WebDeploy 3.6 won’t connect with TLS 1.0 disabled

Tags: iis-8.5, tls

Recently I had my servers audited for PCI compliance.

As part of this I was picked up for not having TLS 1.0 disabled as per:

http://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1_Summary_of_Changes.pdf

When I disable TLS 1.0 using IISCrypto, Web Deploy breaks.

Has anyone found a WebDeploy 3.6 fix for using WebDeploy without TLS 1.0?

Best Answer

We added registry keys to force the .NET app pool over to TLS 1.2. This was to allow an app to talk to Salesforce after SF issued a critical update disabling TLS 1.0. The registry keys apply to the whole server as opposed to a single site, unfortunately. The build broke for the reason you indicate above. This worked for us:

Getting WebDeploy working after disabling insecure Ciphers like SSL 3.0 and TLS 1.0

Excerpt:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
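As an added audit check (not part of the question or the answer above), the following PowerShell reports whether SSL 3.0 and TLS 1.0 are disabled in SCHANNEL and whether the two SchUseStrongCrypto values from the answer are present, so you can confirm the state before and after a Web Deploy run. It assumes the standard SCHANNEL protocol keys that tools like IISCrypto write and the two .NET Framework keys quoted in the answer.

```powershell
# Added check: is TLS 1.0 off, and is the SchUseStrongCrypto fix in place for .NET 4.x clients (e.g. Web Deploy)?
function Get-RegDword($Path, $Name) {
    # Returns the DWORD value, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# SCHANNEL protocol switches (standard paths used by IISCrypto and manual hardening guides).
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 3.0', 'TLS 1.0') {
    foreach ($side in 'Server', 'Client') {
        $enabled = Get-RegDword "$schannel\$proto\$side" 'Enabled'
        $state = if ($null -eq $enabled) { 'not set (OS default)' }
                 elseif ($enabled -eq 0) { 'disabled' }
                 else { 'enabled' }
        Write-Output ("{0,-8} {1,-6} {2}" -f $proto, $side, $state)
    }
}

# The two .NET Framework keys from the answer; both must be 1 for 32-bit and 64-bit .NET 4.x processes.
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$missing = @()
foreach ($key in $netKeys) {
    $value = Get-RegDword $key 'SchUseStrongCrypto'
    $shown = if ($null -eq $value) { '<absent>' } else { $value }
    Write-Output ("{0}\SchUseStrongCrypto = {1}" -f $key, $shown)
    if ($value -ne 1) { $missing += $key }
}

if ($missing.Count -gt 0) {
    Write-Output "SchUseStrongCrypto is not 1 under: $($missing -join ', ')"
    Write-Output "With TLS 1.0 disabled, .NET 4.x clients such as Web Deploy will fail to connect until these are set."
    # To apply the fix from the answer (elevated shell; restart the affected .NET processes afterwards), uncomment:
    # foreach ($key in $missing) { New-ItemProperty -Path $key -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force | Out-Null }
}
```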