Cannot connect to server over TLS 1.2 with MSSCCI-API
Moderator: SourceGear
Cannot connect to server over TLS 1.2 with MSSCCI-API
Good afternoon,
We recently upgraded to Vault Standard 10 and are using Ivercy to connect to the Vault Server from Access 365 using the MSSCCI-API. Unfortunately we are unsuccessful in this and it appears to be because the VaultIDE.dll does not support a connection using TLS 1.2. Our internal security team requires me to configure our web server using TLS 1.2, so this is a show stopper for us.
I've installed both the "Vault GUI Client update for TLS 1.1/1.2" and the "Vault Command Line Client update for TLS 1.1/1.2", but neither of those update VaultIDE.dll. Is there a workaround for this?
We recently upgraded to Vault Standard 10 and are using Ivercy to connect to the Vault Server from Access 365 using the MSSCCI-API. Unfortunately we are unsuccessful in this and it appears to be because the VaultIDE.dll does not support a connection using TLS 1.2. Our internal security team requires me to configure our web server using TLS 1.2, so this is a show stopper for us.
I've installed both the "Vault GUI Client update for TLS 1.1/1.2" and the "Vault Command Line Client update for TLS 1.1/1.2", but neither of those update VaultIDE.dll. Is there a workaround for this?
Have a great day,
Cary Fleming
CentralSquare Technologies
Cary Fleming
CentralSquare Technologies
Re: Cannot connect to server over TLS 1.2 with MSSCCI-API
Hi Cary,
Below is the recommended deployment for TLS 1.1/1.2 :
a) Check and verify .NET Framework 4.5 is installed on each client.
b) Have the latest Vault Standard Client installed.
c) Download the Vault Standard - "Vault GUI Client update for TLS 1.1/1.2". This is a compressed .zip file.
d) You can extract that into a new directory you create under "\Program Files (x86)"
Can you please confirm the above has been completed? If so, please provide us with more information in regards to your issue (any errors you are receiving, etc). We'd also like to see your Vault Server log.
Thanks,
Tonya
Below is the recommended deployment for TLS 1.1/1.2 :
a) Check and verify .NET Framework 4.5 is installed on each client.
b) Have the latest Vault Standard Client installed.
c) Download the Vault Standard - "Vault GUI Client update for TLS 1.1/1.2". This is a compressed .zip file.
d) You can extract that into a new directory you create under "\Program Files (x86)"
Can you please confirm the above has been completed? If so, please provide us with more information in regards to your issue (any errors you are receiving, etc). We'd also like to see your Vault Server log.
Thanks,
Tonya
Re: Cannot connect to server over TLS 1.2 with MSSCCI-API
As I stated in my original post:
I've installed both the "Vault GUI Client update for TLS 1.1/1.2" and the "Vault Command Line Client update for TLS 1.1/1.2", but neither of those update VaultIDE.dll. Is there a workaround for this?
The GUI Client connects just fine, but the MSSCCI-API via VaultIDE.dll does NOT connect. I've attached the Vault log file that I was able to get VaultIDE.dll to create. It seems to indicate that it can't create a secure SSL/TLS channel to the server. That tells me that is contacted the server, but couldn't agree on a protocol. Our server is using TLS 1.2, which VaultIDE.dll doesn't seem to speak.
EDIT: There is nothing it the Vault Server's sgvault.log file for today, because it never got that far in the process. There is also nothing in the IIS log file, for the same reason, no connection could be successfully established.
I've installed both the "Vault GUI Client update for TLS 1.1/1.2" and the "Vault Command Line Client update for TLS 1.1/1.2", but neither of those update VaultIDE.dll. Is there a workaround for this?
The GUI Client connects just fine, but the MSSCCI-API via VaultIDE.dll does NOT connect. I've attached the Vault log file that I was able to get VaultIDE.dll to create. It seems to indicate that it can't create a secure SSL/TLS channel to the server. That tells me that is contacted the server, but couldn't agree on a protocol. Our server is using TLS 1.2, which VaultIDE.dll doesn't seem to speak.
EDIT: There is nothing it the Vault Server's sgvault.log file for today, because it never got that far in the process. There is also nothing in the IIS log file, for the same reason, no connection could be successfully established.
