I have 2 Windows servers that have gone through a PCI lockdown, and after completing the lockdown and restarting the servers Duplicati is now failing with the error: An existing connection was forcibly closed by the remote host.
Please could someone advise on the cipher requirements for Duplicati so I can re-instate?
I have no idea what you mean by "requirements for Duplicati". Duplicati is connecting to an HTTP service through its .NET network stack, and the ciphers used are controlled centrally at the operating system level - else your changes would not have had any impact (if Duplicati was using a client-level custom network stack). So Duplicati doesn't connect to Duplicati, it is connecting to an Internet service called OneDrive.
What you have to do is go to an SSL verification service such as ssllabs (SSL Server Test (Powered by Qualys SSL Labs)), paste your service URL (that should be apis.live.net), check the ciphers used, compare them to the ones that you set up in your "PCI lockdown", and see which ones you can use.
It's whatever your Windows version needs for whatever SSL/TLS version it uses after the hint:
--allowed-ssl-versions (Flags): Sets allowed SSL versions
This option changes the default SSL versions allowed. This is an advanced
option and should only be used if you want to enhance security or work
around an issue with a particular SSL protocol.
* values: Ssl3, Tls, Tls11, Tls12, SystemDefault, Tls13
* default value: SystemDefault
If that doesn't get you there, then some lower-level network studies can be tried, e.g. in Wireshark.
Below is a sample Client Hello. The Server Hello response picks one, or possibly likes none.
Agree. If the client offers nothing that the server will take (which seems unlikely but maybe possible), connection will not be possible. For a faster test than backup, use Test connection for Destination.
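The comparison suggested in the replies above (the server's cipher suites against what the locked-down Windows host still offers), as an added PowerShell example that is not part of the original thread. It assumes Windows Server 2016 or later, where `Get-TlsCipherSuite` is available, and `$serverSuites` is a constructed sample list to be replaced with the suites shown for your destination host in the SSL Labs report.

```powershell
# Added example: compare the local Schannel configuration with what the server accepts.
# $serverSuites is a CONSTRUCTED sample; replace it with the suites listed for
# your destination host in the SSL Labs report.
$serverSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Cipher suites Schannel is configured to offer, in priority order.
$localSuites = (Get-TlsCipherSuite).Name
$common = @($localSuites | Where-Object { $serverSuites -contains $_ })

if ($common.Count -eq 0) {
    Write-Warning 'No cipher suite in common: the handshake cannot succeed.'
} else {
    'Suites both sides accept:'
    $common
}

# Client-side protocol switches under the Schannel registry key.
# A missing key or value means the OS default applies for that protocol.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$rows = foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
    $key = Join-Path $base "$proto\Client"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Protocol          = $proto
        Enabled           = if ($p -and $null -ne $p.Enabled) { $p.Enabled } else { 'not set' }
        DisabledByDefault = if ($p -and $null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { 'not set' }
    }
}
$rows | Format-Table -AutoSize
```

If the protocol table shows only versions the server does not accept, or the intersection is empty, the lockdown settings rather than Duplicati are what needs adjusting.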