I use the built-in Web Publishing in Visual Studio 2017 with Web Deploy to deploy to internal websites. After the 15.9.3 upgrade, web deploy publishing now fails with the error:
---------------------------
Microsoft Visual Studio
---------------------------
Could not complete the request to remote agent URL 'https://[redacted]:8172/msdeploy.axd?site=[redacted]'.
The request was aborted: Could not create SSL/TLS secure channel.
---------------------------
OK
---------------------------
This DOES work with the exact same .sln file in Visual Studio 2015, so there is nothing intrinsically wrong with the server setup. The target server is Windows Server 2008 R2. There have been no other updates, etc.
So, what gives? How can I re-enable web deploy?
Based on @PanagiotisKanavos, the problem was enabling TLS 1.1 & TLS 1.2 for Windows Server 2008 R2. It appears the built-in Web Deploy as part of Visual Studio 2017 15.9.x upgrade no longer supported the now-outdated SSL 2.0.
In the end I followed the instructions for KB3140245, which included both an update and setting registry values (also immediately below, copied from that answer).
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
On x64-based computers, DefaultSecureProtocols must also be added to the Wow6432Node path:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
I also applied these registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
I probably went heavy-handed, so the above entries may not be required.
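To see which of the settings above are actually present on a server before or after applying them, here is a read-only audit sketch. It is an added example, not part of the original answer. It assumes the DefaultSecureProtocols bit flags documented in KB3140245, and the helper name Get-RegValue is made up for this example.

```powershell
# Added audit sketch: reads the registry only, changes nothing.
# Written to run on PowerShell 2.0 (the version shipped with Server 2008 R2).
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$winHttp  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)
# DefaultSecureProtocols bit flags as documented in KB3140245.
$flags = @{ 'SSL 2.0' = 0x8; 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }

function Get-RegValue($Path, $Name) {
    # Hypothetical helper: returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item -ne $null -and $item.PSObject.Properties[$Name]) { return $item.$Name }
    return $null
}

# SCHANNEL: per-protocol, per-role switches (the four keys listed in the answer).
foreach ($proto in 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        $key      = Join-Path $schannel "$proto\$role"
        $enabled  = Get-RegValue $key 'Enabled'
        $disabled = Get-RegValue $key 'DisabledByDefault'
        if ($enabled -eq $null -and $disabled -eq $null) {
            $state = 'not set (OS default applies)'
        } elseif ($enabled -eq 1 -and $disabled -eq 0) {
            $state = 'explicitly enabled'
        } else {
            $state = "Enabled=$enabled DisabledByDefault=$disabled"
        }
        "{0,-8} {1,-7} {2}" -f $proto, $role, $state
    }
}

# WinHTTP: decode the DefaultSecureProtocols bitmask in both registry views.
foreach ($path in $winHttp) {
    $value = Get-RegValue $path 'DefaultSecureProtocols'
    if ($value -eq $null) { "$path : DefaultSecureProtocols not set"; continue }
    $on = @($flags.Keys | Sort-Object | Where-Object { $value -band $flags[$_] })
    "{0} : 0x{1:X} = {2}" -f $path, $value, ($on -join ', ')
}
```

If the decoded WinHTTP line still lists SSL 2.0 or SSL 3.0, the mask is wider than this fix needs.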