
PowerShell could not create SSL/TLS secure channel; OS-supported ciphers not used


I am trying to use PowerShell to connect to the DNS service desec.io from a Windows Server 2012 R2 server, but the connection fails with the error "The request was aborted: Could not create SSL/TLS secure channel." I used Wireshark to inspect the hello packet to make sure a TLS 1.2 connection was being used and to look at the list of ciphers that are sent. My server sends this list of ciphers when attempting to connect:

                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

I used SSL Labs to inspect the website and determine what ciphers it wants to use. This is the list of ciphers the website will accept:

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits   FS  128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp521r1 (eq. 15360 bits RSA)   FS   128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits   FS  256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp521r1 (eq. 15360 bits RSA)   FS   256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   ECDH secp521r1 (eq. 15360 bits RSA)   FS 256

Looking at the above cipher lists, it is obvious why the connection fails, since there is no matching cipher between client and server. My question is this: according to this Microsoft page, https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-8-1, the ciphers TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 are supported on Windows Server 2012 R2 and should be enabled by default. I even used the IISCrypto tool to verify that these ciphers are listed and set to enabled. So why would PowerShell not send these ciphers? FYI: I don't think PowerShell itself is relevant here, because I get a similar error and failed connection if I try to visit this site from Internet Explorer.
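Added diagnostic, not code from the question or from any answer on this page. It lists what SChannel on the client reports as enabled (Get-TlsCipherSuite, available on Windows 8.1 / Server 2012 R2 and later), reads the two standard registry locations where an explicit cipher suite order can override the OS default (the Group Policy "SSL Cipher Suite Order" value, and the local list that tools such as IISCrypto write), and then checks each suite from the SSL Labs list above against both. The server's accepted list is copied from the question. The rule the script applies, that a suite must be enabled and also present in whichever order list is in force before SChannel will put it in the ClientHello, is my reading of how those lists work; the Wireshark capture remains the ground truth, and the script only tells you at which layer a suite dropped out.

```powershell
# Added diagnostic example; not code from the original question.
# Compares what the remote server accepts (from the SSL Labs report quoted in
# the question) with what SChannel on this client is configured to offer.

$serverAccepts = @(
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'
)

# Standard SChannel locations for an explicit cipher suite order. The policy
# value ("SSL Cipher Suite Order" in Group Policy) takes precedence over the
# local one; IISCrypto and similar tools write the local key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Get-SuiteOrder {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name Functions -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    # Functions is a comma-separated REG_SZ under the policy key and a
    # REG_MULTI_SZ under the local key; normalise both to one string per suite.
    @($item.Functions) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

# Suites SChannel reports as enabled, in its current priority order.
$enabled     = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
$policyOrder = @(Get-SuiteOrder -Path $policyKey)
$localOrder  = @(Get-SuiteOrder -Path $localKey)

# The list actually applied (assumption stated in the lead-in): policy if set,
# else local, else the OS default, which is what Get-TlsCipherSuite shows.
$effective = if ($policyOrder.Count) { $policyOrder } elseif ($localOrder.Count) { $localOrder } else { $enabled }

"Enabled per Get-TlsCipherSuite : $($enabled.Count) suites"
"Group Policy order list        : $($policyOrder.Count) entries"
"Local registry order list      : $($localOrder.Count) entries"
""

# One row per suite the server will accept: is it enabled at all, and does it
# survive the order list that is in force? A False in either column is the
# layer at which that suite went missing from the ClientHello Wireshark showed.
$serverAccepts | ForEach-Object {
    [pscustomobject]@{
        Suite           = $_
        EnabledOnClient = ($enabled -contains $_)
        InEffectiveList = ($effective -contains $_)
        Position        = [array]::IndexOf($effective, $_)
    }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell on the client that produced the capture. A suite that shows EnabledOnClient True but InEffectiveList False points at the order list (Group Policy or the local key) rather than at the OS catalog; one that is False in both columns is simply not available to SChannel on that build, which is expected for the CHACHA20 suite on Server 2012 R2.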

Comments

Can you provide the output of `wmic qfe get hotfixid,installedon`?

Joel Stephens: Output is too long for a comment. Here are the more recent entries in the list: `KB5008883 3/9/2022 KB5009624 3/9/2022 KB5010419 3/9/2022 KB5010462 3/9/2022 KB5011564 3/9/2022 KB5012124 4/14/2022 KB5012170 8/10/2022 KB5012670 4/14/2022 KB5012672 4/14/2022 KB5013631 5/12/2022 KB5014025 5/12/2022 KB5014633 6/16/2022 KB5016264 7/13/2022 KB5016370 8/10/2022 KB5017038 9/15/2022 KB5017398 9/15/2022 KB5018519 10/12/2022 KB5018922 10/12/2022 KB5020620 11/9/2022 KB5020878 12/15/2022 KB5021294 12/15/2022`

Joel Stephens: Here is a Pastebin link to the full output: https://paste-bin.xyz/971767

Joel Stephens: @GregAskew I meant to mention you in the previous comment. Not sure if it is necessary.

Joel Stephens: @GregAskew Anything interesting in the output you requested?