COMAddin Dev
Guest
My expertise level: newbie. Apologies in advance for anything non-ADX or obvious / trivial.
Background:
- We have an ADX add-in for which I have used Click Twice Deployment (MSI).
- Currently we are using .NET 4.5 as the target framework.
- When we use the Click Twice Deployment auto-upgrade process described in the documentation with an "Installation Url" hosted on localhost, all works well as it's an HTTP URL.
Problem:
- However, when we host the add-in on our servers, which have URLs like "https://download.mysite.com/abc/MyAddin4",
we get an error like the one below:
Application Domain: ....updater.exe
Assembly Codebase: file:///C:/Users/../AppData/Local/.../77E0137504ED4437B438AD95A256769F78/2.0.0/....updater.exe
Assembly Full Name: .....exe, Version=1.0.0.0, Culture=neutral, PublicKeyToken=4416dd98f0xxx
Assembly Version: 1.0.0.0
Exception Source: System
Exception Type: System.Net.WebException
Exception Message: The request was aborted: Could not create SSL/TLS secure channel.
---- Stack Trace ----
at System.Net.WebClient.DownloadFile(Uri address, String fileName)
at System.Net.WebClient.DownloadFile(String address, String fileName)
at AddinExpress.Projects.Common.Utilities.DownloadFile(String url, String destFile, IWebProxy proxy)
at AddinExpress.Projects.Common.Utilities.CheckForUpdates(Object module, String url, IWebProxy proxy, String appDir, CTVersionInfo& versionInfo, String currentVersion, String currentLanguage)
at AddinExpress.Deployment.Updater.ADXUpdaterModule.CheckForUpdates(CTVersionInfo& versionInfo)
at AddinExpress.Deployment.Updater.UpdaterEngine.updateWorker_DoWork(Object sender)
What I know:
- If I understand correctly, this problem isn't really ADX-specific, but since the download is triggered by ADX code I thought of posting here to get some expert advice on handling it.
- So, the problem seems to be that until .NET 4.5, TLS 1.2 was not enabled by default and someone had to write code like this:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
- I actually wrote sample code to download the update manually using a test script, and without the above statement I got the same error: "The request was aborted: Could not create SSL/TLS secure channel."
- At this point, after a lot of searching on forums and Google, I seem to have the following options:
1) Somehow manage to add ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; before the DownloadFile call. However, I am not sure how to do this.
2) Use .NET 4.6 for my project (which, as per my reading, defaults to using TLS 1.2). We tried this, but it still seems to give us the same error.
3) Have some registry entries added that will force the use of TLS 1.2 (or whatever is the latest), something this package seems to do / document: https://github.com/TheLevelUp/pos-tls-patcher#net-4x
Now, the last option would definitely need admin rights to have things working, so I believe it's out of the question. But I did add these entries manually and tested, and the upgrade works if I do that.
Question:
My question is: what should I be doing to resolve this?
Any other ways I am missing?
Posted 11 Nov, 2019 07:25:35
TheNewCOMAddin Dev
Guest
Do let me know any inputs on this.
The following options were explored, but they either did not work when implemented or were not feasible for our use case:
- Add registry values: Since these are HKLM type and would need elevated permissions, this is out of the question for us. (details here: )
- Add a line like ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; : We did confirm that this works when we manually try to download the same file via sample code.
ADX Team: Do you have any provision for this?
- AppContext switch flag: We tried adding the following lines. This somehow does not seem to have any effect:
<appSettings>
<add key="AppContext.SetSwitch:Switch.System.Net.DontEnableSchUseStrongCrypto" value="false"/>
<add key="AppContext.SetSwitch:Switch.System.Net.DontEnableSystemDefaultTlsVersions" value="false"/>
</appSettings>
We also tried a <runtime> setting:
<runtime>
<AppContextSwitchOverrides
value="Switch.System.Net.DontEnableSchUseStrongCrypto=false;Switch.System.Net.DontEnableSystemDefaultTlsVersions=false"/>
</runtime>
Posted 12 Nov, 2019 06:05:07
Andrei Smolin
Add-in Express team
Posts: 18662
Joined: 2006-05-11
Posted 12 Nov, 2019 06:11:08
TheNewCOMAddin Dev
Guest
Hi Andrei,
Thanks for the reply.
Executing the following in Windows PowerShell:
PS C:\WINDOWS\system32> [Net.ServicePointManager]::SecurityProtocol
Ssl3, Tls
We do see this to be the issue, as you mentioned. We created a sample add-in with a button to download the file, and when we use similar code to download, we can replicate this issue. The only way around it seems to be to use:
System.Net.ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; or something similar
which seems (if I am not wrong) to enable TLS 1.2.
So how do I tell this to the "updater" application and force it to enable it? Any workarounds?
Thanks again.
Posted 12 Nov, 2019 07:22:01
TheNewCOMAddin Dev
Guest
Hello ADX Team,
Kindly help us on this. Is there some provision to specify the TLS version or force the latest?
From what I understand, the solutions to this problem seem to be one of these:
1) The "Updater" application should have these in its config file so as to force the use of strong crypto:
<runtime>
<AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=false;Switch.System.Net.DontEnableSystemDefaultTlsVersions=false"/>
</runtime>
2) System.Net.ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
or equivalent code before the DownloadFile call.
Thanks
Posted 13 Nov, 2019 06:02:22
Andrei Smolin
Add-in Express team
Posts: 18662
Joined: 2006-05-11
Hello,
The updater is built using .NET 2.0 which doesn't support Tls11 and Tls12. We will think on how we would fix this. As to now, you should use a channel that supports Ssl3 or Tls only.
Andrei Smolin
Add-in Express Team Leader
Posted 13 Nov, 2019 06:11:37
TheNewCOMAddin Dev
Guest
Hi Andrei,
Thank you for confirming this.
Do you have any timeline for TLS 1.2 support for the updater?
Also, if you could elaborate on this: "As to now, you should use a channel that supports Ssl3 or Tls only."
What options do you suggest for now?
Thanks
Posted 18 Nov, 2019 22:58:47
Andrei Smolin
Add-in Express team
Posts: 18662
Joined: 2006-05-11
Hello,
TheNewCOMAddin Dev writes:
Do you have any timeline for TLS 1.2 support for the updater?
I expect a fix for this issue will be available in 3-4 weeks.
TheNewCOMAddin Dev writes:
Also, if you could elaborate on this: "As to now, you should use a channel that supports Ssl3 or Tls only."
For now, you can use a server that doesn't require using TLS 1.2.
Andrei Smolin
Add-in Express Team Leader
Posted 19 Nov, 2019 05:08:29
Andrei Smolin
Add-in Express team
Posts: 18662
Joined: 2006-05-11
Hello All,
An update: A new build is expected in 2-3 weeks after the New Year.
Andrei Smolin
Add-in Express Team Leader
Posted 24 Dec, 2019 06:09:54
Andrei Smolin
Add-in Express team
Posts: 18662
Joined: 2006-05-11
Hello All,
I've reopened this topic to post an update that I should have posted a while ago:
You can specify the TLS used right in the constructor of the ADXClickOnceModule/ADXClickTwiceModule (you need to add them to your project) or in the constructor of the add-in module:
ServicePointManager.SecurityProtocol =
SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
If you have no SecurityProtocolType.Tls11 and/or SecurityProtocolType.Tls12 declared in the .NET Framework version you are using, use numeric values:
ServicePointManager.SecurityProtocol =
SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls
| (SecurityProtocolType)768 /*Tls 1.1*/
| (SecurityProtocolType)3072 /*Tls 1.2*/
| (SecurityProtocolType)12288 /*Tls 1.3*/;
Andrei Smolin
Add-in Express Team Leader
Posted 01 Dec, 2020 06:07:56
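An added example, not part of the original thread and not Add-in Express code: one way to apply the numeric values from the last post so that a flag the runtime rejects (NotSupportedException) does not cancel the others. The names TlsBootstrap and EnableModernTls are hypothetical; the example goes beyond the post by leaving a SystemDefault setting untouched and by switching SSL 3.0 (deprecated by RFC 7568) off.

```csharp
using System;
using System.Net;

// Hypothetical helper, not part of Add-in Express. Call EnableModernTls() from the
// module constructor mentioned in the post above, before any update check runs.
public static class TlsBootstrap
{
    // Numeric values as given in the post, for frameworks that lack the enum names.
    private const SecurityProtocolType Tls11 = (SecurityProtocolType)768;
    private const SecurityProtocolType Tls12 = (SecurityProtocolType)3072;
    private const SecurityProtocolType Tls13 = (SecurityProtocolType)12288;

    public static SecurityProtocolType EnableModernTls()
    {
        // 0 means SystemDefault (.NET Framework 4.7+): the OS already picks the
        // protocol, and OR-ing flags in would pin the process to a fixed list.
        if ((int)ServicePointManager.SecurityProtocol == 0)
            return ServicePointManager.SecurityProtocol;

        // Add one flag at a time so an unsupported one does not discard the rest.
        foreach (SecurityProtocolType p in new SecurityProtocolType[] { Tls11, Tls12, Tls13 })
            TrySet(ServicePointManager.SecurityProtocol | p);

        // Design choice of this example: drop SSL 3.0 as long as another
        // protocol stays enabled afterwards.
        SecurityProtocolType noSsl3 =
            ServicePointManager.SecurityProtocol & ~SecurityProtocolType.Ssl3;
        if ((int)noSsl3 != 0)
            TrySet(noSsl3);

        return ServicePointManager.SecurityProtocol;
    }

    private static bool TrySet(SecurityProtocolType value)
    {
        try { ServicePointManager.SecurityProtocol = value; return true; }
        catch (NotSupportedException) { return false; } // runtime rejects this flag
    }

    // Stand-alone demonstration: prints the setting before and after the call.
    public static void Main()
    {
        Console.WriteLine("Before: " + ServicePointManager.SecurityProtocol);
        Console.WriteLine("After:  " + EnableModernTls());
    }
}
```

ServicePointManager.SecurityProtocol is process-wide, so inside an Office add-in the change also applies to other managed code in the same application domain.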