- Attachments
-
- VaultLog.txt
- (4.26 KiB) Downloaded 1166 times
Have a great day,
Cary Fleming
CentralSquare Technologies
Cary Fleming
CentralSquare Technologies
Re: Cannot connect to server over TLS 1.2 with MSSCCI-API
Hello again,
Unfortunately, the MSSCCI client is designed for .NET 2.0 will only run TLS 1.0. TLS 1.2 is not yet supported. I will get this logged as a request to be considered in an upcoming release.
Tonya
Unfortunately, the MSSCCI client is designed for .NET 2.0 will only run TLS 1.0. TLS 1.2 is not yet supported. I will get this logged as a request to be considered in an upcoming release.
Tonya
Re: Cannot connect to server over TLS 1.2 with MSSCCI-API
TLS 1.0 has been deprecated for more than a year by most companies. This is a showstopper for us, and may require us to move to different SCC software, which I really don't want to do. I'd hate to lose all of our history just because our SCC provider doesn't keep up with the prevailing security requirements of the internet.
Have a great day,
Cary Fleming
CentralSquare Technologies
Cary Fleming
CentralSquare Technologies
Re: Cannot connect to server over TLS 1.2 with MSSCCI-API
Hello again,
We are currently working on Vault 11 and this option will be considered. Unfortunately, I don't have a release date yet that I can confirm.
Tonya
We are currently working on Vault 11 and this option will be considered. Unfortunately, I don't have a release date yet that I can confirm.
Tonya
Re: Cannot connect to server over TLS 1.2 with MSSCCI-API
TLS 1.0 was deprecated when Vault 10 was released. You've released patches for the GUI and command-line clients, why not the MSSCCI client?
Have a great day,
Cary Fleming
CentralSquare Technologies
Cary Fleming
CentralSquare Technologies
Re: Cannot connect to server over TLS 1.2 with MSSCCI-API
The MSSCCI client original design and purpose was to work with dev tools like Visual Basic 6, Visual C/C++ Dev Studio, and Visual Studio 2003.NET (it has roots in .NET 2.0). Until recently, we had not heard of others integrating the Classic client with things like MS Access or Ivercy.
We do have plans to update some of these features in Vault 11.
Tonya
We do have plans to update some of these features in Vault 11.
Tonya
Re: Cannot connect to server over TLS 1.2 with MSSCCI-API
Hi!
FYI: I am the owner of Ivercy. We highly recommend Sourcegear Vault to our customers. It is slightly disappointing that a security related issue like the deprecation of the old TLS protocols appears to have little priority at Sourcegear.
Another FYI:
To my knowledge Microsoft SQL Server Management Studio (current version!) also depends on the MSSCCI-API to integrate Sourcegear Vault. I'm not aware of a way to use the Vault Enhanced Client with it. Your own Getting started with Vault Visual Studio Clients guide only mentions the classic client for SSMS.
We ourselves plan a server migration in the near future which probably will also make TLS 1.2 mandatory.
See:
https://support.microsoft.com/en-us/hel ... -framework
https://support.microsoft.com/en-us/hel ... -framework
Best regards,
Philipp
FYI: I am the owner of Ivercy. We highly recommend Sourcegear Vault to our customers. It is slightly disappointing that a security related issue like the deprecation of the old TLS protocols appears to have little priority at Sourcegear.
Another FYI:
To my knowledge Microsoft SQL Server Management Studio (current version!) also depends on the MSSCCI-API to integrate Sourcegear Vault. I'm not aware of a way to use the Vault Enhanced Client with it. Your own Getting started with Vault Visual Studio Clients guide only mentions the classic client for SSMS.
We ourselves plan a server migration in the near future which probably will also make TLS 1.2 mandatory.
Tonya, please escalate this issue to your development team. The fact that the MSSCCI client is developed in .Net 2.0 on its own is not a valid reason to not support TLS 1.2. Microsoft released patches for .Net 2.0 and 3.5.1 to enabled TLS 1.2 for applications build against those framework versions.Tonya wrote:Unfortunately, the MSSCCI client is designed for .NET 2.0 will only run TLS 1.0. TLS 1.2 is not yet supported.
