCST
Posts: 8
Joined: Wed Aug 12, 2020 1:30 pm
Location: Texas

Re: Cannot connect to server over TLS 1.2 with MSSCCI-API

Post by CaryFCST » Thu Aug 13, 2020 9:15 am

TLS 1.0 has been deprecated for more than a year by most companies. This is a showstopper for us, and may require us to move to different SCC software, which I really don't want to do. I'd hate to lose all of our history just because our SCC provider doesn't keep up with the prevailing security requirements of the internet.
Have a great day,
Cary Fleming
CentralSquare Technologies

Tonya
Posts: 914
Joined: Thu Jan 20, 2005 1:47 pm
Location: SourceGear

Re: Cannot connect to server over TLS 1.2 with MSSCCI-API

Post by Tonya » Thu Aug 13, 2020 9:25 am

Hello again,

We are currently working on Vault 11 and this option will be considered. Unfortunately, I don't have a release date yet that I can confirm.

Tonya

CaryFCST
Posts: 8
Joined: Wed Aug 12, 2020 1:30 pm
Location: Texas

Re: Cannot connect to server over TLS 1.2 with MSSCCI-API

Post by CaryFCST » Thu Aug 13, 2020 9:31 am

TLS 1.0 was deprecated when Vault 10 was released. You've released patches for the GUI and command-line clients, why not the MSSCCI client?
Have a great day,
Cary Fleming
CentralSquare Technologies

Tonya
Posts: 914
Joined: Thu Jan 20, 2005 1:47 pm
Location: SourceGear

Re: Cannot connect to server over TLS 1.2 with MSSCCI-API

Post by Tonya » Thu Aug 13, 2020 10:12 am

The MSSCCI client original design and purpose was to work with dev tools like Visual Basic 6, Visual C/C++ Dev Studio, and Visual Studio 2003.NET (it has roots in .NET 2.0). Until recently, we had not heard of others integrating the Classic client with things like MS Access or Ivercy.

We do have plans to update some of these features in Vault 11.

Tonya

PhilS
Posts: 28
Joined: Wed Sep 16, 2015 12:23 pm
Location: Germany
Contact:

Re: Cannot connect to server over TLS 1.2 with MSSCCI-API

Post by PhilS » Sat Aug 15, 2020 3:22 am

Hi!

FYI: I am the owner of Ivercy. We highly recommend Sourcegear Vault to our customers. It is slightly disappointing that a security related issue like the deprecation of the old TLS protocols appears to have little priority at Sourcegear.

Another FYI:
To my knowledge Microsoft SQL Server Management Studio (current version!) also depends on the MSSCCI-API to integrate Sourcegear Vault. I'm not aware of a way to use the Vault Enhanced Client with it. Your own Getting started with Vault Visual Studio Clients guide only mentions the classic client for SSMS.

We ourselves plan a server migration in the near future which probably will also make TLS 1.2 mandatory.

Tonya wrote:Unfortunately, the MSSCCI client is designed for .NET 2.0 will only run TLS 1.0. TLS 1.2 is not yet supported.
Tonya, please escalate this issue to your development team. The fact that the MSSCCI client is developed in .Net 2.0 on its own is not a valid reason to not support TLS 1.2. Microsoft released patches for .Net 2.0 and 3.5.1 to enabled TLS 1.2 for applications build against those framework versions.
See:
https://support.microsoft.com/en-us/hel ... -framework
https://support.microsoft.com/en-us/hel ... -framework

Best regards,
Philipp

jclausius
Posts: 3706
Joined: Tue Dec 16, 2003 1:17 pm
Location: SourceGear
Contact:

Re: Cannot connect to server over TLS 1.2 with MSSCCI-API

Post by jclausius » Mon Aug 17, 2020 9:36 am

Hi Philipp,

As mentioned, we had not been requested for TLS 1.1/1.2 before Cary's post by anyone. And weren't really sure we would as most folks are using the Vault Classic client in "Classic" development scenarios, such as FoxPro, VB6 and C/C++ Developer Studio.

Changing support for a new .NET version is not merely a re-compilation of the Classic Client to a new .NET target. I had mentioned this in a different thread ( viewtopic.php?f=5&t=23496 ). As you probably know, the 1.3 MSSCCI specification (while over a decade old) is a native DLL. In order to use the existing Vault DLLs, this native DLL has to load the .NET runtime into the host process, which is quite different from targeting a different .NET version during compilation.

We do take the elimination of SSL 3/TLS 1.0 as a serious issue, and will be researching methods in order to not only load later versions of various .NET runtimes (thereby adding TLS 1.1/1.2 support), but also find a way to add support for 64-bit applications as well in the next planned release - Vault 11.

We appreciate the support from Ivercy, and thank you for working with SourceGear Vault.
PhilS wrote:
Sat Aug 15, 2020 3:22 am
Hi!

