Whether run from a terminal or executed by the SQL Server Agent, the Information Centric Analytics (ICA) Qualys Data Import Utility fails to import new records from the Qualys API because of a connection failure. When this occurs, the Qualys Data Import Utility logs the following error in the QualysDataImport<yyyyMMdd>.log file. The error may also be captured in the SQL Server Agent history log:
[1:ERROR] Program.Main() Basic HTTP request/response is not working. The request was aborted: Could not create SSL/TLS secure channel.. Check api url, account credentials and proxy (1). Response is null
[1:ERROR] Program.Main() Encountered error. Aborting Qualys data import...
The Windows System log also records an Schannel error (event ID 36887: A Fatal Alert Was Received) at the time of the connection failure. The error details are:
A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.
TLS fatal alert code 40 maps to Schannel alert token TLS1_ALERT_HANDSHAKE_FAILURE.
Version : 6.x
Component : Qualys Data Import Utility
Operating System : Windows Server 2012 R2
Windows Server 2012 R2 does not include a cipher suite required by the Qualys API for establishing a secure channel connection using the TLS 1.2 protocol.
Per Network Working Group RFC 5246:
"When a client first connects to a server it is required to send a client hello as its first message.
[...]
The CipherSuite list, passed from the client to the server in the client hello message, contains the combinations of cryptographic algorithms supported by the client in order of the client's preference (favorite choice first). Each CipherSuite defines a key exchange algorithm, a bulk encryption algorithm (including secret key length), and a MAC algorithm. The server will select a cipher suite or, if no acceptable choices are presented, return a handshake failure alert and close the connection.
[...]
After sending the ClientHello message, the client waits for a ServerHello message. Any handshake message returned by the server, except for a HelloRequest, is treated as a fatal error.
[...]
[Regarding ServerHello] The server will send this message in response to a ClientHello message when it was able to find an acceptable set of algorithms [cipher suite]. If it cannot find such a match, it will respond with a handshake failure alert."
https://datatracker.ietf.org/doc/html/rfc5246#section-7.2
NOTE: URL last validated May 15, 2024
Windows Server 2012 R2 is no longer supported for use with ICA. Upgrade the operating system of the server hosting the Qualys Data Import Utility to Windows Server 2016, 2019, or 2022.
Broadcom recommends installing the Qualys Data Import Utility on the server hosting Microsoft SQL Server and the RiskFabric database. The Qualys Data Import Utility log is stored in a subfolder of the Qualys Data Import Utility folder. The default path is:
%SystemDrive%\Program Files\Bay Dynamics\Qualys Data Import Utility\logs
The log file name format is:
QualysDataImport<yyyyMMdd>.log
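To confirm that a failed import matches this issue, the utility log can be correlated with the Schannel alerts in the Windows System log. The PowerShell script below is an added example, not part of the Qualys Data Import Utility or any Broadcom tooling. It assumes the default log path and file name format given above, that the Schannel events are recorded under the provider name Schannel, and it matches events by the date in the log file name because the log lines shown in this article carry no timestamp.

```powershell
# Added example: list Qualys import logs that contain the TLS channel error and
# count Schannel event 36887 (fatal alert 40) entries recorded on the same day.
param(
    # Default log folder from this article; override if installed elsewhere.
    [string]$LogDir = (Join-Path $env:SystemDrive 'Program Files\Bay Dynamics\Qualys Data Import Utility\logs')
)

$tlsError   = 'Could not create SSL/TLS secure channel'   # text from the utility log
$alertMatch = 'fatal alert code is 40'                    # text from the Schannel event

if (-not (Test-Path -LiteralPath $LogDir)) {
    Write-Warning "Log folder not found: $LogDir"
    return
}

$results = foreach ($file in Get-ChildItem -LiteralPath $LogDir -Filter 'QualysDataImport*.log') {
    $hits = @(Select-String -LiteralPath $file.FullName -Pattern $tlsError -SimpleMatch)
    if ($hits.Count -eq 0) { continue }

    # The file name carries the run date: QualysDataImport<yyyyMMdd>.log
    if ($file.BaseName -notmatch '^QualysDataImport(\d{8})$') { continue }
    $day = [datetime]::ParseExact($Matches[1], 'yyyyMMdd', [cultureinfo]::InvariantCulture)

    # Schannel events logged in the System log during that calendar day
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36887
        StartTime    = $day
        EndTime      = $day.AddDays(1)
    }
    $alerts = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
                Where-Object { $_.Message -match $alertMatch })

    [pscustomobject]@{
        LogFile          = $file.Name
        TlsErrorLines    = $hits.Count
        HandshakeAlerts  = $alerts.Count
        FirstAlertTime   = ($alerts | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
        MatchesThisIssue = ($alerts.Count -gt 0)
    }
}

$results | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the server hosting the utility. A row with MatchesThisIssue set to True indicates the import failure coincided with a handshake failure alert from the remote endpoint.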
Per Microsoft, mainstream support for Windows Server 2012 R2 expired on October 9, 2018 and extended support expired on October 10, 2023.
https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2012-r2
NOTE: URL last validated May 15, 2024