See:
https://support.microsoft.com/en-us/hel ... -framework
https://support.microsoft.com/en-us/hel ... -framework
Best regards,
Philipp
Re: Cannot connect to server over TLS 1.2 with MSSCCI-API
Hi Philipp,
As mentioned, we had not been requested for TLS 1.1/1.2 before Cary's post by anyone. And weren't really sure we would as most folks are using the Vault Classic client in "Classic" development scenarios, such as FoxPro, VB6 and C/C++ Developer Studio.
Changing support for a new .NET version is not merely a re-compilation of the Classic Client to a new .NET target. I had mentioned this in a different thread ( viewtopic.php?f=5&t=23496 ). As you probably know, the 1.3 MSSCCI specification (while over a decade old) is a native DLL. In order to use the existing Vault DLLs, this native DLL has to load the .NET runtime into the host process, which is quite different from targeting a different .NET version during compilation.
We do take the elimination of SSL 3/TLS 1.0 as a serious issue, and will be researching methods in order to not only load later versions of various .NET runtimes (thereby adding TLS 1.1/1.2 support), but also find a way to add support for 64-bit applications as well in the next planned release - Vault 11.
We appreciate the support from Ivercy, and thank you for working with SourceGear Vault.
As mentioned, we had not been requested for TLS 1.1/1.2 before Cary's post by anyone. And weren't really sure we would as most folks are using the Vault Classic client in "Classic" development scenarios, such as FoxPro, VB6 and C/C++ Developer Studio.
Changing support for a new .NET version is not merely a re-compilation of the Classic Client to a new .NET target. I had mentioned this in a different thread ( viewtopic.php?f=5&t=23496 ). As you probably know, the 1.3 MSSCCI specification (while over a decade old) is a native DLL. In order to use the existing Vault DLLs, this native DLL has to load the .NET runtime into the host process, which is quite different from targeting a different .NET version during compilation.
We do take the elimination of SSL 3/TLS 1.0 as a serious issue, and will be researching methods in order to not only load later versions of various .NET runtimes (thereby adding TLS 1.1/1.2 support), but also find a way to add support for 64-bit applications as well in the next planned release - Vault 11.
We appreciate the support from Ivercy, and thank you for working with SourceGear Vault.
PhilS wrote: ↑Sat Aug 15, 2020 3:22 amHi!
FYI: I am the owner of Ivercy. We highly recommend Sourcegear Vault to our customers. It is slightly disappointing that a security related issue like the deprecation of the old TLS protocols appears to have little priority at Sourcegear.
Another FYI:
To my knowledge Microsoft SQL Server Management Studio (current version!) also depends on the MSSCCI-API to integrate Sourcegear Vault. I'm not aware of a way to use the Vault Enhanced Client with it. Your own Getting started with Vault Visual Studio Clients guide only mentions the classic client for SSMS.
We ourselves plan a server migration in the near future which probably will also make TLS 1.2 mandatory.
Tonya, please escalate this issue to your development team. The fact that the MSSCCI client is developed in .Net 2.0 on its own is not a valid reason to not support TLS 1.2. Microsoft released patches for .Net 2.0 and 3.5.1 to enabled TLS 1.2 for applications build against those framework versions.Tonya wrote:Unfortunately, the MSSCCI client is designed for .NET 2.0 will only run TLS 1.0. TLS 1.2 is not yet supported.
See:
https://support.microsoft.com/en-us/hel ... -framework
https://support.microsoft.com/en-us/hel ... -framework
Best regards,
Philipp
Jeff Clausius
SourceGear
SourceGear
Re: Cannot connect to server over TLS 1.2 with MSSCCI-API
Hi Jeff!
Thank you very much for your reply. I highly appreciate that our are planning to modernize the Vault MSSCCI-Provider for Vault 11, particularly for x64 support.
As for the TLS 1.2 issue, it appears you missed the most important part of my post:
I now reconfigured our Vault server to enforce TLS 1.2 encryption for HTTPS. I can confirm that the .Net Runtime 2.0 does support TLS 1.2 connections with the updates I mentioned in my previous post applied. So, you could recompile the Vault MSSCCI-Provider with minor code changes to support TLS 1.2.
However, even more important, you do not even have to change anything. With the registry settings also mentioned in the Microsoft support articles you can reconfigure existing .Net 2.0 applications to use the default TLS protocol of the Windows installation. This allows users to enable TLS 1.2 support for basically all versions of the Vault MSSCCI-Provider. (We still use Vault 9.1 and it worked perfectly.)
