Affected Environments

  • Pharos Blueprint Enterprise 5.0 (any service pack level)
  • Pharos Blueprint Enterprise 5.1 (any service pack level)
  • Pharos Blueprint Enterprise 5.2 R1 (any service pack level)
  • Pharos Blueprint Enterprise 5.2 R2 (any service pack level)
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2016

 

Problem Statement

When installing Blueprint 5.x the initial Tracker and EDI web service tests fail with the message "The underlying connection was closed: an unexpected error occurred on a receive." There may also be a message about "unexpected error occurred on a send."

 

TesterError.png

 

Cause

This error happens because SSL is enabled for the Tracker web service (where it is optional) and the EDI web service (where it is enabled by default and required). However, the server has not been enabled to support any cipher (TLS 1.0, 1.1, or 1.2; 1.2 is only compatible with Blueprint Enterprise 5.2 R1 Service Pack 3 or Blueprint Enterprise 5.2 R2). This is normally due to a Group Policy Object (GPO) setting or the default operating system image in the organization has disabled/removed the SChannel protocols in Windows Registry.

 

Resolution

The necessary ciphers can be enabled using Windows Registry.

  1. Launch RegEdit.
  2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols. Within there, look for TLS 1.0 and TLS 1.1.
    TLS_Registry.png
  3. Expand each to expose the Client and Server subkeys. If these keys are not there, use the attached file "CreateTLS1.1.txt" as a basis for an import into the Microsoft Windows Registry.
  4. When selected, the key will have a value, "Enabled". Change it to a Hexadecimal value of 1. Ensure that each subkey's "Enabled" value is set to 1 for TLS 1.0 and 1.1. If necessary, only TLS 1.1 needs to be enabled.
  5. When completed, restart the server.

 

From this point, the SSL-enabled web services will pass their tests.

 

Reference

The following Microsoft article discusses cipher support in the various Windows operating systems and the Windows Registry settings that support them. TLS-SSL Settings | Microsoft Docs

Additionally, Pharos Blueprint Enterprise (and other Pharos Systems applications) are .NET version-dependent. This means that a specific .NET version support of an SChannel cipher must also be considered. Below follows a table listing the cipher support by operating system version. When the value is ON, this implies the default configuration unless affected by Group Policy.

 

Windows versionSSL2 ClientSSL2 ServerSSL3 ClientSSL3 ServerTLS 1.0 ClientTLS 1.0 ServerTLS 1.1 ClientTLS 1.1 ServerTLS 1.2 ClientTLS 1.2 Server
Windows Vista SP2 and Windows Server 2008 SP2OffOnOnOnOnOnN/AN/AN/AN/A
Windows 7 SP1 and Windows Server 2008 R2 SP1OffOnOnOnOnOnOffOffOffOff
Windows Server 2012OffOffOnOnOnOnOnOnOnOn
Windows 8.1 and Windows Server 2012 R2 OffOffOnOnOnOnOnOnOnOn
Windows 10OffOffOnOnOnOnOnOnOnOn
Windows 10 (1511)OffOffOnOnOnOnOnOnOnOn
Windows 10 (1607) and Windows Server 2016N/AN/AOffOffOnOnOnOnOnOn

Source: https://support.microsoft.com/en-us/help/3154519/support-for-tls-system-default-versions-included-in-the-net-framework. Note that systems utilizing .NET 3.5/2.0 will require the addition and enablement of the "SystemDefaultTlsVersions" Registry key after Service Pack 2 for this version of .NET has been applied.