FYI: I am the owner of Ivercy. We highly recommend Sourcegear Vault to our customers. It is slightly disappointing that a security related issue like the deprecation of the old TLS protocols appears to have little priority at Sourcegear.

Another FYI:
To my knowledge Microsoft SQL Server Management Studio (current version!) also depends on the MSSCCI-API to integrate Sourcegear Vault. I'm not aware of a way to use the Vault Enhanced Client with it. Your own Getting started with Vault Visual Studio Clients guide only mentions the classic client for SSMS.

We ourselves plan a server migration in the near future which probably will also make TLS 1.2 mandatory.

Tonya wrote:Unfortunately, the MSSCCI client is designed for .NET 2.0 will only run TLS 1.0. TLS 1.2 is not yet supported.
Tonya, please escalate this issue to your development team. The fact that the MSSCCI client is developed in .Net 2.0 on its own is not a valid reason to not support TLS 1.2. Microsoft released patches for .Net 2.0 and 3.5.1 to enabled TLS 1.2 for applications build against those framework versions.
See:
https://support.microsoft.com/en-us/hel ... -framework
https://support.microsoft.com/en-us/hel ... -framework

Best regards,
Philipp
Jeff Clausius
SourceGear

PhilS
Posts: 28
Joined: Wed Sep 16, 2015 12:23 pm
Location: Germany
Contact:

Re: Cannot connect to server over TLS 1.2 with MSSCCI-API

Post by PhilS » Thu Sep 03, 2020 9:41 am

Hi Jeff!

Thank you very much for your reply. I highly appreciate that our are planning to modernize the Vault MSSCCI-Provider for Vault 11, particularly for x64 support.

As for the TLS 1.2 issue, it appears you missed the most important part of my post:
PhilS wrote:The fact that the MSSCCI client is developed in .Net 2.0 on its own is not a valid reason to not support TLS 1.2. Microsoft released patches for .Net 2.0 and 3.5.1 to enabled TLS 1.2 for applications build against those framework versions.
I didn't want to stress that more in case my assumptions were incorrect. - That is the reason for this reply being delayed by more than two weeks.

I now reconfigured our Vault server to enforce TLS 1.2 encryption for HTTPS. I can confirm that the .Net Runtime 2.0 does support TLS 1.2 connections with the updates I mentioned in my previous post applied. So, you could recompile the Vault MSSCCI-Provider with minor code changes to support TLS 1.2.

However, even more important, you do not even have to change anything. With the registry settings also mentioned in the Microsoft support articles you can reconfigure existing .Net 2.0 applications to use the default TLS protocol of the Windows installation. This allows users to enable TLS 1.2 support for basically all versions of the Vault MSSCCI-Provider. (We still use Vault 9.1 and it worked perfectly.)

I just published a FAQ text for the Ivercy website describing the problem and the solution: Using Ivercy with the Sourcegear Vault MSSCCI-Provider and TLS 1.2

jclausius
Posts: 3706
Joined: Tue Dec 16, 2003 1:17 pm
Location: SourceGear
Contact:

Re: Cannot connect to server over TLS 1.2 with MSSCCI-API

Post by jclausius » Thu Sep 03, 2020 2:58 pm

Hi Phil,

Wow! Great detective work. I apologize I missed that about a .NET 2.0 Service Pack for non-legacy Windows operating systems. In regards to Legacy Windows Systems, if there's some client still running Windows XP or Windows Vista (Release or SP1), they will not be able to connect to IIS Servers configured for TLS 1.1/1.2 only, but as long as it still runs with SSL3/TLS 1.0, that is understood.

I've put a work item request for the build team to check that the .NET 2.0 Framework has been updated on the Build Server, and then try the code changes for all supported protocols (instead of that code which is only used during .NET 4.5 builds). If it compiles, and tests out on both Windows XP running the original .NET 2.0 Framework up to Windows 10 with earliest to latest Frameworks, we'll leave things in place, and may make an interim build available for those that ask. But until that time, users now have a work-around.

Many Thanks for the research, and for sharing with the Support Team / Forum.
Jeff Clausius
SourceGear

jclausius
Posts: 3706
Joined: Tue Dec 16, 2003 1:17 pm
Location: SourceGear
Contact:

Re: Cannot connect to server over TLS 1.2 with MSSCCI-API

Post by jclausius » Tue Sep 08, 2020 1:39 pm

Just to provide an update.

I made a build with the code changes Microsoft recommended in those 2 articles. While the resulting builds run on Windows 7, they crash within startup on Windows XP. So apparently it is not as simple as just adding in those changes suggested by Microsoft.

I've logged a feature request to merge those changes in with some other code to address the Windows XP issue for Vault 11. We should have a private, non-supported build in the upcoming weeks if anyone is interested.
Jeff Clausius
SourceGear

Post Reply