Ibrahim AKSIT ha scritto il 14/07/20 alle 21:30:
Hello dear there all, Regarding the Windows TLS issue I have used the tool on https://www.nartac.com/Products/IISCrypto/ site and restart it. Everything worked like a charm. Hope this is going to work for you as well. Have a great day. Thank you very much indeed!
IISCrypto say it is compatible with "Windows Server 2008, 2012, 2016 and 2019" but more over I can even read "IIS Crypto updates the registry using the same settings from this article[¹] by Microsoft.". The MS article says that the registry settings found on the article are compatible with "Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003 Standard Edition (32-bit x86), Microsoft Windows Server 2003 Web Edition, Microsoft Windows XP Professional, Microsoft Windows XP Home Edition". I can't find win7... any way I have run it on a win7 client: all settings seems to be checked so all protocols seems to be supported until TLS 1.2 and SSL 3.0. I have selected the best practices template that disable old protocols, I have selected all protocols even old ones, applyed and rebooted the win7 client but nothing changed but the fails log are ever the same:
(4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xbe242a7dbdc83389 (4) eap: Finished EAP session with state 0xbe242a7dbdc83389 (4) eap: Previous EAP request found for state 0xbe242a7dbdc83389, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 7 bytes (4) eap_peap: Got complete TLS record (7 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca (4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA (4) eap_peap: TLS_accept: Need to read more data: error (4) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (4) eap_peap: In SSL Handshake Phase (4) eap_peap: In SSL Accept mode (4) eap_peap: SSL Application Data (4) eap_peap: ERROR: TLS failed during operation (4) eap_peap: ERROR: [eaptls process] = fail (4) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (4) eap: Sending EAP Failure (code 4) ID 236 length 4 (4) eap: Failed in EAP select (4) [eap] = invalid (4) } # authenticate = invalid
I have tried to run IISCrypto to a win10 client but the protocols supported seems to be the same... I'm very confused... :? Piviul [¹] https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-c...