Windows Ciphers causing backup to fail to onedrive

I have 2 Windows servers that have gone through a PCI lockdown, and after completing the lockdown and restarting the servers, Duplicati is now failing with the error: An existing connection was forcibly closed by the remote host.

Please could someone advise on the cipher requirements for Duplicati so I can re-instate?

I have no idea of what you can mean by ‘requirements for Duplicati’. Duplicati is connecting to an HTTP service through its .NET network stack, and the ciphers used are controlled centrally at the operating system level - else your changes would not have had any impact (if Duplicati was using a client-level custom network stack). So Duplicati doesn’t connect to Duplicati; it is connecting to an Internet service called OneDrive.
What you have to do is go to an SSL verification service such as ssllabs (SSL Server Test (Powered by Qualys SSL Labs)) and paste your service URL (that should be, check the used ciphers, compare them to the ones that you set up in your ‘PCI lockdown’, and see which ones you can use.

Cipher Suites in TLS/SSL (Schannel SSP)

It’s whatever your Windows version needs for whatever SSL/TLS version it uses after the hint:


  --allowed-ssl-versions (Flags): Sets allowed SSL versions
    This option changes the default SSL versions allowed. This is an advanced
    option and should only be used if you want to enhance security or work
    around an issue with a particular SSL protocol.
    * values: Ssl3, Tls, Tls11, Tls12, SystemDefault, Tls13
    * default value: SystemDefault

If that doesn’t get you there, then some lower-level network studies can be tried, e.g. in Wireshark.
Below is a sample Client Hello. The Server Hello response picks one, or possibly likes none.

Handshake Protocol: Client Hello
    Handshake Type: Client Hello (1)
    Length: 204
    Version: TLS 1.2 (0x0303)
    Random: 62cdee0ef2b2bb9fe3bdd4f5eb76bfe64f2e016f7f277cb725fe56a95fcb4b1c
    Session ID Length: 32
    Session ID: c009000026a26a04837660816e3cfa208a15149d85bcf3502d71d0b7b6743e7c
    Cipher Suites Length: 42
    Cipher Suites (21 suites)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
        Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
        Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
        Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
        Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
        Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
        Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
        Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)

The Illustrated TLS 1.2 Connection – Every byte explained and reproduced explains the interaction.
If you don’t care about the details, An overview of the SSL or TLS handshake is a simpler summary.
There is not really a client “ciphers requirement”, but one that the client and server can get a match.

Agree. If the client offers nothing that the server will take (which seems unlikely but maybe possible), connection will not be possible. For a faster test than backup, use Test connection for Destination.
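The matching described in the two replies above (the server picks one suite from the Client Hello, and no overlap means no connection), as an added example that is not part of the original thread. It parses `Cipher Suite:` lines in the Wireshark layout quoted earlier; the sample dump, the server list and the "lockdown" set are constructed for illustration and are not OneDrive's real configuration.

```python
import re

# Constructed input: "Cipher Suite:" lines in the layout Wireshark prints
# for a Client Hello (same layout as the dump quoted in the thread).
CLIENT_HELLO = """\
Cipher Suites (5 suites)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
"""

# Assumption: the server's accepted suites in its own preference order, as
# copied from an SSL Labs style report. Constructed values.
SERVER_ACCEPTS = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

# Matches "Cipher Suite: NAME (0xNNNN)" but not the "Cipher Suites ..." headers.
SUITE_RE = re.compile(r"Cipher Suite:\s+(\S+)\s+\(0x[0-9a-fA-F]{4}\)")

def offered_suites(dump):
    """Return suite names in the order the client offered them."""
    return [m.group(1) for m in SUITE_RE.finditer(dump)]

def negotiate(offered, server_accepts):
    """First server-preferred suite the client also offered, else None.
    Assumes the server applies its own preference order."""
    offered_set = set(offered)
    return next((s for s in server_accepts if s in offered_set), None)

def lockdown_report(dump, server_accepts, disabled):
    """Show what a hardening change removes and whether a match survives."""
    before = offered_suites(dump)
    after = [s for s in before if s not in disabled]
    return {
        "removed": [s for s in before if s in disabled],
        "chosen_before": negotiate(before, server_accepts),
        "chosen_after": negotiate(after, server_accepts),
    }

if __name__ == "__main__":
    # Hypothetical lockdown that disabled every GCM suite on the client.
    disabled = {s for s in offered_suites(CLIENT_HELLO) if "_GCM_" in s}
    for key, value in lockdown_report(CLIENT_HELLO, SERVER_ACCEPTS, disabled).items():
        print(key, "=", value)
```

A `chosen_after` of `None` corresponds to the handshake failing, which the client sees as the connection being closed by the remote host.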

Thank you all, I have now tested and can see what I’m missing.
