Getting 'The connection with the server was terminated abnormally' while doing a clone after disabling SSL2, SSL3 and TLS1.0

[jeffrey-opdam]

We have a local TFS 2017 Update 2 running and use libgit2sharp to do some automation with git.
We recently turned off SSL2, SSL3, TLS1.0 and turned on TLS1.1 and TLS1.2, security related.

Unfortenately this results in error when we do a clone:
The connection with the server was terminated abnormally.

I am guessing it wants TLS1.0, is there a way I can force it to use TLS1.2.

libgit2sharp version 0.24.0.0

[jeffrey-opdam]

After a good night sleep:

libgit2 uses winhttp. For winhttp you can use registry entries to direct which TLS versions can be used:

I added:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisableByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisableByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000a00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000a00

[ethomson]

Thanks Jeffrey for the report and the details. You're exactly right that we use winhttp here - I was unaware of these registry keys.

But I'm surprised that they need to change - doesn't IE and Edge also use WinHTTP? They presumably enable these TLS versions by default.

Should we be doing more to configure WinHTTP, I wonder? 🤔

[bording]

@jeffrey-opdam What version of Windows are you using?

@ethomson TLS on Windows is kind of weird, and somewhat difficult to figure out the current state of. TLS 1.1 and 1.2 were only enabled by default in Windows 8.1 and 10 (and the equivalent server versions) until a patch was released for Windows 7: https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

Even with that patch, you still have to manually add the DefaultSecureProtocols registry key to have 1.1 and 1.2 be enabled by default.

Given that, I think it does make sense to configure WinHTTP to use the newer versions explictily vs. relying on the defaults.

That would actually have to be done in libgit2 itself, since that's where the default http transport code is, right?

[ethomson]

That would actually have to be done in libgit2 itself, since that's where the default http transport code is, right?

Yes, I agree, that would be the correct place to make this change.

[jeffrey-opdam]

@bording Yes it is Windows 7; But I do not find the DefaultSecureProtocols registry key on my Windows 10 laptop either.

I think it would be better to do it in libgit2 and let it flow from libgit2sharp.

[ethomson]

@jeffrey-opdam Curious did IE / Edge work before you changed the registry?

And I'm also curious if libgit2/LibGit2Sharp on Windows 10 works without changes to the registry?

[bording]

@bording Yes it is Windows 7; But I do not find the DefaultSecureProtocols registry key on my Windows 10 laptop either.

Yes, that is to be expected. Registry keys are usually not set if you're just using the default value for the key. It will only be there if it's been set to something other than its default value.

The difference between 7 and 10 is what the default value for that key is if it isn't set. The patch for 7 added the key, but didn't actually make TLS 1.1 and 1.2 enabled by default, which is why you still have to add the key to enable them.

However, Windows 10 does enable them by default, so you don't need the key to override the defaults.

[ethomson]

We changed libgit2 to explicitly enable TLS 1.2, so we've inherited that functionality.