WSUS can't download updates - has the TLS version used by update.microsoft.com changed?

  • Sunday, January 20, 2013 4:41 PM
     
     

    Hi all,

    We have WSUS running on Windows Server 2k8R2 as part of SCE2010. Recently synchronisations with update.microsoft.com have been failing (i.e., WSUS isn't downloading new updates - this is nothing to do with clients updating themselves from WSUS).

    A little investigation showed that we couldn't reach update.microsoft.com in IE until we enabled TLS versions greater than 1.0 (it worked fine in other browsers). A packet capture shows that WSUS tries https://update.microsoft.com via TLS 1.0 - after seeing this TLS version in the SSL client hello, the server sends a TCP RST and closes the connection.

    It would seem that, from these observations, https://update.microsoft.com requires TLS versions > 1.0, and WSUS isn't meeting this requirement.

    Is this correct? How can I force WSUS to use TLS 1.1 or 1.2?

    many thanks,
    alec
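
    Added example, not code from the original poster or from WSUS: a small Python probe that reproduces the exchange seen in the packet capture described above. It sends a minimal ClientHello for TLS 1.0, 1.1 and 1.2 in turn and classifies what comes back (ServerHello with the negotiated version, a TLS alert, a plain FIN, or a TCP RST after the ClientHello). The host name and port are parameters; the cipher-suite and extension lists are assumptions chosen to be broadly acceptable rather than anything the thread specifies. Run it on the WSUS server itself so the test takes the same network path WSUS does, then from another vantage point, and compare.

```python
"""Probe which TLS versions a server will negotiate, one ClientHello per version.
Added example for this thread, not code from WSUS or the original poster."""
import os
import socket
import struct
import sys

# (major, minor) protocol numbers carried in the ClientHello body.
TLS_VERSIONS = {"TLS 1.0": (3, 1), "TLS 1.1": (3, 2), "TLS 1.2": (3, 3)}

# Assumed cipher-suite offer: ECDHE and RSA suites with AES/3DES so that both
# 2013-era and current servers have something they can pick.
CIPHER_SUITES = [0xC02F, 0xC030, 0xC027, 0xC028, 0xC013, 0xC014,
                 0x009C, 0x003C, 0x002F, 0x0035, 0x000A]

ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def _extension(ext_type, data):
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(version, server_name, client_random=None):
    """Return the bytes of one TLS record holding a ClientHello for `version`."""
    major, minor = TLS_VERSIONS[version]
    client_random = client_random or os.urandom(32)
    host = server_name.encode("idna")
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host          # server_name
    groups = struct.pack("!HHHH", 6, 0x001D, 0x0017, 0x0018)                 # x25519, P-256, P-384
    extensions = (_extension(0x0000, sni) + _extension(0x000A, groups)
                  + _extension(0x000B, b"\x01\x00"))                          # ec_point_formats: uncompressed
    if (major, minor) >= (3, 3):
        # signature_algorithms is TLS 1.2-only: RSA/ECDSA with SHA-256/384/512 and SHA-1.
        algs = [0x0401, 0x0501, 0x0601, 0x0403, 0x0503, 0x0201]
        extensions += _extension(0x000D, struct.pack("!H", 2 * len(algs))
                                 + b"".join(struct.pack("!H", a) for a in algs))
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (struct.pack("!BB", major, minor) + client_random + b"\x00"       # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                                      # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body             # type=client_hello, 24-bit length
    # The record-layer version stays 3,1 for the first flight (RFC 5246 appendix E);
    # the version the server acts on is the one in the handshake body, at offset 9.
    return struct.pack("!BBBH", 0x16, 3, 1, len(handshake)) + handshake


def classify_reply(data):
    """Classify the first record the server sent back (pure function, no I/O)."""
    if not data:
        return "closed (FIN, no TLS record)"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:               # handshake / server_hello
        by_number = {v: k for k, v in TLS_VERSIONS.items()}
        return "ServerHello " + by_number.get((data[9], data[10]), "unknown %d.%d" % (data[9], data[10]))
    if data[0] == 0x15 and len(data) >= 7:                                    # alert: level, description
        return "alert %s (%d)" % (ALERT_NAMES.get(data[6], "code"), data[6])
    return "unexpected record type 0x%02x" % data[0]


def _recv_head(sock, want=11):
    """Read up to `want` bytes; keep whatever arrived if the peer resets mid-read."""
    buf = b""
    try:
        while len(buf) < want:
            chunk = sock.recv(want - len(buf))
            if not chunk:
                break
            buf += chunk
    except ConnectionResetError:
        if not buf:
            raise
    return buf


def probe(host, port=443, timeout=5.0):
    """Try each version against host:port; a TCP RST is reported as such."""
    results = {}
    for version in TLS_VERSIONS:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(version, host))
                results[version] = classify_reply(_recv_head(sock))
        except ConnectionResetError:
            results[version] = "TCP RST after ClientHello"
        except socket.timeout:
            results[version] = "timeout"
    return results


if __name__ == "__main__":
    for version, outcome in probe(sys.argv[1] if len(sys.argv) > 1 else "update.microsoft.com").items():
        print("%s: %s" % (version, outcome))
```

    The distinction the probe draws matters for the diagnosis: a server that genuinely refuses a version answers with a protocol_version or handshake_failure alert (or, at worst, a FIN), whereas a bare TCP RST immediately after the ClientHello is also what a firewall or TLS-inspecting proxy produces when it drops the session, so the RST alone does not say who sent it.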

All Replies

  • Sunday, January 20, 2013 10:17 PM
     
     

    The error reported by WSUS ties up nicely with the observations from the packet capture:

    WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
       at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
       at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
       at Microsoft.UpdateServices.ServerSync.ServerSyncCompressionProxy.GetWebResponse(WebRequest webRequest)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
       at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
       at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
       at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
       at Microsoft.UpdateServices.Serve

    How can I force the TLS version used by WSUS to be > 1.0?

    many thanks,

    alec

  • Tuesday, January 22, 2013 1:28 AM
    Moderator
     
     Answered

    How can I force WSUS to use TLS 1.1 or 1.2?

    I am not aware of any such changes, and given that WSUS v3 SP2 is still supported on Windows Server 2003 (which does not have access to the newer versions of TLS), making that change would immediately break every WSUS server installed on Windows Server 2003. So, I suspect this is not a TLS issue, but may be manifesting as a failing SSL connection in the process:

    • Have you applied all of the recent patches to the WSUS server? to Windows Server 2008 R2? to SCE2010?
    • If you install a fresh WSUS3SP2 on Win2008R2, with all of the OS and WSUS patches, can you reproduce the issue?
    • Have you investigated all of the intervening devices between the WSUS server and the Internet? Are you sure the TCP RST is coming from update.microsoft.com, and not from something in between?

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.
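
    Added example, not part of the original thread, for the moderator's last question (is the RST really from update.microsoft.com?): a Python check that compares the IP TTL of the server's SYN-ACK with the TTL of every RST sourced from the same address in a capture. A RST the server itself sent has travelled the same path as the SYN-ACK and arrives with the same TTL; a RST forged by a firewall or inspecting proxy between the WSUS server and the Internet is usually off by the difference in hop count, and often carries an IP ID that does not fit the server's sequence (the ID is reported so it can be eyeballed). The packets below are constructed, with RFC 5737 documentation addresses, to show both outcomes; with a real capture, feed the function the raw IPv4 packets and leave pcap framing and link-layer decoding to the capture tool. It is a heuristic, not proof: load balancers or anycast can also change the TTL, so a mismatch is a lead to chase and a match is supporting evidence.

```python
"""Compare the TTL (and IP ID) of a server's SYN-ACK with any RST that claims to
come from the same address. Added example for this thread; the packets below are
constructed samples, not the poster's capture."""
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_packet(src, dst, ttl, ip_id, flags, sport, dport, seq=0, ack=0):
    """Minimal IPv4+TCP packet (no options, checksums left zero) used only for sample data."""
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, ttl, 6, 0,
                            _ip_bytes(src), _ip_bytes(dst))
    tcp_header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    return ip_header + tcp_header


def parse_packet(raw):
    """Pull the fields the check needs out of a raw IPv4+TCP packet (no link-layer header)."""
    ihl = (raw[0] & 0x0F) * 4
    tcp = raw[ihl:]
    seq, ack = struct.unpack("!II", tcp[4:12])
    return {
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "ttl": raw[8],
        "ip_id": struct.unpack("!H", raw[4:6])[0],
        "flags": tcp[13],
        "seq": seq,
        "ack": ack,
    }


def rst_origin_report(packets, server_ip):
    """For each RST sourced from server_ip, compare its TTL with the server's own SYN-ACK.

    Same TTL as the SYN-ACK: the RST took the same path, consistent with the server.
    Different TTL: something closer (or further) than the server emitted it.
    Heuristic only; multi-homed or anycast services can legitimately vary.
    """
    from_server = [p for p in map(parse_packet, packets) if p["src"] == server_ip]
    syn_acks = [p for p in from_server if (p["flags"] & (SYN | ACK)) == (SYN | ACK)]
    if not syn_acks:
        raise ValueError("no SYN-ACK from %s in capture" % server_ip)
    reference = syn_acks[0]
    report = []
    for p in from_server:
        if not (p["flags"] & RST):
            continue
        if p["ttl"] == reference["ttl"]:
            verdict = "TTL matches SYN-ACK: consistent with the server itself"
        else:
            verdict = "TTL differs from SYN-ACK: possibly injected by an intermediate device"
        report.append({"ttl": p["ttl"], "ref_ttl": reference["ttl"],
                       "ip_id": p["ip_id"], "verdict": verdict})
    return report


# Constructed sample (RFC 5737 addresses): handshake, then two RSTs to contrast.
SERVER, WSUS = "203.0.113.10", "192.0.2.20"
SAMPLE_CAPTURE = [
    build_packet(WSUS, SERVER, 128, 0x1001, SYN, 50000, 443, seq=1000),
    build_packet(SERVER, WSUS, 115, 0x2A10, SYN | ACK, 443, 50000, seq=5000, ack=1001),
    build_packet(WSUS, SERVER, 128, 0x1002, ACK, 50000, 443, seq=1001, ack=5001),
    # The ClientHello from WSUS would sit here; the RSTs that follow are what is examined.
    build_packet(SERVER, WSUS, 61, 0x0000, RST | ACK, 443, 50000, seq=5001, ack=1201),   # TTL 61: does not fit
    build_packet(SERVER, WSUS, 115, 0x2A11, RST | ACK, 443, 50000, seq=5001, ack=1201),  # TTL 115: fits
]

if __name__ == "__main__":
    for entry in rst_origin_report(SAMPLE_CAPTURE, SERVER):
        print(entry)
```

    A complementary check that needs no code is to run the same TLS connection attempt from a host outside the corporate edge (or from the WSUS server with the proxy and any SSL-inspection exemption applied) and see whether the RST disappears; if it does, the answer to the moderator's question is "something in between".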