CloudSOC JsonImporter fails with the error 'Could not create SSL/TLS secure channel'

book

Article ID: 210427

calendar_today

Updated On:

Products

Information Centric Analytics

Issue/Introduction

The Information Centric Analytics (ICA) JsonImporter fails to pull any data from Symantec CloudSOC and returns the error 'Could not create SSL/TLS secure channel'. The importer logs provide the following details:

JsonImporter.exe [1:ERROR] ApiClient.LogError() System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at System.Threading.Tasks.Task`1.get_Result()
   at JsonImporterUtils.ApiClient.GetResponse(Endpoint endpoint, IRequest request, Func`4 fParseAction)
---> (Inner Exception #0) System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---<---

Cause

The JsonImporter is dependent on its host operating system's TLS ciphers to establish a connection. Following best practices, Symantec reduced the list of TLS encryption ciphers available to CloudSOC API endpoints at the time it migrated Symantec CloudSOC to the Google Cloud Platform (GCP) on Feb 19, 2021. As a consequence of this change, the TLS ciphers used by Windows Server 2012 R2 were disabled. Because Windows Server 2012 R2 reached mainstream End of Support (EOS) on October 9, 2018, its cipher list has not been updated. Note that later versions of Windows Server (e.g., 2016, 2019) are not affected by this change.

The following is a list of currently supported cipher suites:

  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Environment

Import Utility: JsonImporter 1.x

Operating System: Windows Server 2012 R2

Resolution

The recommended resolution is to run the JsonImporter on a server running Windows Server 2016 or later.

To facilitate the transition to GCP and migration from Windows Server 2012 R2, the following API endpoint supporting a compatible ciphers list is available for temporary use:

http://api-direct.casb.protect.broadcom.com/tenant_name

The following script will update the ApiUrl column in the ApplicationSettings table in the CloudSOCDW database to use this URL. Note that each URL's tenant_name value in this script must be edited to use your company's tenant name:

USE     CloudSOCDW
UPDATE  ApplicationSettings
SET   ApiUrl = REPLACE(ApiUrl,'https://api-vip.elastica.net/tenant_name','https://api-direct.casb.protect.broadcom.com/tenant_name')
;

This alternative URL is temporarily available through the end of March 2021 while Broadcom enables support for the deprecated ciphers via the default URL. Please note, however, that Broadcom does not guarantee continued support for the ciphers required by Windows Server 2012 R2; the list of supported cipher suites is regularly reviewed and updated depending on vulnerabilities found with each cipher. The best method for ensuring future compatibility is to use a version of Windows Server that is within its mainstream support window in order to receive all available updates from Microsoft.

Additional Information

Supported TLS Cipher Suites for Windows 2012 R2:

https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-8-1

Windows Server 2012 R2 Support Dates:

https://docs.microsoft.com/en-us/lifecycle/products/windows-server-2012-r2