I just published a FAQ text for the Ivercy website describing the problem and the solution: Using Ivercy with the Sourcegear Vault MSSCCI-Provider and TLS 1.2
Thank you very much for your reply. I highly appreciate that our are planning to modernize the Vault MSSCCI-Provider for Vault 11, particularly for x64 support.
As for the TLS 1.2 issue, it appears you missed the most important part of my post:
I didn't want to stress that more in case my assumptions were incorrect. - That is the reason for this reply being delayed by more than two weeks.PhilS wrote:The fact that the MSSCCI client is developed in .Net 2.0 on its own is not a valid reason to not support TLS 1.2. Microsoft released patches for .Net 2.0 and 3.5.1 to enabled TLS 1.2 for applications build against those framework versions.
I now reconfigured our Vault server to enforce TLS 1.2 encryption for HTTPS. I can confirm that the .Net Runtime 2.0 does support TLS 1.2 connections with the updates I mentioned in my previous post applied. So, you could recompile the Vault MSSCCI-Provider with minor code changes to support TLS 1.2.
However, even more important, you do not even have to change anything. With the registry settings also mentioned in the Microsoft support articles you can reconfigure existing .Net 2.0 applications to use the default TLS protocol of the Windows installation. This allows users to enable TLS 1.2 support for basically all versions of the Vault MSSCCI-Provider. (We still use Vault 9.1 and it worked perfectly.)
I just published a FAQ text for the Ivercy website describing the problem and the solution: Using Ivercy with the Sourcegear Vault MSSCCI-Provider and TLS 1.2
Re: Cannot connect to server over TLS 1.2 with MSSCCI-API
Hi Phil,
Wow! Great detective work. I apologize I missed that about a .NET 2.0 Service Pack for non-legacy Windows operating systems. In regards to Legacy Windows Systems, if there's some client still running Windows XP or Windows Vista (Release or SP1), they will not be able to connect to IIS Servers configured for TLS 1.1/1.2 only, but as long as it still runs with SSL3/TLS 1.0, that is understood.
I've put a work item request for the build team to check that the .NET 2.0 Framework has been updated on the Build Server, and then try the code changes for all supported protocols (instead of that code which is only used during .NET 4.5 builds). If it compiles, and tests out on both Windows XP running the original .NET 2.0 Framework up to Windows 10 with earliest to latest Frameworks, we'll leave things in place, and may make an interim build available for those that ask. But until that time, users now have a work-around.
Many Thanks for the research, and for sharing with the Support Team / Forum.
Wow! Great detective work. I apologize I missed that about a .NET 2.0 Service Pack for non-legacy Windows operating systems. In regards to Legacy Windows Systems, if there's some client still running Windows XP or Windows Vista (Release or SP1), they will not be able to connect to IIS Servers configured for TLS 1.1/1.2 only, but as long as it still runs with SSL3/TLS 1.0, that is understood.
I've put a work item request for the build team to check that the .NET 2.0 Framework has been updated on the Build Server, and then try the code changes for all supported protocols (instead of that code which is only used during .NET 4.5 builds). If it compiles, and tests out on both Windows XP running the original .NET 2.0 Framework up to Windows 10 with earliest to latest Frameworks, we'll leave things in place, and may make an interim build available for those that ask. But until that time, users now have a work-around.
Many Thanks for the research, and for sharing with the Support Team / Forum.
Jeff Clausius
SourceGear
SourceGear
Re: Cannot connect to server over TLS 1.2 with MSSCCI-API
Just to provide an update.
I made a build with the code changes Microsoft recommended in those 2 articles. While the resulting builds run on Windows 7, they crash within startup on Windows XP. So apparently it is not as simple as just adding in those changes suggested by Microsoft.
I've logged a feature request to merge those changes in with some other code to address the Windows XP issue for Vault 11. We should have a private, non-supported build in the upcoming weeks if anyone is interested.
I made a build with the code changes Microsoft recommended in those 2 articles. While the resulting builds run on Windows 7, they crash within startup on Windows XP. So apparently it is not as simple as just adding in those changes suggested by Microsoft.
I've logged a feature request to merge those changes in with some other code to address the Windows XP issue for Vault 11. We should have a private, non-supported build in the upcoming weeks if anyone is interested.
Jeff Clausius
SourceGear
SourceGear