CEM Clients receive connection error with TLS 1.1 or 1.2 but connect successfully with TLS 1.0

Article ID: 172190

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

Cloud Enabled Management (CEM) clients connect to the Notification Server (NS) successfully over TLS 1.0. When the clients are switched to a later TLS version (1.1 or 1.2), they stop connecting.

Agent logs:
'Malformed response' errors are logged for replies from the Notification Server.

IIS logs on the NS:
HTTP 500 responses are returned to clients that negotiate a TLS version later than 1.0.

Cause

Windows (Schannel) issue. When the NS requests a client certificate, Schannel can include the list of trusted issuers (the CAs from the machine's trusted root store) in its CertificateRequest handshake message. With TLS 1.1 and later, the way this list is communicated to the client changed, and the CEM client/server exchange no longer completes cleanly, producing the errors above.

Environment

Management Platform 8.0 and 8.1 with CEM; clients negotiating TLS 1.1 or later

Resolution

Setting the following registry value on the NS, as described in the Microsoft KB article linked below, resolved the issue:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Value name: SendTrustedIssuerList
Value type: REG_DWORD
Value data: 0 (False)

Restart the NS after making the change so Schannel picks it up. Note that this value is machine-wide: with it set to 0, Schannel omits the trusted issuer list from every CertificateRequest it sends, so every Schannel-based service on the NS is affected, not only the CEM site, and clients must select a client certificate without that hint from the server.

Further details: 
https://support.microsoft.com/en-us/help/2464556/failed-tls-connection-between-unified-communications-peers-generates-a
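The following PowerShell is an added example and is not part of the original article or the product. It reads the current SendTrustedIssuerList value on the NS, sets it to 0 as a REG_DWORD, and then verifies from a client that a TLS 1.1 or 1.2 handshake to the NS site completes, optionally presenting a client certificate the way a CEM agent would. The hostname ns.example.com, port 443 and the certificate thumbprint lookup are assumptions for illustration; run the Set-* part elevated on the NS and the Test-* part from a CEM client.

```powershell
# Added example (not from the original KB). Inspect/set SendTrustedIssuerList on the NS
# and verify a TLS 1.1/1.2 handshake to the CEM site from a client.

$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$ValueName   = 'SendTrustedIssuerList'

function Get-SendTrustedIssuerList {
    # Returns the current DWORD, or $null when the value is absent (the OS default then applies).
    $item = Get-ItemProperty -Path $SchannelKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-SendTrustedIssuerList {
    param([ValidateSet(0, 1)][int]$Value = 0)
    $before = Get-SendTrustedIssuerList
    $shown  = if ($null -eq $before) { '<not set>' } else { $before }
    Write-Host ("Current {0}: {1}" -f $ValueName, $shown)
    # Creates the REG_DWORD if missing, overwrites it otherwise (-Force).
    New-ItemProperty -Path $SchannelKey -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
    Write-Host ("Set {0} to {1}. Restart the server so Schannel picks up the change." -f $ValueName, $Value)
}

function Test-TlsHandshake {
    # Opens a TCP connection and runs only the TLS handshake at the requested protocol version.
    # Pass -ClientCertificate to mimic a CEM agent presenting its client certificate.
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # assumption: NS / CEM gateway FQDN
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol = 'Tls12',
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ClientCertificate
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Server certificate validation is bypassed here on purpose: the test is the handshake
        # path itself (CertificateRequest handling), not chain validation of the NS certificate.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $certs = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
        if ($ClientCertificate) { [void]$certs.Add($ClientCertificate) }
        $ssl.AuthenticateAsClient($ComputerName, $certs, $Protocol, $false)
        [pscustomobject]@{
            Host       = $ComputerName
            Requested  = $Protocol
            Negotiated = $ssl.SslProtocol
            Cipher     = $ssl.CipherAlgorithm
            Success    = $true
            Error      = $null
        }
    } catch {
        [pscustomobject]@{
            Host       = $ComputerName
            Requested  = $Protocol
            Negotiated = $null
            Cipher     = $null
            Success    = $false
            Error      = $_.Exception.Message
        }
    } finally {
        $client.Close()
    }
}

# Usage (hostname and thumbprint are assumptions):
# On the NS, elevated:
#   Set-SendTrustedIssuerList -Value 0
# From a CEM client, after the NS restart, with and without the agent's client certificate:
#   $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq '<cem-cert-thumbprint>'
#   Test-TlsHandshake -ComputerName 'ns.example.com' -Protocol Tls11
#   Test-TlsHandshake -ComputerName 'ns.example.com' -Protocol Tls12 -ClientCertificate $cert
```

Test-TlsHandshake only exercises the TLS handshake, so a successful result confirms the protocol negotiates and the client certificate exchange completes; the HTTP 500 seen in the IIS logs happens after that, so follow up by checking the agent log and the IIS log once the handshake test passes.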