Symptom
Cannot connect to servers with the error message "Could not create SSL/TLS secure channel".
Cause
The cause is that Microsoft has applied security patches (in particular KB3172605) that disallow weak Diffie-Hellman key exchanges with key lengths of less than 1024 bits. This is a Windows system-wide security measure within the IP stack of Windows and cannot be circumvented by any application.
Some older Cisco servers use 768-bit key lengths by default, which prevents Report Tool (and anything else) from connecting to these servers with SSL (in use by HTTPS and SSH).
Workaround
To enable weak Diffie-Hellman key exchanges, the following two workarounds can be used depending on the Windows version:
1.) Windows 7: Uninstall security patch KB3172605 and reboot. The registry workaround does NOT work for Windows 7.
2.) Windows 10, Server 2012R2: Add the registry key as below. Removing the patch KB3172605 is not sufficient.
1.) Detailed Steps to Remove KB3172605
On Windows 7 (32/64-bit), uninstall the 'Update for Windows 7 (KB3172605)'. The uninstall steps are:
1.) Windows Start > type 'Installed Updates' and press <Enter>.
2.) In the 'Search Installed Updates' search box, type KB3172605; if found, select it and click Uninstall.
3.) Sometimes it is not enough to uninstall KB3172605. This issue can involve KB3185278, KB3185330, KB3192391 or KB3175024. If the issue persists after uninstalling KB3172605, please try reinstalling all these updates, and then remove KB3172605 again.
2.) Detailed Steps to add a Registry Key on Windows 10 and Server 2012R2
As a workaround to enable weak Diffie-Hellman key exchanges, the following registry key must be added.
You can create this key manually with the Windows Registry Editor (type regedit.exe at a command prompt): click New Key with name = and then add a DWord entry with name ClientMinKeyBitLength and value 512 (decimal). Alternatively, paste the following text into Notepad, save the file as 'enable_weak_DH.reg', then double-click the file to add the key.
This setting becomes active immediately; no Windows reboot is required.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ClientMinKeyBitLength"=dword:00000200
It should look as follows in the Windows Registry Editor:
Removing the Key
You should delete this key by right-clicking on the key and selecting Delete.
This setting affects all Windows programs, so if you leave this key, your security is reduced.
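As an added example (not part of the original guide), the following PowerShell checks whether the workaround is still in place on a machine and can remove it. The function names are hypothetical, the 1024-bit threshold is the limit stated above, and the script removes only the ClientMinKeyBitLength value rather than the whole key, so that any other values under the same key are left alone.

```powershell
# Added example: audit and optionally remove the weak Diffie-Hellman workaround.
# Key path and value name are taken from the .reg text in this guide.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
$ValueName = 'ClientMinKeyBitLength'
$Floor     = 1024   # minimum DH key length per this guide

function Get-WeakDhOverride {
    # Hypothetical helper: reports whether the override exists and is below the floor.
    $state = [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Present   = $false
        BitLength = $null
        Weak      = $false
    }
    # Returns $null (error suppressed) when the key or the value does not exist.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $state.Present   = $true
        $state.BitLength = [int]$item.$ValueName
        $state.Weak      = $state.BitLength -lt $Floor
    }
    return $state
}

function Remove-WeakDhOverride {
    # Hypothetical helper: removes the value only when it weakens the client.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-WeakDhOverride
    if (-not $state.Weak) { return $state }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Remove registry value')) {
        # Requires an elevated session; -ErrorAction Stop surfaces access-denied errors.
        Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop
    }
    return Get-WeakDhOverride   # re-read so the caller sees the final state
}

# Report the current state; this part is read-only.
Get-WeakDhOverride | Format-List

# Preview the removal first, then run without -WhatIf to apply:
# Remove-WeakDhOverride -WhatIf
```

Running the read-only part across a fleet shows which machines still carry the reduced setting after the connection to the old server is no longer needed.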
Please help to improve this guide! If you note any new Windows updates or other workarounds to the above issue, please let us know at .