SSL standards are changing, and older SSL/TLS protocols are slowly being deprecated, or even turned off by some services. This post shows how to enable TLS 1.2 support in Continua CI.
Yesterday, we started getting reports that the GitHub Status event handler and the GitHub Status action in Continua CI had stopped working.
Sure enough, in our testing here we were able to confirm the case. While testing this under the debugger, the error we were seeing was rather strange: "The request was aborted: Could not create SSL/TLS secure channel."
After some research, we found this error was due to being unable to negotiate a common protocol between the client and the server.
Now Continua CI 1.x is built with .NET 4.0 (v2 will be on 4.7.1). We know that .NET 4.0 doesn't support TLS 1.2, and a quick check of the GitHub API server using SSLLabs shows that they now only support TLS 1.2.
I wondered if this was announced by GitHub. It turns out they did announce this 3 weeks ago:
Weak cryptographic standards removal notice
and yesterday they permanently disabled TLS 1.0 and 1.1:
Weak cryptographic standards removed
Anyway, back to Continua CI. The good news is that there is a way to enable TLS 1.2 support in Continua CI. Note that this only works when running on Windows Server 2008 or later (Server 2003 does not support TLS 1.2 at all, and we will be dropping support for it with v2).
1) Install .NET Framework 4.5 or later. All 4.x frameworks effectively replace 4.0, and 4.5 has support for TLS 1.2.
2) Edit %ProgramFiles%\VSoft Technologies\ContinuaCI\Server\Continua.Server.Service.exe.config on the server and %ProgramFiles%\VSoft Technologies\ContinuaCI Agent\Continua.Agent.Service.exe.config on each agent, and add the following line in the appSettings section:
<add key="Continua.Service.SecurityProtocolType" value="Tls|Tls11|Tls12" />
Note that the key supports the following values: Ssl2|Ssl3|Tls|Tls11|Tls12|Default
Default = Ssl3|Tls
Multiple protocols can be separated with |
The value "Tls|Tls11|Tls12" will allow Continua CI to work with services that do not support or have not enabled TLS 1.2, and with services that only support TLS 1.2.
3) Open Regedit and add the following value to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319: SchUseStrongCrypto, type DWORD, value 1
4) Restart the Server and Agent Services.
5) You may need to restart your server(s) for the registry change to take effect.
One last note: this change also affects the communication between the Continua CI Server and agents. If you make the change on the server, make sure you make a compatible change on the agents.
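
A read-only check of steps 1 to 3, as an added example that is not part of the original post or of Continua CI. It assumes the default install paths given above and is meant to be run on the server and on each agent; the Wow6432Node registry key is an assumption added here and is not mentioned in the post.

```powershell
# Added example: read-only check of steps 1-3. Run on the server and on each agent.
$configs = @(
    "$env:ProgramFiles\VSoft Technologies\ContinuaCI\Server\Continua.Server.Service.exe.config",
    "$env:ProgramFiles\VSoft Technologies\ContinuaCI Agent\Continua.Agent.Service.exe.config"
)

# Step 1: .NET Framework 4.5 or later reports a Release value of 378389 or higher.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
if ($ndp -and $ndp.Release -ge 378389) { "OK    .NET 4.5 or later is installed (Release $($ndp.Release))" }
else { "FAIL  .NET 4.5 or later was not detected" }

# Step 2: inspect the appSettings key in whichever service config exists on this machine.
foreach ($path in $configs) {
    if (-not (Test-Path -LiteralPath $path)) { "SKIP  not installed here: $path"; continue }
    $xml  = [xml](Get-Content -LiteralPath $path)
    $node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='Continua.Service.SecurityProtocolType']")
    if ($null -eq $node) { "FAIL  SecurityProtocolType key is missing in $path"; continue }

    $value     = $node.GetAttribute('value')
    $protocols = @($value -split '\|' | ForEach-Object { $_.Trim() })
    if ($protocols -notcontains 'Tls12') {
        "FAIL  '$value' does not include Tls12 in $path"
    } elseif (@($protocols | Where-Object { 'Ssl2','Ssl3','Default' -contains $_ }).Count -gt 0) {
        # Per the post, Default expands to Ssl3|Tls, so it is flagged along with Ssl2 and Ssl3.
        "WARN  '$value' includes Tls12 but also enables SSL 2.0/3.0 in $path"
    } else {
        "OK    '$value' in $path"
    }
}

# Step 3: the post's registry value. The Wow6432Node copy is an assumption added here:
# .NET reads it instead when a service runs as a 32-bit process on 64-bit Windows.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($key in $keys) {
    $v = (Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
    if ($v -eq 1) { "OK    SchUseStrongCrypto = 1 under $key" }
    else { "CHECK SchUseStrongCrypto is not 1 under $key" }
}
```

Nothing is modified by this script; steps 4 and 5 (restarting the services, and possibly the machine) still have to be done after any correction.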