K2 and TLS 1.2 Support

KB002500

PRODUCT
K2 Cloud
K2 Five
K2 blackpearl 4.7

 

Introduction

With the PCI Security Standards Council's move to Transport Layer Security (TLS) 1.2 on the 30th of June, 2018, various 3rd-party providers are disabling the use of older TLS and SSL protocol versions in their products. 

K2 integrates with many 3rd-party providers such as Microsoft SharePoint, DocuSign, and SalesForce. With the PCI move to TLS 1.2, communication errors may occur when a K2 solution is integrated with these providers and the system on which K2 runs is NOT configured for TLS 1.2.

All machines running K2 components (for example, K2 server, K2 websites) require Transport Layer Security (TLS) version 1.2. Although TLS 1.3 can exist on these machines in addition to TLS 1.2, TLS 1.3 is not fully supported by K2. K2 will not operate as expected in environments where TLS 1.3 is the only configuration available. TLS 1.3 is currently only supported by Windows 11 and Windows Server 2022. For more information, see this article: Protocols in TLS/SSL (Schannel SSP)

Configuring TLS 1.2

K2 runs under the .NET 4.6 runtime, which fully supports TLS 1.2 for both server (inbound) and client (outbound) connections.

If the server on which K2 is installed is not correctly configured for TLS 1.2, errors may occur. Below is an example of an error that may occur when TLS 1.2 is not configured correctly:

    The underlying connection was closed. An unexpected error occurred on a send.

To avoid these issues you have two options:

  • Minimum Requirement: Make sure that the K2 server can communicate with other services that only allow TLS 1.2
  • Maximum Protection: Force the entire server to only allow TLS 1.2 connections so that incoming and outgoing connections use this higher level of security

These changes are .NET and system-wide settings and affect all .NET applications on the server, not just K2. Make and test these changes in a non-production environment first so that you don't unexpectedly break other systems that may not support TLS 1.2.

Editing the registry incorrectly can cause system instability or crashes. You should back up the registry before making any changes, and you should be familiar with editing the registry before adding or modifying these keys.

Once you make these changes you need to restart the entire server for them to take effect.
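As an added check (example code, not from the K2 article or Nintex), the following PowerShell script reads back the .NET and SCHANNEL values the Minimum Requirement section asks for, shows which protocols this .NET runtime offers by default, and attempts a handshake pinned to TLS 1.2 against a provider. The host name is a placeholder you replace with the endpoint K2 actually talks to; run it before and after the registry changes and reboot to see the difference.

```powershell
# Added example (not from the K2 article): diagnose the outbound TLS posture of a K2 server.
# Run in Windows PowerShell 5.1 (.NET Framework) on the K2 server. $TargetHost is a placeholder;
# use the TLS 1.2-only provider that K2 integrates with.
param(
    [string]$TargetHost = 'tls12-only.example.com',   # placeholder, not a real endpoint
    [int]$Port = 443
)

# 1. Read-only report of values from the Minimum Requirement section (nothing is written).
$expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SystemDefaultTlsVersions'; Want = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SystemDefaultTlsVersions'; Want = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto';       Want = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'Enabled';           Want = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'DisabledByDefault'; Want = 0 }
)
foreach ($e in $expected) {
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    $status = if ($null -eq $actual) { 'MISSING (built-in default applies)' } elseif ($actual -eq $e.Want) { 'OK' } else { "MISMATCH (found $actual, expected $($e.Want))" }
    Write-Host ("{0} : {1}\{2}" -f $status, $e.Path, $e.Name)
}

# 2. Protocols this .NET runtime offers when an application does not pin one itself, which is the
#    case SystemDefaultTlsVersions exists for. 'Ssl3, Tls' is the legacy default and excludes TLS 1.2;
#    'SystemDefault' means the OS (SCHANNEL) protocol list is being honoured.
Write-Host "ServicePointManager.SecurityProtocol = $([Net.ServicePointManager]::SecurityProtocol)"

# 3. Handshake restricted to TLS 1.2, i.e. what a TLS 1.2-only provider will accept. Because the
#    protocol is pinned here, this exercises SCHANNEL's TLS 1.2 client support, not the .NET defaults.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($TargetHost, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($TargetHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
    Write-Host ("TLS 1.2 handshake to {0}:{1} succeeded ({2}, {3})" -f $TargetHost, $Port, $ssl.SslProtocol, $ssl.CipherAlgorithm)
} catch {
    # A failure here, together with MISSING/MISMATCH entries above, is the situation behind
    # "The underlying connection was closed. An unexpected error occurred on a send."
    Write-Warning ("TLS 1.2 handshake to {0}:{1} failed: {2}" -f $TargetHost, $Port, $_.Exception.Message)
} finally {
    $tcp.Close()
}
```

Step 2 is the one that matters for K2 itself: an application that relies on the runtime defaults only gets TLS 1.2 once the .NET keys are in place, even if step 3 already succeeds.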
 

Minimum Requirement

To implement the minimum requirement, add or edit the following keys in your K2 server's registry:

Registry Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727
Value: SystemDefaultTlsVersions
Data Type: DWORD
Data: 00000001

Registry Path: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727
Value: SystemDefaultTlsVersions
Data Type: DWORD
Data: 00000001

Registry Path:
Value: SchUseStrongCrypto
Data Type: DWORD
Data: 00000001

Registry Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
Value: SystemDefaultTlsVersions
Data Type: DWORD
Data: 00000001

Registry Path: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
Value: SchUseStrongCrypto
Data Type: DWORD
Data: 00000001

Registry Path: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
Value: SystemDefaultTlsVersions
Data Type: DWORD
Data: 00000001

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Value: DisabledByDefault
Data Type: DWORD
Data: 00000000

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Value: Enabled
Data Type: DWORD
Data: 00000001

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
Value: DisabledByDefault
Data Type: DWORD
Data: 00000000

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
Value: Enabled
Data Type: DWORD
Data: 00000001

 

Maximum Protection

To implement the maximum protection for all .NET apps on the K2 server, including K2, configure all settings as listed in the Minimum Requirement section above, and then also add or edit the following keys in your K2 server's registry:

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
Value: DisabledByDefault
Data Type: DWORD
Data: 00000001

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
Value: Enabled
Data Type: DWORD
Data: 00000000

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
Value: DisabledByDefault
Data Type: DWORD
Data: 00000001

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
Value: Enabled
Data Type: DWORD
Data: 00000000

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
Value: DisabledByDefault
Data Type: DWORD
Data: 00000001

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
Value: Enabled
Data Type: DWORD
Data: 00000000

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
Value: DisabledByDefault
Data Type: DWORD
Data: 00000001

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
Value: Enabled
Data Type: DWORD
Data: 00000000

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
Value: DisabledByDefault
Data Type: DWORD
Data: 00000001

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
Value: Enabled
Data Type: DWORD
Data: 00000000

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
Value: DisabledByDefault
Data Type: DWORD
Data: 00000001

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
Value: Enabled
Data Type: DWORD
Data: 00000000

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Value: DisabledByDefault
Data Type: DWORD
Data: 00000000

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Value: Enabled
Data Type: DWORD
Data: 00000001

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
Value: DisabledByDefault
Data Type: DWORD
Data: 00000000

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
Value: Enabled
Data Type: DWORD
Data: 00000001
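The following PowerShell script is an added example (not from the K2 article or Nintex) that applies the Minimum Requirement values, and with -MaximumProtection the Maximum Protection values as well, in one idempotent pass with a registry backup. It goes slightly beyond the article's tables: it writes both SystemDefaultTlsVersions and SchUseStrongCrypto under all four .NET Framework keys (v2.0.50727 and v4.0.30319, native and Wow6432Node), which is Microsoft's published guidance for .NET 3.5 and 4.x applications. The backup directory is an assumption; -WhatIf previews the changes without writing anything.

```powershell
# Added example (not from the K2 article): apply the article's TLS 1.2 registry values.
# Assumptions: Windows PowerShell 5.1 on the K2 server, run as Administrator, server restarted
# afterwards as the article requires. $BackupDir is an assumption. Use -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$MaximumProtection,                              # also disable SSL 3.0, TLS 1.0 and TLS 1.1
    [string]$BackupDir = "$env:ProgramData\tls-reg-backup"   # where reg.exe exports go (assumption)
)

$netRoots = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Minimum requirement: .NET follows the OS protocol list, strong crypto on, TLS 1.2 enabled in SCHANNEL.
$settings = New-Object System.Collections.ArrayList
foreach ($root in $netRoots) {
    [void]$settings.Add(@{ Path = $root; Name = 'SystemDefaultTlsVersions'; Data = 1 })
    [void]$settings.Add(@{ Path = $root; Name = 'SchUseStrongCrypto';       Data = 1 })
}
foreach ($side in 'Client', 'Server') {
    [void]$settings.Add(@{ Path = "$protocols\TLS 1.2\$side"; Name = 'DisabledByDefault'; Data = 0 })
    [void]$settings.Add(@{ Path = "$protocols\TLS 1.2\$side"; Name = 'Enabled';           Data = 1 })
}

# Maximum protection: additionally switch off every older protocol, inbound and outbound.
if ($MaximumProtection) {
    foreach ($old in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        foreach ($side in 'Client', 'Server') {
            [void]$settings.Add(@{ Path = "$protocols\$old\$side"; Name = 'DisabledByDefault'; Data = 1 })
            [void]$settings.Add(@{ Path = "$protocols\$old\$side"; Name = 'Enabled';           Data = 0 })
        }
    }
}

# Back up the affected keys with reg.exe before changing anything (skipped under -WhatIf).
if (-not $WhatIfPreference) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' "$BackupDir\schannel-$stamp.reg" /y | Out-Null
    reg.exe export 'HKLM\SOFTWARE\Microsoft\.NETFramework' "$BackupDir\netfx64-$stamp.reg" /y | Out-Null
    reg.exe export 'HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework' "$BackupDir\netfx32-$stamp.reg" /y | Out-Null
}

# Apply idempotently: create missing keys, leave matching values alone, report every change.
$changed = 0
foreach ($s in $settings) {
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($current -eq $s.Data) { continue }
    if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "set DWORD to $($s.Data) (was '$current')")) {
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Data -Force | Out-Null
        $changed++
    }
}
Write-Host "$changed value(s) changed. Restart the server for SCHANNEL and .NET to pick them up."
```

Run it with -WhatIf first in the non-production environment so the list of values that would change is visible before anything is written; the SCHANNEL changes in particular affect every TLS client and server on the box, not only K2.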

Considerations

  • If you see errors like "Initialization failed before PreInit: Membership could not be verified: A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: TCP Provider, error: 0 - An existing connection was forcibly closed by the remote host.)", it might mean that one of the app pools used for a K2 site is still set to use an earlier version of the .NET framework. Use IIS Management to identify the .NET version associated with the App Pools linked to the K2 sites. You may find it necessary to set these App Pools (K2_net4) to use a later version of .NET (e.g. .NET 4.0) that supports TLS 1.2+.
    The legacy K2 Web Service components App Pool (K2) must run on the .NET CLR version v2.0.50727. Changing this will cause issues.
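To make the app-pool check above repeatable, here is an added PowerShell example (not from the K2 article or Nintex) that lists every IIS application pool with its CLR version and which sites and applications use it, and flags pools still on the 2.0 CLR. It assumes the WebAdministration module is available on the K2 server, and that the legacy K2 Web Service pool is named K2 and the K2 site pool K2_net4 as in the article; pool names in other environments may differ.

```powershell
# Added example (not from the K2 article): audit IIS application pool CLR versions.
# Assumptions: IIS with the WebAdministration module on the K2 server; the legacy K2 Web Service
# pool is named 'K2' and must stay on the 2.0 CLR (v2.0.50727), per the article.
Import-Module WebAdministration

$mustStayLegacy = @('K2')   # pools the article says must remain on the .NET 2.0 CLR

# Map each pool to the sites and applications that run in it, so the impact of a change is visible.
$consumers = @{}
foreach ($site in Get-Website) {
    $consumers[$site.applicationPool] += @("site:$($site.Name)")
}
foreach ($app in Get-WebApplication) {
    $consumers[$app.applicationPool] += @("app:$($app.path)")
}

foreach ($pool in Get-ChildItem IIS:\AppPools) {
    # 'v2.0' = CLR 2.0.50727, 'v4.0' = CLR 4.0.30319, '' = No Managed Code
    $clr = $pool.managedRuntimeVersion
    $verdict = if ($clr -eq 'v2.0' -and $mustStayLegacy -contains $pool.Name) {
        'OK - legacy K2 Web Service pool, leave on v2.0'
    } elseif ($clr -eq 'v2.0') {
        'REVIEW - CLR 2.0 pool; move to v4.0 if it hosts a K2 site'
    } elseif ($clr -eq '') {
        'OK - no managed code'
    } else {
        'OK'
    }
    [pscustomobject]@{
        Pool    = $pool.Name
        CLR     = $clr
        UsedBy  = ($consumers[$pool.Name] -join ', ')
        Verdict = $verdict
    }
}
```

Pipe the output to Format-Table -AutoSize for a readable report; any REVIEW row that carries a K2 site is a candidate for the pre-login handshake error described above.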
