
For Web 8.5, configuring CM and CD environment to only allow security protocol TLS 1.2


Information

Article Type: Solution Article
Scope/Environment: Tridion 2013 SP1 and later product versions (Tridion 2011 SP1 does not work with TLS 1.2; if TLS 1.2 is a requirement, an upgrade to Web 8.5 or another supported version is required)
Symptoms/Context
- Customer has a requirement to disable security protocols lower than TLS 1.2 on both CM (Content Management) and CD (Content Delivery) servers.
- Customer is using Tridion 2013 SP1 HR1, .NET Framework 4.0.30319, Windows Server 2008 R2 Standard, Service Pack 1.
- After disabling support for TLS 1.0 on the servers, the error below is seen when publishing a multimedia component with an external asset:
An error occurred while trying to resolve URI: https://EXTERNAL_FILE_SERVER_URL/asset.mp4
The underlying connection was closed: An unexpected error occurred on a send.
Received an unexpected EOF or 0 bytes from the transport stream.
- Stack trace snippet from the Windows event log after reproducing the error:
StackTrace Information Details:
   at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean ignoreSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
   at System.Net.HttpWebRequest.GetResponse()
   at Tridion.ContentManager.ContentManagement.DefaultBinaryContentProvider.WriteContentToStream(Uri uri, Stream outStream)
   at Tridion.ContentManager.ContentManagement.BinaryContent.WriteToStream(Stream binaryStream)
   at Tridion.ContentManager.ContentManagement.BinaryContent.WriteToStream(Stream binaryStream)
   at Tridion.ContentManager.ContentManagement.BinaryContent.GetByteArray()
   at Tridion.ContentManager.Templating.Engine.CreateMultimediaItem(Package package, Component component)
   at Tridion.ContentManager.Templating.Package.CreateMultimediaItem(TcmUri componentURI)
   at PLTridion.Templating.Utilities.DD4T.PLBinaryPublisher.PublishMultimediaComponent(String uri)
   at DD4T.Templates.Base.Utils.BinaryPublisher.PublishBinariesInRichTextField(String xhtml)
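The stack trace above fails inside the Schannel handshake, which by itself does not tell you whether the CM server or the external asset server is the side that cannot speak TLS 1.2. The diagnostic below is an added example, not part of the SDL article: run from the CM server, it attempts a TLS 1.2-only handshake to the asset server and reports the negotiated parameters and whether the certificate chain is trusted by this machine. It assumes .NET 4.5 or later (where SslProtocols.Tls12 exists) and PowerShell 3.0 or later; the host name is the placeholder from the error above.

```powershell
# Added diagnostic (not part of the SDL article). Read-only: it opens one TLS
# connection and closes it. Assumes .NET 4.5+ so that SslProtocols.Tls12 exists.
$script:CertErrors = [System.Net.Security.SslPolicyErrors]::None

function Test-Tls12Endpoint {
    param([string]$HostName, [int]$Port = 443)

    # Record certificate problems instead of aborting, so a trust failure (the
    # "Could not establish trust relationship" case) is reported separately
    # from a protocol failure (the "unexpected EOF" case in the stack trace).
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:CertErrors = $errors
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        # Offer TLS 1.2 only, mirroring what a server with TLS 1.0/1.1 disabled would do.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        [pscustomobject]@{
            Host       = $HostName
            Handshake  = 'OK'
            Protocol   = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            Subject    = $ssl.RemoteCertificate.Subject
            CertErrors = $script:CertErrors   # None means the chain is trusted here
        }
    } catch {
        # A reset or EOF here means the remote side did not complete a TLS 1.2
        # handshake; compare with a TLS 1.0 attempt to see which side is at fault.
        [pscustomobject]@{
            Host      = $HostName
            Handshake = 'FAILED'
            Error     = $_.Exception.GetBaseException().Message
        }
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

# Placeholder host taken from the publish error; replace with the real asset server.
Test-Tls12Endpoint -HostName 'EXTERNAL_FILE_SERVER_URL' | Format-List
```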
Resolution
*** The configuration changes below are known to be required; depending on environment-specific requirements, other configuration changes may also be needed. ***
- Before making registry changes, install the Microsoft hotfixes below if they are missing.
*RDC access will be disabled if KB3080079 is missing on a Windows 2008 server.*
*SQL Server connectivity will be disabled if the relevant Windows O/S hotfix is missing.*

https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server
https://support.microsoft.com/en-us/help/3080079/update-to-add-rds-support-for-tls-1-1-and-tls-1-2-in-windows-7-or-wind
- Verify that the SSL certificate of the web server providing the external media asset is trusted by the CM and CD servers. If the certificate is not trusted, the administrator may see the error below:
Unable to get file size of 'https://MEDIA_FILE_SERVER/asset.mp4'
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The remote certificate is invalid according to the validation procedure.
- Make the registry changes below to add TLS 1.2 support for Content Delivery. The second argument is not strictly necessary but is helpful for troubleshooting.
HKEY_LOCAL_MACHINE\SOFTWARE\Tridion\Content Delivery\General
Name      Value
jvmarg1   -Dhttps.protocols=TLSv1.2
jvmarg2   -Djavax.net.debug=ssl:handshake:verbose
- To use TLS 1.2, Java 8 must be installed and configured on both the CM and CD servers.
- Make the registry changes below to restrict the security protocols (disable all protocols other than TLS 1.2); also see the Microsoft documentation below:
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
- Verify the Microsoft .NET Framework version and install .NET Framework 4.5/4.6 if supported by the SDL Tridion / SDL Web build. Depending on the Windows O/S, this may or may not be required.
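Registry edits of this size are easy to apply incompletely, and a missing value silently leaves Schannel on its OS default (which on Windows Server 2008 R2 still offers TLS 1.0). The audit script below is an added example, not part of the SDL article: it reads the values listed above from the local machine and reports each one as OK or MISMATCH. It assumes PowerShell 3.0 or later and an elevated session; it changes nothing.

```powershell
# Added audit script (not part of the SDL article). Read-only.
# Desired state transcribed from the .reg listing in the Resolution section.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

$desired = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SchUseStrongCrypto'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto'; Value = 1 },
    @{ Path = "$schannel\PCT 1.0\Server"; Name = 'Enabled';           Value = 0 },
    @{ Path = "$schannel\SSL 2.0\Client"; Name = 'DisabledByDefault'; Value = 1 },
    @{ Path = "$schannel\SSL 2.0\Server"; Name = 'DisabledByDefault'; Value = 1 },
    @{ Path = "$schannel\SSL 2.0\Server"; Name = 'Enabled';           Value = 0 },
    @{ Path = "$schannel\SSL 3.0\Client"; Name = 'Enabled';           Value = 0 },
    @{ Path = "$schannel\SSL 3.0\Server"; Name = 'Enabled';           Value = 0 },
    @{ Path = "$schannel\TLS 1.0";        Name = 'Enabled';           Value = 0 },
    @{ Path = "$schannel\TLS 1.0\Client"; Name = 'Enabled';           Value = 0 },
    @{ Path = "$schannel\TLS 1.0\Server"; Name = 'Enabled';           Value = 0 },
    @{ Path = "$schannel\TLS 1.1\Client"; Name = 'Enabled';           Value = 0 },
    @{ Path = "$schannel\TLS 1.1\Server"; Name = 'Enabled';           Value = 0 },
    @{ Path = "$schannel\TLS 1.2\Client"; Name = 'DisabledByDefault'; Value = 0 },
    @{ Path = "$schannel\TLS 1.2\Client"; Name = 'Enabled';           Value = 1 },
    @{ Path = "$schannel\TLS 1.2\Server"; Name = 'DisabledByDefault'; Value = 0 },
    @{ Path = "$schannel\TLS 1.2\Server"; Name = 'Enabled';           Value = 1 }
)

function Test-TlsRegistryState {
    foreach ($item in $desired) {
        # A missing key or value is reported as a mismatch: Schannel then uses
        # the OS default, which is not the locked-down state the article describes.
        $actual = $null
        if (Test-Path $item.Path) {
            $prop = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
            if ($prop) { $actual = $prop.($item.Name) }
        }
        $shown  = if ($null -eq $actual) { '<missing>' } else { $actual }
        $status = if ($actual -eq $item.Value) { 'OK' } else { 'MISMATCH' }
        [pscustomobject]@{
            Key      = $item.Path.Replace($schannel, 'SCHANNEL\Protocols')
            Name     = $item.Name
            Expected = $item.Value
            Actual   = $shown
            Status   = $status
        }
    }
}

Test-TlsRegistryState | Format-Table -AutoSize
```

Run it on both the CM and CD servers after applying the registry changes and again after any OS patching, since hotfixes can recreate protocol keys.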
Root Cause
Reference
- If only TLS 1.2 is enabled on a production load balancer, the client applications Content Porter and Template Builder will also fail to connect, as will TCMUploadAssembly. See the KB article below for a resolution.
For Web 8.5 production environment, after configuring load balancer to only allow TLS 1.2 traffic, the Content Porter, Template Builder, and TCMUploadAssembly are not able to connect
- XPM (Experience Manager) may fail to function properly if the CM and CD servers are not properly configured for TLS 1.2. See the KB article below for a detailed description of the issue.
In SDL Web, editor sees error "Unable to construct Discovery Service client ... do not possess a common algorithm" when clicking Update Preview in XPM
- WorldServer connectivity issues related to TLS 1.2 configuration:
After integrating Worldserver and Web and configuring servers for TLS 1.2, error "could not create SSL/TLS secure channel" seen
How do I enable TLS 1.1/1.2 on WorldServer?  