Summary
When the FlexNet Beacon Server is using only TLS v1.2, policy download fails and the Beacon Engine is no longer able to communicate with the Application Server.
Symptoms
After SSL 3.0 and TLS 1.0 are disabled, the Beacon Engine still tries to communicate over the older protocols, as shown by the following line in the BeaconEngine.log file: [psClientSecurityPolicy|Async] [INFO ] Security protocols Ssl3, Tls are in use.
Policy downloads fail as follows:
2018-01-08 11:26:13,003 [Services.PolicyService|policy] [ERROR] Failed to download policy.
Flexera.SaaS.Transport.Core.ComplianceApiFatalException: Download failed for item https://fnmsbatchuat.FlexDemo.com/inventory-beacons/api/policy/?BeaconUID={25E6AD55-0000-48C2-0000-F75DA5FB384C} (An error occurred while sending the request.) ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.TlsStream.CallProcessAuthentication(Object state)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.BeginWrite(Byte[] buffer, Int32 offset, Int32 size, AsyncCallback asyncCallback, Object asyncState)
at System.Net.TlsStream.UnsafeBeginWrite(Byte[] buffer, Int32 offset, Int32 size, AsyncCallback asyncCallback, Object asyncState)
at System.Net.PooledStream.UnsafeBeginWrite(Byte[] buffer, Int32 offset, Int32 size, AsyncCallback callback, Object state)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
at Flexera.SaaS.Transport.Rules.PolicyClient.DownloadPolicy(String currentVersion, String inventorySettingsRevision)
at Flexera.Beacon.Engine.Services.PolicyService.GetPolicyFromServer(Int32 currentRevisionNumber, String inventorySettingsRevision)
at Flexera.Beacon.Engine.Services.PolicyService.UpdatePolicy(IActivityLogger activityLogger)
Cause
Microsoft .NET Framework v4.5.x and below use a weak encryption cipher that is not compatible with TLS v1.1 and 1.2. We have also seen the same behaviour in .NET v4.6.x, which comes with Windows Server 2016.
Microsoft has a KB Article regarding older .NET Framework versions:
https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/2960358
Workaround
The workaround is to force Microsoft .NET Framework to use a strong cipher by adding the following registry value:
- Open RegEdit.exe as an Administrator
- Navigate to the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
- Right-click in an empty area, create a DWORD value named SchUseStrongCrypto, and give it a value of 00000001
- Once that is complete, restart the FlexNet Beacon Engine service and you should start seeing this line in the BeaconEngine.log file instead:
Additional Information
Additional changes to the Beacon may be required in order to force TLS 1.1 or 1.2 on your beacon. For further details, please review our article on Transport Layer Security (TLS) configuration.
Additionally, we also have an article to secure your estate with HTTPS and TLS which goes into further detail about setting up the certificates and other TLS related information.
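The workaround steps above can be scripted and verified in one pass. The following PowerShell is an added example, not Flexera's own tooling; the log path parameter and the use of the service display name "FlexNet Beacon Engine" are assumptions taken from the wording of this article.

```powershell
#Requires -RunAsAdministrator
# Added example: apply and verify the SchUseStrongCrypto workaround.
param(
    # Assumption: the location of BeaconEngine.log varies per install, so pass it in.
    [string]$LogPath,
    # Assumption: display name as written in the article's restart step.
    [string]$ServiceDisplayName = 'FlexNet Beacon Engine'
)

# Registry key and value name exactly as given in the workaround.
$key  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
$name = 'SchUseStrongCrypto'

# Read the current value without throwing if it does not exist yet.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$shown   = if ($null -eq $current) { '<not set>' } else { $current }
Write-Output "Before: $name = $shown"

if ($current -ne 1) {
    # Create (or overwrite) the value as a DWORD set to 1.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    # The article's steps call for a service restart after the change.
    Get-Service -DisplayName $ServiceDisplayName -ErrorAction Stop | Restart-Service
    Write-Output "Set $name = 1 and restarted '$ServiceDisplayName'."
}

if ($LogPath -and (Test-Path -LiteralPath $LogPath)) {
    # Take the most recent "Security protocols ... are in use." line from the log.
    $last = Select-String -LiteralPath $LogPath -Pattern 'Security protocols (.+?) are in use' |
            Select-Object -Last 1
    if ($last) {
        $protocols = $last.Matches[0].Groups[1].Value -split ',\s*'
        Write-Output "Log reports: $($protocols -join ', ')"
        # Assumption: the log uses System.Net.SecurityProtocolType names
        # (Ssl3, Tls, Tls11, Tls12), as the Ssl3/Tls line in the symptoms suggests.
        if ($protocols -notcontains 'Tls12') {
            Write-Warning 'Tls12 is not listed; the Beacon Engine is still limited to older protocols.'
        }
    } else {
        Write-Warning 'No "Security protocols" line found in the log yet.'
    }
}
```

If the script has just restarted the service, run it again once the Beacon Engine has written a fresh "Security protocols" line, since the log check reads whatever entry is newest at that moment.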