TLS support for Duo applications and TLS 1.0 and 1.1 end of service

akoretsky
Level 1

Struggling to make duo-rdgateway-2.3.0 connect from my RDP gateway (Windows Server 2012R2) to Duo. Followed the TLS 1.2 enablement guidelines and observe the test below reaching Duo successfully with TLS 1.2 in the network traces. However, all connection attempts by the DuoTsgPlugIn.dll are initiated with TLS v1.

IIS Crypto shows only 1.2 enabled. Any suggestions how to tell DuoTsgPlugIn to use 1.2?


StatusCode : 200
StatusDescription : OK
Content : {"response": {"time": 1689651728}, "stat": "OK"}
RawContent : HTTP/1.1 200 OK

5 Replies

DuoKristina
Cisco Employee

IISCrypto shows the OS settings. Did you also verify that TLS 1.2 is on for the .NET used by Duo TSG via the registry?

See here: https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client#bkmk_net

Guide to TLS support for Duo applications and TLS 1.0 and 1.1 end of support 

We have a PowerShell script that will check all the registry settings for crypto and output the current values. See here: How do I use the Support Script for Duo's Windows Applications? 

Duo, not DUO.

Thank you. I went through the https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client#bkmk_net doc several times. Ran the PowerShell script, and it shows 1s in the .NET settings. Several reboots and uninstall/install of duo-rdgateway-2.3.0.msi. Still failing, with TSG to Duo network traces showing TLSV1.


7/19/2023 9:39:10 PM - System Proxy: No System Proxy
7/19/2023 9:39:10 PM - Browser Proxy: No Browser Proxy
7/19/2023 9:39:10 PM - ==============================================================================
7/19/2023 9:39:10 PM - TLS Check
7/19/2023 9:39:10 PM - ==============================================================================
7/19/2023 9:39:10 PM - TLS 1.0 DisabledByDefault: 1
7/19/2023 9:39:10 PM - TLS 1.0 Enabled path does not exist in the registry
7/19/2023 9:39:10 PM - TLS 1.1 DisabledByDefault: 1
7/19/2023 9:39:10 PM - TLS 1.1 Enabled path does not exist in the registry
7/19/2023 9:39:10 PM - TLS 1.2 DisabledByDefault: 0
7/19/2023 9:39:10 PM - TLS 1.2 Enabled: 1
7/19/2023 9:39:10 PM - TLS 1.3 path does not exist in the registry
7/19/2023 9:39:10 PM - SSL 2.0 DisabledByDefault: 1
7/19/2023 9:39:10 PM - SSL 2.0 Enabled: 0
7/19/2023 9:39:10 PM - SSL 3.0 DisabledByDefault path does not exist in the registry
7/19/2023 9:39:10 PM - SSL 3.0 Enabled path does not exist in the registry
7/19/2023 9:39:10 PM - ==============================================================================
7/19/2023 9:39:10 PM - Strong Cryptography Check
7/19/2023 9:39:10 PM - ==============================================================================
7/19/2023 9:39:10 PM - HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 SystemDefaultTlsVersions is: 1
7/19/2023 9:39:10 PM - HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 SchUseStrongCrypto is: 1
7/19/2023 9:39:10 PM - HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 SystemDefaultTlsVersions is: 1
7/19/2023 9:39:10 PM - HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 SchUseStrongCrypto is: 1
7/19/2023 9:39:10 PM - ==============================================================================
7/19/2023 9:39:10 PM - DUO API check
7/19/2023 9:39:10 PM - ==============================================================================
7/19/2023 9:39:11 PM - Connectivity Response to Duo API : HTTP/1.1 200 OK
Connection: keep-alive
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: default-src 'self'; frame-src 'self' ; img-src 'self' ; connect-src 'self'
Content-Length: 48
Cache-Control: no-store
Content-Type: application/json
Date: Thu, 20 Jul 2023 02:39:10 GMT
ETag: "06c8931652e71fd2e63d2172634cf284b90530c5"
Server: Duo/1.0

{"response": {"time": 1689820750}, "stat": "OK"}
7/19/2023 9:39:11 PM - ==============================================================================
7/19/2023 9:39:11 PM - Custom API check
7/19/2023 9:39:11 PM - ==============================================================================
7/19/2023 9:39:11 PM - HKLM:\SOFTWARE\Duo Security\DuoADFS path does not exist in the registry
7/19/2023 9:39:11 PM - HKLM:\SOFTWARE\Duo Security\DuoRdweb path does not exist in the registry
7/19/2023 9:39:11 PM - HKLM:\SOFTWARE\Duo Security\DuoTsg does not have a Version or DuoVersion property
7/19/2023 9:39:11 PM - HKLM:\SOFTWARE\Duo Security\DuoOwa path does not exist in the registry
7/19/2023 9:39:11 PM - HKLM:\SOFTWARE\Duo Security\DuoIis path does not exist in the registry
7/19/2023 9:39:11 PM - Connectivity Response to Duo HKLM:\SOFTWARE\Duo Security\DuoTsg : HTTP/1.1 200 OK
Connection: keep-alive
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: default-src 'self'; frame-src 'self' ; img-src 'self' ; connect-src 'self'
Content-Length: 48
Cache-Control: no-store
Content-Type: application/json
Date: Thu, 20 Jul 2023 02:39:11 GMT
ETag: "e2b881b41e7d1ca1f9ef0ab97519725f82b8b47c"
Server: Duo/1.0

{"response": {"time": 1689820751}, "stat": "OK"}
7/19/2023 9:39:11 PM - ==============================================================================
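
An added check for the situation above (a script written for this page; it is not Duo's support script and not Duo code). Kristina's point is that the OS-level view from IIS Crypto and the .NET registry view are separate, and the support script output just posted shows a third distinction worth knowing: for TLS 1.0 and 1.1 it reports DisabledByDefault = 1 but no Enabled value. In SCHANNEL, DisabledByDefault = 1 only removes a protocol from the default set; a caller that names the version explicitly (for example, .NET code that sets ServicePointManager.SecurityProtocol to Tls) can still negotiate it unless Enabled is 0. The script reads the SCHANNEL Client subkeys and the .NET SystemDefaultTlsVersions / SchUseStrongCrypto values, including the Wow6432Node copies a 32-bit process would read (the thread does not say whether the TSG plugin runs as 32- or 64-bit, so both views are listed), and can then attempt a handshake to a host you supply while explicitly requesting each TLS version, which shows what SCHANNEL actually permits. The api-XXXXXXXX.duosecurity.com hostname is a placeholder you must replace with your own Duo API hostname; the function and variable names are this example's own.

```powershell
# Added example for this thread, not Duo's support script. Run in an elevated
# PowerShell on the RD Gateway host. Read-only: it changes no registry values.

$ErrorActionPreference = 'Stop'

# Returns a registry value, or $null if the key or the value is absent.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Show-Value($v) { if ($null -eq $v) { 'absent' } else { $v } }

# --- 1. SCHANNEL client-side policy ------------------------------------------
# Enabled=0 blocks the protocol for every caller. DisabledByDefault=1 only
# removes it from the default set; a caller that names the version explicitly
# can still negotiate it. "absent" means the OS default applies.
$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

Write-Output '== SCHANNEL Client subkeys =='
foreach ($p in $protocols) {
    $client  = Join-Path $schannel "$p\Client"
    $enabled = Get-RegValue $client 'Enabled'
    $dbd     = Get-RegValue $client 'DisabledByDefault'
    $state = if ($enabled -eq 0) { 'hard-disabled for all callers' }
             elseif ($dbd -eq 1) { 'off by default, still available on explicit request' }
             elseif ($null -eq $enabled -and $null -eq $dbd) { 'OS default (no override set)' }
             else { 'enabled' }
    '{0,-8} Enabled={1,-7} DisabledByDefault={2,-7} {3}' -f $p, (Show-Value $enabled), (Show-Value $dbd), $state
}

# --- 2. .NET Framework opt-in values -----------------------------------------
# SystemDefaultTlsVersions=1 makes .NET Framework 4.6+ (or 4.5.x with the
# Microsoft update that backports it) follow the SCHANNEL defaults above.
# SchUseStrongCrypto=1 replaces the legacy .NET default protocol set, which
# excluded TLS 1.1/1.2. A 32-bit process reads the Wow6432Node copies.
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'
)
Write-Output "`n== .NET Framework registry values =="
foreach ($k in $netKeys) {
    $sd = Get-RegValue $k 'SystemDefaultTlsVersions'
    $sc = Get-RegValue $k 'SchUseStrongCrypto'
    Write-Output $k
    Write-Output ('    SystemDefaultTlsVersions={0}  SchUseStrongCrypto={1}' -f (Show-Value $sd), (Show-Value $sc))
}

# --- 3. Optional: what SCHANNEL actually lets a .NET caller negotiate ---------
# Explicitly requests one protocol version against a host. Success proves the
# client side still permits that version, whatever the registry suggested; a
# failure is ambiguous because the server may have refused it too.
function Test-ExplicitTlsVersion {
    param(
        [string]$TargetHost,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($TargetHost, 443)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $false)
        return "negotiated $($ssl.SslProtocol)"
    } catch {
        return "refused: $($_.Exception.GetBaseException().Message)"
    } finally {
        $tcp.Close()
    }
}

# Placeholder: replace with your own Duo API hostname from the Admin Panel.
$apiHost = 'api-XXXXXXXX.duosecurity.com'
if ($apiHost -like '*XXXXXXXX*') {
    Write-Output "`nSet `$apiHost to your Duo API hostname to run the handshake probe."
} else {
    Write-Output "`n== Explicit-version handshakes to $apiHost =="
    foreach ($v in 'Tls', 'Tls11', 'Tls12') {   # Tls is TLS 1.0 in SslProtocols
        $proto = [System.Security.Authentication.SslProtocols]$v
        '{0,-6} {1}' -f $v, (Test-ExplicitTlsVersion -TargetHost $apiHost -Protocol $proto)
    }
}
```

If section 1 prints "off by default, still available on explicit request" for TLS 1.0 while a capture shows the plugin sending a TLS 1.0 ClientHello, the caller is most likely asking for that version explicitly rather than inheriting the OS default; setting Enabled to 0 under the TLS 1.0 and 1.1 Client subkeys is the hard block, and a packet capture (or the section 3 probe with `Tls`) after that change is the test that the block actually applies to this process.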


Hmm, weird. I recommend you open a case with Duo Support if you have not already. You can send your packet capture and the script output to the technical support engineer.

Duo, not DUO.

Thank you, Kristina. It does not look like the account tier I am using offers any form of support.


Try emailing support@duo.com.

Duo, not DUO.