Affected Environments
- Pharos Blueprint Enterprise 5.0 (any service pack level)
- Pharos Blueprint Enterprise 5.1 (any service pack level)
- Pharos Blueprint Enterprise 5.2 R1 (any service pack level)
- Pharos Blueprint Enterprise 5.2 R2 (any service pack level)
- Microsoft Windows Server 2008 R2
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2016
Problem Statement
When installing Blueprint 5.x the initial Tracker and EDI web service tests fail with the message "The underlying connection was closed: an unexpected error occurred on a receive." There may also be a message about "unexpected error occurred on a send."
Cause
This error happens because SSL is enabled for the Tracker web service (where it is optional) and the EDI web service (where it is enabled by default and required). However, the server has not been enabled to support any cipher (TLS 1.0, 1.1, or 1.2; 1.2 is only compatible with Blueprint Enterprise 5.2 R1 Service Pack 3 or Blueprint Enterprise 5.2 R2). This is normally due to a Group Policy Object (GPO) setting or the default operating system image in the organization has disabled/removed the SChannel protocols in Windows Registry.
Resolution
The necessary ciphers can be enabled using Windows Registry.
- Launch RegEdit.
- Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols. Within there, look for TLS 1.0 and TLS 1.1.
- Expand each to expose the Client and Server subkeys. If these keys are not there, use the attached file "CreateTLS1.1.txt" as a basis for an import into the Microsoft Windows Registry.
- When selected, the key will have a value, "Enabled". Change it to a Hexadecimal value of 1. Ensure that each subkey's "Enabled" value is set to 1 for TLS 1.0 and 1.1. If necessary, only TLS 1.1 needs to be enabled.
- When completed, restart the server.
From this point, the SSL-enabled web services will pass their tests.
Reference
The following Microsoft article discusses cipher support in the various Windows operating systems and the Windows Registry settings that support them. TLS-SSL Settings | Microsoft Docs
Additionally, Pharos Blueprint Enterprise (and other Pharos Systems applications) are .NET version-dependent. This means that a specific .NET version support of an SChannel cipher must also be considered. Below follows a table listing the cipher support by operating system version. When the value is ON, this implies the default configuration unless affected by Group Policy.
| Windows version | SSL2 Client | SSL2 Server | SSL3 Client | SSL3 Server | TLS 1.0 Client | TLS 1.0 Server | TLS 1.1 Client | TLS 1.1 Server | TLS 1.2 Client | TLS 1.2 Server |
|---|---|---|---|---|---|---|---|---|---|---|
| Windows Vista SP2 and Windows Server 2008 SP2 | Off | On | On | On | On | On | N/A | N/A | N/A | N/A |
| Windows 7 SP1 and Windows Server 2008 R2 SP1 | Off | On | On | On | On | On | Off | Off | Off | Off |
| Windows Server 2012 | Off | Off | On | On | On | On | On | On | On | On |
| Windows 8.1 and Windows Server 2012 R2 | Off | Off | On | On | On | On | On | On | On | On |
| Windows 10 | Off | Off | On | On | On | On | On | On | On | On |
| Windows 10 (1511) | Off | Off | On | On | On | On | On | On | On | On |
| Windows 10 (1607) and Windows Server 2016 | N/A | N/A | Off | Off | On | On | On | On | On | On |
Source: https://support.microsoft.com/en-us/help/3154519/support-for-tls-system-default-versions-included-in-the-net-framework. Note that systems utilizing .NET 3.5/2.0 will require the addition and enablement of the "SystemDefaultTlsVersions" Registry key after Service Pack 2 for this version of .NET has been applied.
Comments