
The request was aborted: Could not create SSL/TLS secure channel after running hardening script #3222

Closed
Wolvverine opened this issue Jun 21, 2023 · 16 comments

Comments

@Wolvverine

Checklist

  • I have verified this is the correct repository for opening this issue.
  • I have verified no other issues exist related to my problem.
  • I have verified this is not an issue for a specific package.
  • I have verified this issue is not security related.

What You Are Seeing?

After the last Chocolatey upgrade:
Unable to load the service index for source https://chocolatey.org/api/v2/.

Get-TlsCipherSuite | Format-Table Name

Name

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA

TLS 1.2 and 1.3 are set on system.

What is Expected?

upgrade/install packages

How Did You Get This To Happen?

choco upgrade all -y
choco upgrade all -y -debug -trace

System Details

  • Operating System: 10.0.19045.0
  • Windows PowerShell version:

$PSVersionTable

Name Value


PSVersion 7.3.4
PSEdition Core
GitCommitId 7.3.4
OS Microsoft Windows 10.0.19045
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0

  • Chocolatey CLI Version:

choco --version

2.0.0

  • Chocolatey Licensed Extension version:

choco list chocolatey.extension --exact

Chocolatey v2.0.0
0 packages installed.

  • Terminal/Emulator:
    cmd, cmder

Installed Packages

# choco list
Chocolatey v2.0.0
3dslicer 5.2.2.31382
7zip 22.1.0
7zip.commandline 16.2.0.20170209
7zip.install 22.1.0
7zip.portable 22.1.0
adobeair 50.2.1.1
AdoptOpenJDK 16.0.1.901
AdoptOpenJDKjre 16.0.1.901
alldup 4.4.56
android-log-viewer 1.2.2
android-sdk 26.1.1
audacity 3.3.3
audio-router 0.10.2
authy-desktop 2.3.0
autodesk-fusion360 2.0.16486
autohotkey 1.1.36.2
autohotkey.install 1.1.36.2
autohotkey.portable 2.0.2
avidemux 2.8.1
bca-docker 0.3.0
brl-cad 7.32.2
burnawarefree 15.8.0
ccleaner 6.13.10517
charles4 4.6.4
choco-cleaner 1.1.0
chocolatey 2.0.0
chocolatey-compatibility.extension 1.0.0
chocolatey-core.extension 1.4.0
chocolatey-dotnetfx.extension 1.0.1
chocolatey-fastanswers.extension 0.0.2.2
chocolatey-uninstall.extension 1.2.0
chocolatey-visualstudio.extension 1.11.0
chocolatey-vscode 0.7.2
chocolatey-vscode.extension 1.1.0
chocolatey-windowsupdate.extension 1.0.5
choco-package-list-backup 2023.6.2
clamwin 0.103.2.1
clink 0.4.9
cmake 3.26.4
cmake.install 3.26.4
Cmder 1.3.20
cmder.portable 1.1.4.102
ConEmu 22.12.18
cryptsync 1.4.4
cura 19.4.1
cura-new 5.3.0
dependency-windows10 99.99.99.99
desktopok 10.88.0
dip 4.2.3
disable-nvidia-telemetry 1.1.0.20190306
disableuac 0.0.3
discord 1.0.9005
discord.install 1.0.9005
docker-desktop 4.19.0
DotNet3.5 3.5.20160716
DotNet4.0 4.0.30319.20141222
DotNet4.5 4.5.20120822
DotNet4.5.1 4.5.1.20140606
DotNet4.5.2 4.5.2.20140902
DotNet4.6.1 4.6.1055.20170308
dotnet4.7 4.7.2053.20190226
dotnet-6.0-desktopruntime 6.0.18
dotnetfx 4.8.0.20220524
doublecmd 1.0.11
dropbox 176.4.5108
dupeguru 4.3.1
eagle 9.6.2
easy7zip 0.1.6
etcher 1.18.4
evernote 10.58.5
ext2fsd 0.69.0.20171118
ext2ifs 1.12.0
fiddler 5.0.20211.51073
finddupe 1.23.0.20170921
Firefox 114.0.1
forticlientvpn 7.0.1.83
foxitreader 12.1.2.15332
freecad 0.20.2.1
fsviewer 7.7.0
Ghostscript 10.0.0.20230317
Ghostscript.app 10.0.0.20230317
gimp 2.10.34
git 2.41.0
git.install 2.41.0
git-credential-manager-for-windows 1.20.0
git-credential-winstore 2.0.0.20151206
gitextensions 4.1.0
github-desktop 3.2.3
gns3 2.2.39
gnucash 5.1.0
google-backup-and-sync 99.99.99.99
GoogleChrome 114.0.5735.134
google-hangouts-chrome 2017.110.418.20
gpg4win 4.1.0
gpg4win-vanilla 2.3.4.20191021
grep 3.7.0
grepwin 2.0.15
gsmartcontrol 1.1.4
heidisql 12.5.0.6677
hostsman 4.7.105.20180405
ideamaker 4.3.2.6470
insomnia-rest-api-client 2023.2.2
javaruntime 8.0.231
jdk8 8.0.211
jivkok.SublimeText3.Packages 1.0.0.12
jre8 8.0.371
jubler 7.0.0
KB2919355 1.0.20160915
KB2919442 1.0.20160915
KB2999226 1.0.20181019
KB3033929 1.0.5
KB3035131 1.0.3
KB3063858 1.0.0
KB3118401 1.0.5
kdenlive 23.4.1
kdiff3 0.9.98.20220330
keepass 2.53.1
keepass.install 2.54.0
keepass-keeagent 0.8.1.20180426
keepass-plugin-1p2kp 0.2.1
keepass-plugin-autotypecustomfieldpicker 1.0.0
keepass-plugin-certkeyprovider 1.0.0
keepass-plugin-databasebackup 2.0.8.6
keepass-plugin-enhancedentryview 2.5.0
keepass-plugin-favicon 1.9.0
keepass-plugin-fieldsadminconsole 0.2.0
keepass-plugin-keeagent 0.13.5
keepass-plugin-keeanywhere 2.0.3
keepass-plugin-keeautoexec 2.6.0
keepass-plugin-keepassnatmsg 2.0.16
keepass-plugin-otpkeyprov 2.6.0
keepass-plugin-passwordcounter 0.1.0
keepass-plugin-qualitycolumn 1.2.0
keepass-plugin-qualityhighlighter 1.3.0.1
keepass-plugin-quickunlock 2.4.0
keepass-plugin-trayrecent 0.0.2
keepass-plugin-traytotp 2.0.0.5
keepassxc 2.7.5
kptransfer 3.0.0
lenovo-thinkvantage-system-update 5.8.1.9
libreoffice 5.4.4.20180111
librewolf 113.0.1.1
lycheeslicer 3.6.6
markdownpad.portable 2.5.0.27920
md5sums 1.2.0
media-preview 1.4.3
meshmixer 3.5.0.20230317
microsoft-teams 1.6.0.12455
mp3tag 3.21.0
mpc-hc 1.7.13.20180702
msys2 20230526.0.0
netfx-4.7.2 4.7.2
netscan 6.2.1.20161101
netscan64 5.4.9.20160330
nmap 7.93.0
nodejs.install 20.3.0
noscript 2.9.0.2
notepadplusplus 8.5.3
notepadplusplus.commandline 8.5.3
notepadplusplus.install 8.5.3
obs-studio 29.1.2
obs-studio.install 29.1.2
openssh 8.0.0.1
Opera 99.0.4788.65
patchcleaner 1.4.2
pdf-ifilter-64 11.0.1.20180614
poedit 2.4.2
PowerShell 5.1.14409.20180811
powershell-core 7.3.4
powershell-preview 7.2.4.20210411
processhacker 2.39.0
procmon 3.94.0
prusaslicer 2.5.0
puretext 6.2.0
putty 0.78.0
putty.portable 0.78.0
python 3.11.4
python3 3.11.4
python311 3.11.4
Quicktime 7.7.9.20161124
rdcman 2.92.1430
ruby 3.1.3.1
ruby.install 3.1.3.1
rufus 4.1.0
shadowcopyview 1.15.0
shadowexplorer 0.9.462
signal 6.20.2
Silverlight 5.1.50918
skydrive 16.4.20140630
skype 8.98.0.407
slic3r 1.3.0
slic3r-prusa 2.0.0.20201112
smartmontools 7.3.0
smplayer 22.7.0
speedtest 1.1.1.1
spybot 2.9.85.5
sublimetext3 3.2.2
SublimeText3.app 3.0.0.3065
SublimeText3.PackageControl 2.0.0.20140915
SublimeText3.PowershellAlias 0.1.0
superputty 1.5.0
superputty.install 1.5.0
superslicer 2.4.58.5
sweet-home-3d 7.1.0
teamviewer 15.42.8
telegram 4.8.3
telegram.install 4.8.3
Temurin 20.0.1.900
Temurinjre 20.0.1.900
thunderbird 102.12.0
tightvnc 2.8.81
tortoisegit 2.14.0.1
travis 1.11.1
urbackup-client 2.5.24
vagrant 2.3.6
vagrant-manager 1.0.0.6
vagrant-winrm-config 0.0.1
vcredist140 14.36.32532
vcredist2008 9.0.30729.616104
vcredist2010 10.0.40219.32503
vcredist2013 12.0.40660.20180427
vcredist2015 14.0.24215.20170201
vcredist2017 14.16.27033
veracrypt 1.25.9
vim 9.0.1632
virtualclonedrive 5.5.2
virtualdub2 0.0.44282
virt-viewer 11.0.256.1
vlc 3.0.18
vlc.install 3.0.18
vmware-powercli-psmodule 13.1.0.21624340
vmwarevsphereclient 6.0.0.9103891
vscode 1.79.1
vscode.install 1.79.1
vscode-csharpextensions 1.0.0.20180620
vscode-docker 1.0.0.20190907
vscode-editorconfig 1.0.0.20181011
vscode-gitattributes 0.4.1.20190310
vscode-gitignore 0.9.0
vscode-jscslinting 1.0.0.20181011
vscode-markdownlint 1.0.0.20181011
vscode-mssql 1.18.0
vscode-python 2022.19.13071014
WhatsApp 2.2325.3
windirstat 1.1.2.20161210
winfsp 2.0.23075
winmerge 2.16.30
winmtr-redux 1.0.0
WinPcap 4.1.3.20161116
winscp 6.1.0
winscp.install 6.1.0
wireshark 4.0.6
wixtoolset 3.11.2
wsl 1.0.1
wsl2 2.0.0.20210721
wsl-ubuntu-2004 20.4.0.20220127
XAMPP-74 7.4.29
XAMPP-80 8.0.19
XnView 2.51.2
yed 3.23.1
youtube-dl-gui 0.4.0
youtube-dl-gui.install 0.4.0
youtube-downloader 1.3.1
263 packages installed.

Output Log

Resolving resource ListResource for source https://chocolatey.org/api/v2/
System.Net Information: 0 : [25744] Associating HttpWebRequest#18270305 with ServicePoint#30215023
System.Net Information: 0 : [21904] Associating Connection#32493824 with HttpWebRequest#18270305
System.Net.Sockets Information: 0 : [15008] Socket#7039245 - Created connection from 192.168.1.107:42958 to 104.20.74.28:443.
System.Net Information: 0 : [15008] Connection#32493824 - Created connection from 192.168.1.107:42958 to 104.20.74.28:443.
System.Net Information: 0 : [15008] TlsStream#28620912::.ctor(host=chocolatey.org, #certs=0, checkCertificateRevocationList=False, sslProtocols=None)
System.Net Information: 0 : [15008] Associating HttpWebRequest#18270305 with ConnectStream#4966004
System.Net Information: 0 : [15008] HttpWebRequest#18270305 - Request: GET /api/v2/ HTTP/1.1

System.Net Information: 0 : [15008] ConnectStream#4966004 - Sending headers
{
X-NuGet-Session-Id: 0fdcfe58-b00f-461e-ac23-6c3959304c3d
user-agent: Chocolatey Command Line/2.0.0 via NuGet Client/6.4.1 (Microsoft Windows NT 10.0.19045.0)
X-NuGet-Client-Version: 6.4.1
Accept-Language: en-US
Host: chocolatey.org
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
}.
System.Net Information: 0 : [15008] SecureChannel#29660425::.ctor(hostname=chocolatey.org, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [15008] Enumerating security packages:
System.Net Information: 0 : [15008]     Negotiate
System.Net Information: 0 : [15008]     NegoExtender
System.Net Information: 0 : [15008]     Kerberos
System.Net Information: 0 : [15008]     NTLM
System.Net Information: 0 : [15008]     TSSSP
System.Net Information: 0 : [15008]     pku2u
System.Net Information: 0 : [15008]     CloudAP
System.Net Information: 0 : [15008]     WDigest
System.Net Information: 0 : [15008]     Schannel
System.Net Information: 0 : [15008]     Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [15008]     Default TLS SSP
System.Net Information: 0 : [15008]     CREDSSP
System.Net Information: 0 : [15008] SecureChannel#29660425 - Left with 0 client certificates to choose from.
System.Net Information: 0 : [15008] SecureChannel#29660425::.AcquireClientCredentials, new SecureCredential() (flags=(ValidateManual, NoDefaultCred, SendAuxRecord, UseStrongCrypto), m_ProtocolFlags=(Zero), m_EncryptionPolicy=RequireEncryption)
System.Net Information: 0 : [15008] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential2)
System.Net Information: 0 : [15008] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = chocolatey.org, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [15008] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=223, returned code=ContinueNeeded).
System.Net Information: 0 : [26012] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 195a7e3ee80:210ef987570, targetName = chocolatey.org, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [26012] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
System.Net Error: 0 : [26012] Exception in HttpWebRequest#18270305:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [26012] Exception in HttpWebRequest#18270305::EndGetResponse - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Information: 0 : [23020] Associating HttpWebRequest#15792590 with ServicePoint#30215023
System.Net Information: 0 : [21904] Associating Connection#53862262 with HttpWebRequest#15792590
System.Net.Sockets Information: 0 : [26012] Socket#4379270 - Created connection from 192.168.1.107:42959 to 104.20.74.28:443.
System.Net Information: 0 : [26012] Connection#53862262 - Created connection from 192.168.1.107:42959 to 104.20.74.28:443.
System.Net Information: 0 : [26012] TlsStream#11611713::.ctor(host=chocolatey.org, #certs=0, checkCertificateRevocationList=False, sslProtocols=None)
System.Net Information: 0 : [26012] Associating HttpWebRequest#15792590 with ConnectStream#63181400
System.Net Information: 0 : [26012] HttpWebRequest#15792590 - Request: GET /api/v2/ HTTP/1.1

System.Net Information: 0 : [26012] ConnectStream#63181400 - Sending headers
{
X-NuGet-Session-Id: 0fdcfe58-b00f-461e-ac23-6c3959304c3d
user-agent: Chocolatey Command Line/2.0.0 via NuGet Client/6.4.1 (Microsoft Windows NT 10.0.19045.0)
X-NuGet-Client-Version: 6.4.1
Accept-Language: en-US
Host: chocolatey.org
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
}.
System.Net Information: 0 : [26012] SecureChannel#341979::.ctor(hostname=chocolatey.org, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [26012] SecureChannel#341979 - Left with 0 client certificates to choose from.
System.Net Information: 0 : [26012] Using the cached credential handle.
System.Net Information: 0 : [26012] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = chocolatey.org, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [26012] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=223, returned code=ContinueNeeded).
System.Net Information: 0 : [20732] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 195a7e3ee80:210ef987330, targetName = chocolatey.org, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [20732] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
System.Net Error: 0 : [20732] Exception in HttpWebRequest#15792590:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [20732] Exception in HttpWebRequest#15792590::EndGetResponse - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Information: 0 : [23020] Associating HttpWebRequest#61122626 with ServicePoint#30215023
System.Net Information: 0 : [18876] Associating Connection#57365028 with HttpWebRequest#61122626
System.Net.Sockets Information: 0 : [20732] Socket#20447620 - Created connection from 192.168.1.107:42961 to 104.20.74.28:443.
System.Net Information: 0 : [20732] Connection#57365028 - Created connection from 192.168.1.107:42961 to 104.20.74.28:443.
System.Net Information: 0 : [20732] TlsStream#48339626::.ctor(host=chocolatey.org, #certs=0, checkCertificateRevocationList=False, sslProtocols=None)
System.Net Information: 0 : [20732] Associating HttpWebRequest#61122626 with ConnectStream#19831459
System.Net Information: 0 : [20732] HttpWebRequest#61122626 - Request: GET /api/v2/ HTTP/1.1

System.Net Information: 0 : [20732] ConnectStream#19831459 - Sending headers
{
X-NuGet-Session-Id: 0fdcfe58-b00f-461e-ac23-6c3959304c3d
user-agent: Chocolatey Command Line/2.0.0 via NuGet Client/6.4.1 (Microsoft Windows NT 10.0.19045.0)
X-NuGet-Client-Version: 6.4.1
Accept-Language: en-US
Host: chocolatey.org
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
}.
System.Net Information: 0 : [20732] SecureChannel#32217408::.ctor(hostname=chocolatey.org, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [20732] SecureChannel#32217408 - Left with 0 client certificates to choose from.
System.Net Information: 0 : [20732] Using the cached credential handle.
System.Net Information: 0 : [20732] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = chocolatey.org, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [20732] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=223, returned code=ContinueNeeded).
System.Net Information: 0 : [26012] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 195a7e3ee80:210f02c05d0, targetName = chocolatey.org, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [26012] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
System.Net Error: 0 : [26012] Exception in HttpWebRequest#61122626:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [26012] Exception in HttpWebRequest#61122626::EndGetResponse - The request was aborted: Could not create SSL/TLS secure channel..
Unable to load the service index for source https://chocolatey.org/api/v2/.

Additional Context

No response

@Wolvverine Wolvverine added the Bug label Jun 21, 2023
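The System.Net trace in the issue body is long, and the useful information is the sequence of InitializeSecurityContext results for each handshake. The following script is an added example, not part of the issue or of Chocolatey: it walks a trace of that shape, groups the calls by the SecureChannel they belong to, and reports where each handshake stopped. The sample lines are copied from the issue's own log (trimmed to the relevant ones); the function names and the interpretation text are the editor's.

```powershell
# Added example, not part of the issue or of Chocolatey: summarises a .NET
# System.Net trace such as the one above so the failing handshake step is
# visible without reading every line. The sample below is taken from the
# issue's own log, trimmed to the lines that matter.
$sampleTrace = @'
System.Net Information: 0 : [15008] TlsStream#28620912::.ctor(host=chocolatey.org, #certs=0, checkCertificateRevocationList=False, sslProtocols=None)
System.Net Information: 0 : [15008] SecureChannel#29660425::.ctor(hostname=chocolatey.org, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [15008] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=223, returned code=ContinueNeeded).
System.Net Information: 0 : [26012] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
System.Net Error: 0 : [26012] Exception in HttpWebRequest#18270305:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [26012] Exception in HttpWebRequest#18270305::EndGetResponse - The request was aborted: Could not create SSL/TLS secure channel..
'@

function ConvertFrom-SystemNetTrace {
    # Walks the trace in order: a SecureChannel constructor opens a handshake,
    # each InitializeSecurityContext result is one step of it, and the first
    # "Could not create SSL/TLS secure channel" error closes it as failed.
    param([Parameter(Mandatory)][string[]]$Lines)
    $handshakes = [System.Collections.Generic.List[object]]::new()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match 'SecureChannel#\d+::\.ctor\(hostname=([^,)]+)') {
            if ($current) { $handshakes.Add($current) }
            $current = [pscustomobject]@{ Host = $Matches[1]; Steps = @(); Outcome = 'incomplete' }
        }
        elseif ($current -and $line -match 'InitializeSecurityContext\(In-Buffers? (?:length|count)=(\d+), Out-Buffer length=(\d+), returned code=(\w+)\)') {
            # First call: no input, ClientHello produced (Out-Buffer length > 0).
            # Later calls: server flight consumed (In-Buffers count > 0).
            $current.Steps += [pscustomobject]@{ InBuffers = [int]$Matches[1]; OutBytes = [int]$Matches[2]; Code = $Matches[3] }
            if ($Matches[3] -eq 'OK') { $current.Outcome = 'established' }
        }
        elseif ($current -and $line -match 'Could not create SSL/TLS secure channel') {
            $last = if ($current.Steps.Count) { $current.Steps[-1].Code } else { 'no handshake step' }
            $current.Outcome = "failed ($last)"
            $handshakes.Add($current)
            $current = $null   # the second, EndGetResponse copy of the same error is ignored
        }
    }
    if ($current) { $handshakes.Add($current) }
    return $handshakes
}

function Get-HandshakeDiagnosis {
    # Turns the step list into a one-line reading; the IllegalMessage case is
    # the pattern seen in this issue.
    param([Parameter(Mandatory)]$Handshake)
    $steps = $Handshake.Steps
    if ($Handshake.Outcome -eq 'established') { return 'handshake completed' }
    if ($steps.Count -ge 2 -and $steps[0].OutBytes -gt 0 -and $steps[1].InBuffers -gt 0 -and $steps[1].Code -eq 'IllegalMessage') {
        return 'ClientHello was sent; Schannel rejected the server reply (IllegalMessage, what it reports when the reply is an alert or a message it cannot process). Nothing past the first flight ran, so check the client protocol/cipher configuration before looking at trust or proxy settings.'
    }
    return "handshake stopped after step $($steps.Count) with outcome: $($Handshake.Outcome)"
}

# Run it over the sample (or over Get-Content of a saved trace file).
$result = ConvertFrom-SystemNetTrace -Lines ($sampleTrace -split "`r?`n")
foreach ($h in $result) {
    '{0}: {1} -> {2}' -f $h.Host, ($h.Steps.Code -join ' / '), $h.Outcome
    Get-HandshakeDiagnosis -Handshake $h
}
```

For the sample this prints `chocolatey.org: ContinueNeeded / IllegalMessage -> failed (IllegalMessage)` followed by the diagnosis line; the same shape (one 223-byte ClientHello out, then IllegalMessage on the server's reply) repeats for all three requests in the full log, which is why the later comments focus on the client's Schannel settings rather than on the server certificate.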
@gep13
Member

gep13 commented Jun 23, 2023

@Wolvverine just to confirm... do you have any sort of proxy in play within your environment?

I am not aware of any reported problems in this area.

Could you additionally confirm what the output from the following command is on your system:

choco source list

@Wolvverine
Author

choco source list

Chocolatey v2.0.0
chocolatey - https://chocolatey.org/api/v2/ | Priority 0|Bypass Proxy - False|Self-Service - False|Admin Only - False.

Do you have any sort of proxy in play within your environment?
No.

choco config
Chocolatey v2.0.0
cacheLocation = c:\Windows\Temp | Cache location if not TEMP folder. Replaces $env:TEMP value for choco.exe process. It is highly recommended this be set to make Chocolatey more deterministic in cleanup.
commandExecutionTimeoutSeconds = 2700 | Default timeout for command execution. '0' for infinite (starting in 0.10.4).
containsLegacyPackageInstalls = true | Install has packages installed prior to 0.9.9 series.
defaultPushSource = | Default source to push packages to when running 'choco push' command.
defaultTemplateName = | Default template name used when running 'choco new' command.
proxy = | Explicit proxy location.
proxyBypassList = | Optional proxy bypass list. Comma separated.
proxyBypassOnLocal = true | Bypass proxy for local connections.
proxyPassword = | Optional proxy password. Encrypted.
proxyUser = | Optional proxy user.
upgradeAllExceptions = | A comma-separated list of package names that should not be upgraded when running `choco upgrade all'. Defaults to empty.
webRequestTimeoutSeconds = 30 | Default timeout for web requests.

@gep13
Member

gep13 commented Jun 30, 2023

@Wolvverine this shouldn't make any difference, but what happens if you attempt to use https://community.chocolatey.org/api/v2/, rather than https://chocolatey.org/api/v2/?

@Wolvverine
Author

The same.

@gep13
Member

gep13 commented Jul 1, 2023

@Wolvverine are you familiar with how to use Fiddler? https://www.telerik.com/fiddler. It would be very useful to see the outgoing requests and responses when this happens, in order to try to track down exactly what is going on.

Is this something you would be able to help provide?

@Wolvverine
Author

Wolvverine commented Jul 2, 2023

It seems that chocolatey servers do not support strong cipher sets for TLS/SSL.

The Windows 10/11 hardened system uses:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA

Chocolatey servers use:
RSASSA-PSS with SHA-256
RSASSA-PSS with SHA-384
RSASSA-PSS with SHA-512
RSASSA-PKCS1-v1_5 with SHA-256
RSASSA-PKCS1-v1_5 with SHA-384
RSASSA-PKCS1-v1_5 with SHA-1
ECDSA with SHA-256
ECDSA with SHA-384
ECDSA with SHA-1
DSA with SHA-1
RSASSA-PKCS1-v1_5 with SHA-512
ECDSA with SHA-512

image

https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-10-v1903

https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel

@gep13
Member

gep13 commented Jul 2, 2023

@Wolvverine where is that screenshot taken from? Also, can you confirm the same against community.chocolatey.org?

@Wolvverine
Author

Charles (a Fiddler-similar app)

@gep13
Member

gep13 commented Jul 3, 2023

@Wolvverine thank you for confirming!

In an earlier comment, you mentioned:

The Windows 10/11 hardened system uses:

Can you confirm which operating system you are actually using? Is it Windows 10, or is it Windows 11? Also, what process have you followed to harden the operating system?

Can you also confirm that if you revert back to the previous version of Chocolatey CLI, i.e. 1.4.0, that things start working again?

Further, looking at the report from ssllabs for community.chocolatey.org, I get the following results:

image

Which includes a number of the cipher suites that you say your system requires.

@gep13
Member

gep13 commented Jul 3, 2023

@Wolvverine I have put together a short video of how to look at the request/responses that are being used by the Chocolatey CLI in this short video:

https://youtu.be/z4CwJ-MF7ik

It would be great if you could have a watch of that video, and then grab the session archive at the time you are seeing the problem in Chocolatey CLI.

Let me know here if you run into any problems with grabbing the required information. Thanks!

@Wolvverine
Author

Wolvverine commented Jul 3, 2023

Windows 10 Enterprise

###### Enable TLS 1.2
$SChannelRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
New-Item $SChannelRegPath"\TLS 1.2\Server" -Force
New-Item $SChannelRegPath"\TLS 1.2\Client" -Force

New-ItemProperty -Path $SChannelRegPath"\TLS 1.2\Server" -Name Enabled -Value 1 -PropertyType DWORD
Set-ItemProperty -Path $SChannelRegPath"\TLS 1.2\Server" -Name Enabled -Value 1
New-ItemProperty -Path $SChannelRegPath"\TLS 1.2\Server" -Name DisabledByDefault -Value 0 -PropertyType DWORD
Set-ItemProperty -Path $SChannelRegPath"\TLS 1.2\Server" -Name DisabledByDefault -Value 0

New-ItemProperty -Path $SChannelRegPath"\TLS 1.2\Client" -Name Enabled -Value 1 -PropertyType DWORD
Set-ItemProperty -Path $SChannelRegPath"\TLS 1.2\Client" -Name Enabled -Value 1
New-ItemProperty -Path $SChannelRegPath"\TLS 1.2\Client" -Name DisabledByDefault -Value 0 -PropertyType DWORD
Set-ItemProperty -Path $SChannelRegPath"\TLS 1.2\Client" -Name DisabledByDefault -Value 0

###### Enable TLS 1.3
New-Item $SChannelRegPath"\TLS 1.3\Server" -Force
New-Item $SChannelRegPath"\TLS 1.3\Client" -Force

New-ItemProperty -Path $SChannelRegPath"\TLS 1.3\Server" -Name Enabled -Value 1 -PropertyType DWORD
Set-ItemProperty -Path $SChannelRegPath"\TLS 1.3\Server" -Name Enabled -Value 1
New-ItemProperty -Path $SChannelRegPath"\TLS 1.3\Server" -Name DisabledByDefault -Value 0 -PropertyType DWORD
Set-ItemProperty -Path $SChannelRegPath"\TLS 1.3\Server" -Name DisabledByDefault -Value 0

New-ItemProperty -Path $SChannelRegPath"\TLS 1.3\Client" -Name Enabled -Value 1 -PropertyType DWORD
Set-ItemProperty -Path $SChannelRegPath"\TLS 1.3\Client" -Name Enabled -Value 1
New-ItemProperty -Path $SChannelRegPath"\TLS 1.3\Client" -Name DisabledByDefault -Value 0 -PropertyType DWORD
Set-ItemProperty -Path $SChannelRegPath"\TLS 1.3\Client" -Name DisabledByDefault -Value 0

###### Enable TLS 1.2 and 1.3 only for WinHTTP
##### https://learn.microsoft.com/en-us/answers/questions/348388/windows-10-tls-1-3-enablement-registry-keys

$WinhttpRegPath1="HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
New-ItemProperty -Path $WinhttpRegPath1 -Name DefaultSecureProtocols -Value 10240 -PropertyType DWORD
Set-ItemProperty -Path $WinhttpRegPath1 -Name DefaultSecureProtocols -Value 10240

$WinhttpRegPath2="HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
New-ItemProperty -Path $WinhttpRegPath2"\WinHttp" -Name DefaultSecureProtocols -Value 10240 -PropertyType DWORD
Set-ItemProperty -Path $WinhttpRegPath2"\WinHttp" -Name DefaultSecureProtocols -Value 10240

New-ItemProperty -Path $WinhttpRegPath2"\WinHttp" -Name SecureProtocols -Value 10240 -PropertyType DWORD
Set-ItemProperty -Path $WinhttpRegPath2"\WinHttp" -Name SecureProtocols -Value 10240
###### Configuring .Net applications to use TLS 1.2
$RegPath1 = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319"
New-ItemProperty -path $RegPath1 -name SystemDefaultTlsVersions -value 1 -PropertyType DWORD
Set-ItemProperty -path $RegPath1 -name SystemDefaultTlsVersions -value 1
New-ItemProperty -path $RegPath1 -name SchUseStrongCrypto -value 1 -PropertyType DWORD
Set-ItemProperty -path $RegPath1 -name SchUseStrongCrypto -value 1

$RegPath3 = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.5.23026"
New-ItemProperty -path $RegPath3 -name SystemDefaultTlsVersions -value 1 -PropertyType DWORD
Set-ItemProperty -path $RegPath3 -name SystemDefaultTlsVersions -value 1
New-ItemProperty -path $RegPath3 -name SchUseStrongCrypto -value 1 -PropertyType DWORD
Set-ItemProperty -path $RegPath3 -name SchUseStrongCrypto -value 1

$RegPath2 = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"
New-ItemProperty -path $RegPath2 -name SystemDefaultTlsVersions -value 1 -PropertyType DWORD
Set-ItemProperty -path $RegPath2 -name SystemDefaultTlsVersions -value 1
New-ItemProperty -path $RegPath2 -name SchUseStrongCrypto -value 1 -PropertyType DWORD
Set-ItemProperty -path $RegPath2 -name SchUseStrongCrypto -value 1

[Enum]::GetNames([Net.SecurityProtocolType]) -contains 'Tls12'
[System.Net.ServicePointManager]::SecurityProtocol.HasFlag([Net.SecurityProtocolType]::Tls12)
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
[Net.SecurityProtocolType]
[enum]::GetNames([Net.SecurityProtocolType])


#### Disable TLS 1.0 and TLS 1.1
New-Item $SChannelRegPath -Name "TLS 1.0" -Force
New-Item $SChannelRegPath"\TLS 1.0" -Name SERVER -Force
New-ItemProperty -Path $SChannelRegPath"\TLS 1.0\SERVER" -Name Enabled -Value 0 -PropertyType DWORD
Set-ItemProperty -Path $SChannelRegPath"\TLS 1.0\SERVER" -Name Enabled -Value 0

New-Item $SChannelRegPath"\TLS 1.1\Server" -Force
New-Item $SChannelRegPath"\TLS 1.1\Client" -Force
New-ItemProperty -Path $SChannelRegPath"\TLS 1.1\Server" -Name Enabled -Value 0 -PropertyType DWORD
Set-ItemProperty -Path $SChannelRegPath"\TLS 1.1\Server" -Name Enabled -Value 0
New-ItemProperty -Path $SChannelRegPath"\TLS 1.1\Server" -Name DisabledByDefault -Value 0 -PropertyType DWORD
Set-ItemProperty -Path $SChannelRegPath"\TLS 1.1\Server" -Name DisabledByDefault -Value 0

New-ItemProperty -Path $SChannelRegPath"\TLS 1.1\Client" -Name Enabled -Value 0 -PropertyType DWORD
Set-ItemProperty -Path $SChannelRegPath"\TLS 1.1\Client" -Name Enabled -Value 0
New-ItemProperty -Path $SChannelRegPath"\TLS 1.1\Client" -Name DisabledByDefault -Value 0 -PropertyType DWORD
Set-ItemProperty -Path $SChannelRegPath"\TLS 1.1\Client" -Name DisabledByDefault -Value 0


#####  Disable weak ciphers and algorithms
Disable-TlsCipherSuite -Name "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
Disable-TlsCipherSuite -Name "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_256_GCM_SHA384"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_128_GCM_SHA256"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_256_CBC_SHA256"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_128_CBC_SHA256"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_256_CBC_SHA"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_128_CBC_SHA"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
Disable-TlsCipherSuite -Name "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"
Disable-TlsCipherSuite -Name "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"
Disable-TlsCipherSuite -Name "TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
Disable-TlsCipherSuite -Name "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
Disable-TlsCipherSuite -Name "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_RC4_128_SHA"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_RC4_128_MD5"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_NULL_SHA256"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_NULL_SHA"
Disable-TlsCipherSuite -Name "TLS_PSK_WITH_AES_256_GCM_SHA384"
Disable-TlsCipherSuite -Name "TLS_PSK_WITH_AES_128_GCM_SHA256"
Disable-TlsCipherSuite -Name "TLS_PSK_WITH_AES_256_CBC_SHA384"
Disable-TlsCipherSuite -Name "TLS_PSK_WITH_AES_128_CBC_SHA256"
Disable-TlsCipherSuite -Name "TLS_PSK_WITH_NULL_SHA384"
Disable-TlsCipherSuite -Name "TLS_PSK_WITH_NULL_SHA256"


$HTTPRegPath = "HKLM:\SYSTEM\CurrentControlSet\services\HTTP\Parameters"
### Enable TLS order Http2
New-ItemProperty -Path $HTTPRegPath -PropertyType 'DWORD' -Name 'EnableHttp2Tls' -Value '1'
Set-ItemProperty -Path $HTTPRegPath -Name 'EnableHttp2Tls' -Value '1'

### TLS 1.3
New-ItemProperty -Path $HTTPRegPath -PropertyType 'DWORD' -Name 'EnableHttp3' -Value '1'
Set-ItemProperty -Path $HTTPRegPath -Name 'EnableHttp3' -Value '1'

Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"

Get-TlsCipherSuite | Format-Table Name
Get-TlsEccCurve | Format-Table Name

@Wolvverine
Author

I passed TLS/SSL communication through the Charles proxy for selected chocolatey addresses - it works.

For connections/addresses that do not go through the SSL proxy but come from choco, the result is: "TLSv1.2 [Failed: handshake_failure (40) - Unable to negotiate an acceptable set of security parameters, this probably means there are no cipher suites in common]"

The same situation in Fiddler: with "Decrypt HTTPS traffic", all is OK with choco.

@gep13
Member

gep13 commented Jul 4, 2023

@Wolvverine I can confirm that after running the hardening script that you provided above, I can replicate the issue, namely:

Unable to load the service index for source https://community.chocolatey.org/api/v2/.
Unable to connect to source 'https://community.chocolatey.org/api/v2/':
 Object reference not set to an instance of an object.

Can I ask where this hardening script came from? Is this something that you have created yourself? Or something that you have taken from another place?

It would be good to understand exactly which of the commands causes this problem though, and then further to understand why the decision was made to enable/disable the one that is causing the problem.

@pauby
Member

pauby commented Jul 4, 2023

@Wolvverine I've had a look at the script and run it on Windows 10. The problematic line on my test system (Windows 10 Pro 22H2) is:

New-ItemProperty -Path $SChannelRegPath"\TLS 1.3\Client" -Name DisabledByDefault -Value 0 -PropertyType DWORD

If you run the script without that line, Chocolatey CLI can run choco upgrade all -y. But running this line of code produces the same error you are experiencing. The same code, in its entirety, causes no such issues in Windows 11 Pro 22H2.

I'm unsure why this doesn't work, but did find this suggestion that it may be a bug. It seems unlikely this is the issue, and I'm likely putting 2 and 2 together there and probably coming up with 5. But it was all I could find.

As the script / hardening is what is causing the issue, there isn't anything for us to do here, so I'm going to go ahead and close this. We can always re-open it later if needed.

@pauby pauby closed this as not planned Won't fix, can't repro, duplicate, stale Jul 4, 2023
@pauby pauby changed the title The request was aborted: Could not create SSL/TLS secure channel.. Unable to load the service index for source https://chocolatey.org/api/v2/. The request was aborted: Could not create SSL/TLS secure channel after running hardening script Aug 23, 2023
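pauby's comment narrows the failure to one registry write in the hardening script. The script below is an added example, not part of the issue, of the hardening script, or of Chocolatey: it audits the Schannel protocol keys the script writes, flags the "TLS 1.3\Client" key when it sits on a build without TLS 1.3 support, and offers a ShouldProcess-guarded removal of the single DisabledByDefault value that was identified. It runs on Windows only; the function names are the editor's, and the build threshold (Windows Server 2022 build 20348 and Windows 11 build 22000 as the first builds whose Schannel offers TLS 1.3) is an assumption stated in the code.

```powershell
# Added example (not from the issue, the hardening script, or Chocolatey):
# audits the Schannel protocol keys written by the hardening script above and
# flags the TLS 1.3 client key that pauby found to break Chocolatey CLI on
# Windows 10. Reading HKLM needs no elevation; the removal function does.
$SChannelRegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # One row per <Protocol>\<Client|Server> key present, with its two DWORDs.
    # A $null value means the DWORD is absent and Schannel uses its default.
    foreach ($proto in Get-ChildItem -Path $SChannelRegPath -ErrorAction SilentlyContinue) {
        foreach ($side in 'Client', 'Server') {
            $key = "$SChannelRegPath\$($proto.PSChildName)\$side"
            if (-not (Test-Path -Path $key)) { continue }
            $p = Get-ItemProperty -Path $key
            [pscustomobject]@{
                Protocol          = $proto.PSChildName
                Side              = $side
                Enabled           = $p.Enabled
                DisabledByDefault = $p.DisabledByDefault
            }
        }
    }
}

function Test-Tls13ClientKey {
    # Assumption: Schannel offers TLS 1.3 from Windows Server 2022 (build 20348)
    # and Windows 11 (build 22000) onwards. On older builds, such as the 19045
    # in this issue, the "TLS 1.3\Client" key is the setting pauby singled out.
    param([int]$Build = [System.Environment]::OSVersion.Version.Build)
    $key = "$SChannelRegPath\TLS 1.3\Client"
    if (-not (Test-Path -Path $key)) { return 'absent' }
    if ($Build -ge 20348) { return "present, TLS 1.3 supported on build $Build" }
    return "present on build $Build, which has no TLS 1.3 support"
}

function Remove-Tls13ClientDisabledByDefault {
    # Undoes only the line pauby identified; run with -WhatIf first, then from
    # an elevated prompt without it.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = "$SChannelRegPath\TLS 1.3\Client"
    if ($PSCmdlet.ShouldProcess($key, 'Remove DisabledByDefault value')) {
        Remove-ItemProperty -Path $key -Name DisabledByDefault -ErrorAction Stop
    }
}

# Report: protocol keys, the TLS 1.3 client check, and what the client can offer.
Get-SchannelProtocolState | Sort-Object Protocol, Side | Format-Table -AutoSize
"TLS 1.3 client key: $(Test-Tls13ClientKey)"
Get-TlsCipherSuite | Select-Object -ExpandProperty Name
if ((Test-Tls13ClientKey) -like 'present on build*') {
    Write-Warning 'Review with Remove-Tls13ClientDisabledByDefault -WhatIf, then run it elevated to revert that one setting.'
}
```

The audit deliberately touches nothing on its own: the report shows every protocol/side key with its Enabled and DisabledByDefault values so that the TLS 1.0/1.1 disabling and the TLS 1.2 enabling from the script can be confirmed intact, and only the one value that the thread attributes to the breakage is offered for removal.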
@simeononsecurity

Windows hardening enforces the use of the proper security settings while disabling potentially vulnerable ones.
While removing those keys fixes your issue in the short term, the more valid and accurate answer would be to have Chocolatey support the more secure algorithms.

simeononsecurity/Windows-Optimize-Harden-Debloat#67

@blazing6saddles

👍 Thank you @pauby ! This discovery of the "problematic line" saved my laptop. I removed that setting in my registry and, voilà, chocolatey is back in business!
