“Could not create SSL/TLS secure channel,” but TLS 1.2 is enabled after running Windows-Optimize-Harden-Debloat script #3306

Closed
5 tasks done
SkullHex2 opened this issue Aug 21, 2023 · 3 comments

Comments

@SkullHex2

Checklist

  • I have verified this is the correct repository for opening this issue.
  • I have verified no other issues exist related to my problem.
  • I have verified this is not an issue for a specific package.
  • I have verified this issue is not security related.
  • I confirm I am using official, and not unofficial, or modified, Chocolatey products.

What You Are Seeing?

important: this has been happening ever since I used Windows-Optimize-Harden-Debloat. More info on this in Additional Context.

> sudo choco upgrade all
Chocolatey v2.2.2
Upgrading the following packages:
all
By upgrading, you accept licenses for the packages.
Unable to load the service index for source https://community.chocolatey.org/api/v2/.
The request was aborted: Could not create SSL/TLS secure channel.
For more information on this issue and guidance in resolving the problem, see https://ch0.co/t/svcidx
Unable to connect to source 'https://community.chocolatey.org/api/v2/':
 Object reference not set to an instance of an object.

chocolatey was not found with the source(s) listed.
 If you specified a particular version and are receiving this message, it is possible that the package name exists but the version does not.
 Version: ""; Source(s): "https://community.chocolatey.org/api/v2/"

Chocolatey upgraded 0/1 packages.
 See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).

Warnings:
 - chocolatey - chocolatey was not found with the source(s) listed.

What is Expected?

sudo choco upgrade all executes correctly, checking if each of the installed packages can be upgraded.

How Did You Get This To Happen?

  1. Run .\sos-optimize-windows.ps1 -firefox:$False -onedrive:$False -windows:$False (additional arguments are most likely unnecessary)
  2. Reboot
  3. Run sudo choco upgrade all (with gsudo installed)

System Details

  • Operating System: 10.0.19044.0
  • Windows PowerShell version: 7.4.0-preview.4
  • Chocolatey CLI Version: 2.2.2
  • Chocolatey Licensed Extension version: don't know, the output is Chocolatey v2.2.2 and 0 packages installed
  • Chocolatey License type: Free (i.e. Open Source here)
  • Terminal/Emulator: Windows Terminal

Installed Packages

N/A

Output Log

https://gist.github.com/SkullHex2/246bfea3b2a65b94d0012ca11f5306d9

Additional Context

First off, about the script that broke everything: I've already submitted an issue in that repository. I hope Chocolatey's log is enough to understand what happened, without having to skim through the entire script.
What I've already tried:

@pauby
Member

pauby commented Aug 23, 2023

@SkullHex2

important: this has been happening ever since I used Windows-Optimize-Harden-Debloat. More info on this in Additional Context.

As this has been happening since you ran the script, the issue will be the script and what it does and not Chocolatey CLI. This isn't something we support or provide guidance on.

Have a look at this issue and in particular this comment.

@pauby pauby changed the title “Could not create SSL/TLS secure channel,” but TLS 1.2 is enabled “Could not create SSL/TLS secure channel,” but TLS 1.2 is enabled after running Windows-Optimize-Harden-Debloat script Aug 23, 2023
@SkullHex2
Author

Sorry, I thought this was relevant as TLS is still enabled, and the log doesn't give you much to go on by saying Could not create SSL/TLS secure channel.
With a single comment you have been more helpful than the script's author, as I managed to fix the issue by removing the following keys:

HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client

Thank you.
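
A read-only way to see which protocol overrides exist under the `SCHANNEL\Protocols` key named in the comment above, and to back the key up before removing anything. This is an added example, not part of the original comments or of either project. `Get-SchannelProtocolOverride`, `Backup-SchannelProtocols` and the backup file path are hypothetical names; `Enabled` and `DisabledByDefault` are the standard Schannel DWORD values.

```powershell
# Added example: inventory SCHANNEL protocol overrides without changing them.
# When a Client/Server subkey or one of its values is absent, the OS default applies.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolOverride {
    param([string]$Path = $SchannelProtocols)

    if (-not (Test-Path -LiteralPath $Path)) { return }

    foreach ($protocol in Get-ChildItem -LiteralPath $Path) {
        foreach ($role in 'Client', 'Server') {
            $roleKey = Join-Path (Join-Path $Path $protocol.PSChildName) $role
            if (-not (Test-Path -LiteralPath $roleKey)) { continue }

            $values   = Get-ItemProperty -LiteralPath $roleKey
            $enabled  = $values.Enabled            # $null when the value is not set
            $disabled = $values.DisabledByDefault  # $null when the value is not set

            # Summarise what the two DWORDs mean for callers that rely on OS defaults.
            $effect = if ($null -ne $enabled -and $enabled -eq 0) { 'explicitly disabled' }
                      elseif ($disabled -eq 1)                     { 'off unless the application requests it' }
                      elseif ($null -ne $enabled)                  { 'explicitly enabled' }
                      else                                         { 'OS default' }

            [pscustomobject]@{
                Protocol          = $protocol.PSChildName
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $disabled
                Effect            = $effect
            }
        }
    }
}

function Backup-SchannelProtocols {
    # Hypothetical default path; writes a .reg file that can be re-imported later.
    param([string]$File = "$env:TEMP\schannel-protocols-backup.reg")
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' $File /y
}

Get-SchannelProtocolOverride | Sort-Object Protocol, Role | Format-Table -AutoSize
```

Comparing this table before and after a hardening script runs shows exactly which protocol entries the script added, which narrows down what to revert.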

@simeononsecurity

Windows hardening enforces the use of the proper security settings while disabling potentially vulnerable ones.
While removing those keys fixes your issue in the short term, the more valid and accurate answer would be to have Chocolatey support the more secure algorithms.

simeononsecurity/Windows-Optimize-Harden-Debloat#67
