Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

Disabling TLS 1.0 and 1.1



  • Our security team has requested that TLS 1.0 and 1.1 be disabled as they are a security risk. When I do this on our ProGet server I get the following error displayed on my NuGet feed.

    There was an error with a connector: The underlying connection was closed: An unexpected error occurred on a receive.

    If I re-enable TLS the error goes away.

    Product: ProGet
    Version: 5.0.12



  • Please review KB#1161 for instructions on how to update this


    This is OS & .NET Framework dependent.

    Many users have reported that setting the follow registry will resolved this issue:

    Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 
    Value: SchUseStrongCrypto 
    Data: 1
    

    Note that this will involve a reboot. See this guide on TLS in .NET for more information.

    Edited answer to reflect comments/discussion below



  • I'm afraid this doesn't really help. The server is already configured correctly for TLS, but ProGet doesn't work under this configuration (or at least the external connector to Nuget.org doesn't). I assume ProGet does not require TLS 1.0/1.1 so I need to understand why ProGet is giving this error when run under this configuration



  • What that article says is that programs should not set specific TLS versions (which ProGet does not) because the defaults will change as the OS is patched/updated. This means that it should be using the most secure by default, which based on the TCP error, it is not doing. Unfortunately this is symptom of applications targeting versions of the .NET Framework before v4.7 like ProGet does (it targets v4.5.2).

    We may be able to hack in a fix like we did for our Git extension in a future version, but if you want to get it working right away, follow this part of the guide: Configuring security via the Windows Registry



  • Setting the following registry setting has resolved this issue:

    Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 
    Value: SchUseStrongCrypto 
    Data: 1


  • Hello,

    I created the key in regedit, but it did not help to solve the problem.

    In fact, when I test the connection to github.com in the Proxy Configuration, I get a "Test failed: The request was aborted: Could not create SSL/TLS secure channel." error, whereas https://google.com or https://gitlab.com do work.

    Thanks for the help. :)



  • Hey!

    It did solve my problem, thank you so much!

    Have a great week-end. :)



  • For completeness, after the registry value is configured the server will likely need a reboot to take effect.



  • typo in VERY important registry path given above:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319

    should instead be:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319

    (i.e., original was missing backlash between Microsoft and .NETFramework)

    fwiw, it looks like the wiki software is responsible for removing the backslash, as I had to double the blackslash for it to appear in the preview.

    Update/Edit by Inedo: thanks, we've edited the post above to be correct



  • Hello,

    I again have a problem with github.com, saying:
    "Receiving...
    Error making request.
    Error: tunneling socket could not be established, cause=getaddrinfo ENOTFOUND 8080 8080:80"

    This time, the test in proxy configuration window on ProGet is successful.



  • Please review KB#1161 for instructions on how to update this.



Inedo Website HomeSupport HomeCode of ConductForums GuideDocumentation