Download Failures Due To WinHttpSendRequest Error 12175

Article ID: 286480


Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Agent upgrades or other files from the Resource Download Location (RDL) fail with an error similar to:

Error: Failed to download upgrade package: https://ServerAddress/hostpkg/pkg.php?pkg=/ParityHostAgent.msi. WinHttpSendRequest Error[12175:]

Environment

  • App Control Server: All Supported Versions
  • App Control Agent: All Supported Versions

Cause

Microsoft defines the WinHttpSendRequest Error[12175] as:

ERROR_WINHTTP_SECURE_FAILURE: 12175
One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server.

Typically this is because the SSL certificate bound to the Resource Download Location is invalid (expired, incorrect Common Name, untrusted root, etc.).

Resolution

  1. Verify the Resource Download Location in System Configuration > Advanced is still accurate, and contains the necessary files.
  2. Verify the IIS Certificate bound to Port 443 is not expired, and formatted correctly:
    • Common Name shown should match Server Address from the General tab.
    • Expiration Date should be in the future.
    • A matching Certificate should be listed in the Trusted Communication Certificates list at the bottom of the Security tab, and Trusted.
  3. Verify the required ports for App Control are available to the Server Address. By default these are 41002 and 443.
  4. A matching set of Protocols and Cipher Suites must exist between the endpoints and the application server.
    • No settings for TLS/Cipher Suites are available in App Control and all configuration must be done at the OS layer.
    • Typically these modifications must be done via the Registry or GPO, but a tool (such as IIS Crypto) may make it easier.
    • Assistance in editing the TLS & Cipher Suites in the Operating System may require support from Microsoft.
  5. If a Proxy is in use:
    • The Agent does not officially support a Proxy and a bypass to the Server Address/RDL may be required.
    • The Agent is currently still a 32-bit application, and uses the 32-bit Proxy settings.
      • Use an administrative command prompt on the endpoint to verify a Bypass exists:
        cd C:\Windows\SysWOW64\
        netsh winhttp show proxy
        
      • If a Bypass does not exist, add one:
        netsh winhttp set proxy proxy-server="" bypass-list=;
        
      • A reboot may be required to restore the connection.
    • If a certificate exists on the Proxy or other Network Appliance, it must be imported & Trusted in the Trusted Communication Certificates list.
    • If SSL Inspection is enabled the Agents will reject the modified packets.
    • If any other authentication (such as 2FA) is enabled for network traffic on ports 41002 or 443 the Agents may fail to properly communicate.
  6. If the issue persists, the certificate may need to be manually imported on the endpoints.
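The following PowerShell script is an added example for working through steps 2, 3 and 5 from a single endpoint; it is not part of the Carbon Black KB article or the App Control product. It assumes the server name appcontrol.example.com is a placeholder you replace with your own Server Address, and it uses only built-in .NET and Windows tooling (Test-NetConnection, SslStream, the certificate store provider and the 32-bit netsh.exe). The TLS handshake callback deliberately accepts any certificate so the script can report what is wrong with it rather than failing the way the agent does.

```powershell
# Added example (not from the KB article). Replace the placeholder below with
# the Server Address shown on the App Control General tab.
$ServerAddress = "appcontrol.example.com"   # placeholder, not a real server
$Ports         = @(443, 41002)              # defaults from Resolution step 3

# --- Step 3: are the required ports reachable from this endpoint? ---
foreach ($p in $Ports) {
    $r = Test-NetConnection -ComputerName $ServerAddress -Port $p -WarningAction SilentlyContinue
    "{0}:{1} reachable = {2}" -f $ServerAddress, $p, $r.TcpTestSucceeded
}

# --- Step 2: fetch the certificate bound to 443 and inspect it ---
$script:PolicyErrors = $null
$tcp = New-Object System.Net.Sockets.TcpClient($ServerAddress, 443)
try {
    # Record the validation result but return $true so we can still inspect a bad certificate.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:PolicyErrors = $sslPolicyErrors
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($ServerAddress)   # hostname must match CN/SAN, as in step 2
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Protocol used:  $($ssl.SslProtocol)"       # step 4: protocol the OS layers negotiated
    "Cipher:         $($ssl.CipherAlgorithm)"
}
finally {
    $tcp.Close()
}

"Subject:        $($cert.Subject)"
"Issuer:         $($cert.Issuer)"
"Not After:      $($cert.NotAfter)"
"Expired:        $($cert.NotAfter -lt (Get-Date))"
# None = name matches and the chain is trusted by this endpoint;
# RemoteCertificateNameMismatch / RemoteCertificateChainErrors point at the failing check.
"Policy errors:  $script:PolicyErrors"
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($san) { "SAN:            " + $san.Format($false) }

# Does this endpoint already trust the issuer (relevant to step 6)?
$trustedIssuer = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -eq $cert.Issuer }
"Issuer in local machine Root/CA store: $([bool]$trustedIssuer)"

# --- Step 5: the agent is 32-bit, so read the WinHTTP proxy the 32-bit stack sees ---
& "$env:SystemRoot\SysWOW64\netsh.exe" winhttp show proxy
```

Run it from an administrative PowerShell prompt on an affected endpoint. A "Policy errors" value other than None identifies which of the step 2 bullets is failing (name mismatch versus chain trust), the expiry line covers the second bullet, and the final netsh output shows whether the 32-bit WinHTTP settings contain a bypass for the Server Address. If the issuer is not found in the local Root/CA store, that is the situation step 6 describes.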

Additional Information

In some installations the Resource Download Location can be temporarily modified to use http:// instead of https://, although this configuration is not recommended for security purposes.