[Vm-dev] SSL error on windows 7

Tobias Pape Das.Linux at gmx.de
Tue May 22 18:19:50 UTC 2018


> On 22.05.2018, at 19:19, Stephan Eggermont <stephan at stack.nl> wrote:
> 
> 
> Tobias Pape <Das.Linux at gmx.de> wrote:
>> 
> 
>> On 22.05.2018, at 17:15, Stephan Eggermont <stephan at stack.nl> wrote:
>> 
>> Is this relevant?
>> 
>> https://github.com/rust-lang/cargo/issues/5066
>> 
> 
> Yes, this sounds perfectly reasonable.
> I wonder what a proper way to deal with that would be……
> 
> Especially as the machine I have this problem on is a corporate one...

Re-reading, it may not help, either :(
This whole thing talks about WinHTTP, while we use Schannel directly. 
However, the trigger seems to be similar and the underlying reason related:

TLS 1.1 and 1.2 are simply not enabled by default in Windows 7:

	https://www.smartftp.com/support/kb/enable-tls-12-on-windows-7-f2679.html

However, reading

	https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

indicates
"To enable the system to use the protocols that will not be negotiated by default (such as TLS 1.1 and TLS 1.2), change the DWORD value data of the DisabledByDefault value to 0x0 in the following registry keys under the Protocols key:

	• SCHANNEL\Protocols\TLS 1.1\Client
	• SCHANNEL\Protocols\TLS 1.1\Server
	• SCHANNEL\Protocols\TLS 1.2\Client
	• SCHANNEL\Protocols\TLS 1.2\Server

Warning: The DisabledByDefault value in the registry keys under the Protocols key does not take precedence over the grbitEnabledProtocols value that is defined in the SCHANNEL_CRED structure that contains the data for an Schannel credential."

Ahaa. We have

	sc_cred.grbitEnabledProtocols = server ? SP_PROT_TLS1_SERVER | SP_PROT_SSL3_SERVER : 0;

Lemme see.

Ok, please test 90e663ad7 when appveyor is done :)

Thanks a lot, Stephan, thanks to you, this only took 10 minutes or so..

Best regards
	-Tobias
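
The precedence rule quoted in the message above, as an added example that is not part of the original post or the VM's code: a small portable model of how a zero grbitEnabledProtocols falls back to the system defaults, while a non-zero mask is used as given. Assumptions: the flag values are repeated from schannel.h, the Windows 7 default set follows the message's statement that TLS 1.1 and 1.2 are not enabled by default, `explicit_mask` is a hypothetical alternative (not the contents of 90e663ad7), and the separate Enabled registry value is ignored.

```c
#include <stdint.h>
#include <stdio.h>

/* Protocol flags with the values used in schannel.h, repeated here so the
   model builds without the Windows SDK. */
#define SP_PROT_SSL3_SERVER   0x00000010u
#define SP_PROT_SSL3_CLIENT   0x00000020u
#define SP_PROT_TLS1_SERVER   0x00000040u
#define SP_PROT_TLS1_CLIENT   0x00000080u
#define SP_PROT_TLS1_1_CLIENT 0x00000200u
#define SP_PROT_TLS1_2_CLIENT 0x00000800u
#define ALL_CLIENT (SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_CLIENT | \
                    SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT)

/* Assumed Windows 7 client defaults: TLS 1.1/1.2 are DisabledByDefault. */
#define WIN7_DEFAULT_CLIENT (SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_CLIENT)

/* The expression quoted in the message: a client passes 0. */
uint32_t quoted_mask(int server) {
    return server ? SP_PROT_TLS1_SERVER | SP_PROT_SSL3_SERVER : 0;
}

/* Hypothetical explicit client mask; the server side is left as quoted. */
uint32_t explicit_mask(int server) {
    return server ? quoted_mask(1)
                  : SP_PROT_TLS1_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT;
}

/* Model: grbitEnabledProtocols == 0 lets Schannel pick the system defaults,
   where DisabledByDefault applies; a non-zero mask is used as given. */
uint32_t effective_client(uint32_t grbit, uint32_t system_defaults) {
    return grbit == 0 ? system_defaults : (grbit & ALL_CLIENT);
}

/* Non-zero when client and peer share at least one protocol version. */
int can_negotiate(uint32_t client, uint32_t peer_accepts) {
    return (client & peer_accepts) != 0;
}

int main(void) {
    uint32_t peer = SP_PROT_TLS1_2_CLIENT;  /* constructed peer: TLS 1.2 only */
    uint32_t before = effective_client(quoted_mask(0), WIN7_DEFAULT_CLIENT);
    uint32_t after  = effective_client(explicit_mask(0), WIN7_DEFAULT_CLIENT);
    printf("quoted:   0x%03x negotiates=%d\n", (unsigned)before, can_negotiate(before, peer));
    printf("explicit: 0x%03x negotiates=%d\n", (unsigned)after, can_negotiate(after, peer));
    return 0;
}
```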



