SafeExamBrowser / seb-win

Safe Exam Browser 2.x for Windows. IMPORTANT: This is the legacy version which isn't actively developed anymore.
https://safeexambrowser.org/windows/win_usermanual_en.html

Server enforcing TLS 1.2 can't host seb-files for Windows #81

Closed Krisell closed 4 years ago

Krisell commented 5 years ago

Description

I have encountered some weird behavior and I think I have tracked down the cause. seb-files hosted on a server which enforces TLS 1.2 don't work on SEB for Windows. When following an sebs://-link, the error message "Opening the SEB link failed. Check your internet connection and try again" is shown.

Steps to Reproduce

Host an seb-file on a server which enforces TLS 1.2.

Here's the exact same settings file (default SEB settings), hosted on two identical servers except that one of them enforces TLS 1.2:

sebs://tls-12.azurewebsites.net/default.seb

sebs://tls-11.azurewebsites.net/default.seb

I'm not sure for how long I'll be able to keep these domains, so please tell me if you find other ways to reproduce the issue.

Expected Behavior

SEB can handle TLS 1.2 connections.

Version Information

Additional Context

The SEB log file mentions the same error message as here: https://stackoverflow.com/questions/34808830/tls-1-2-error-with-c-sharp-net-the-underlying-connection-was-closed-an-unexp

danschlet commented 5 years ago

Did you check if TLS 1.2 connections work for regular web pages? Or is it only a problem when downloading an .seb file?

Krisell commented 5 years ago

Here's an SEB file which is served under TLS 1.1 but uses a start-URL at a TLS 1.2-server:

sebs://tls-11.azurewebsites.net/tls12.seb

The start-URL is https://tls-12.azurewebsites.net/index.html

This works without problem. I also added a link to download a normal file from the TLS 1.2-server at this start-url, and this also works.

My guess is the problem is the initial downloading of the settings file, not the fact that it is an SEB-file. I can check with configuring my SEB-client without lockdown and then try to reconfigure using a TLS 1.2-file.

danschlet commented 5 years ago

Ok, so I guess it’s not a problem of the embedded SEB Firefox browser, but the .NET method which is downloading the .seb file when SEB is started using a sebs:// link. Should hopefully be easy to fix using some configuration property.
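For diagnosing this kind of failure outside SEB, the following is an added example, not SEB's code and not the fix that was later shipped. It assumes a .NET Framework console application and the `ServicePointManager`-based HTTP stack (`HttpWebRequest`); the URL is a placeholder, and the class and method names are hypothetical. It probes which TLS versions a download succeeds with, then applies the process-wide opt-in to TLS 1.2.

```csharp
using System;
using System.Net;

// Added diagnostic example (not SEB code). Target: .NET Framework console app.
static class TlsDownloadProbe
{
    // Attempt one request with the process-wide protocol set restricted to `protocols`.
    static string Probe(Uri url, SecurityProtocolType protocols)
    {
        SecurityProtocolType saved = ServicePointManager.SecurityProtocol;
        try
        {
            ServicePointManager.SecurityProtocol = protocols;
            var request = (HttpWebRequest)WebRequest.Create(url);
            // Force a fresh handshake per probe: without this, a pooled
            // keep-alive connection from an earlier probe could be reused
            // and hide the protocol restriction.
            request.KeepAlive = false;
            request.ConnectionGroupName = Guid.NewGuid().ToString();
            using (var response = (HttpWebResponse)request.GetResponse())
            {
                return "ok, HTTP " + (int)response.StatusCode;
            }
        }
        catch (WebException ex)
        {
            // A server refusing every offered version typically surfaces as
            // SecureChannelFailure or "The underlying connection was closed".
            return "failed: " + ex.Status + " (" + ex.Message + ")";
        }
        finally
        {
            ServicePointManager.SecurityProtocol = saved;
        }
    }

    static void Main(string[] args)
    {
        // Placeholder URL (assumption); pass the https:// form of the sebs:// link.
        var url = new Uri(args.Length > 0 ? args[0] : "https://example.invalid/default.seb");

        Console.WriteLine("process default : " + ServicePointManager.SecurityProtocol);
        Console.WriteLine("TLS 1.0 only    : " + Probe(url, SecurityProtocolType.Tls));
        Console.WriteLine("TLS 1.1 only    : " + Probe(url, SecurityProtocolType.Tls11));
        Console.WriteLine("TLS 1.2 only    : " + Probe(url, SecurityProtocolType.Tls12));

        // Opt in to TLS 1.2 on top of whatever the runtime already allows.
        ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
        Console.WriteLine("default | Tls12 : " + Probe(url, ServicePointManager.SecurityProtocol));
    }
}
```

If the "process default" line does not list `Tls12` and only the last two probes succeed against a server that enforces TLS 1.2, the client's protocol default is the cause rather than the server or the file being served.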

Krisell commented 5 years ago

Yes, I can now confirm that configuring the client to use https://tls-12.azurewebsites.net as the start URL works fine, and then clicking the link to load exam settings from seb://tls-12.azurewebsites.net/default.seb (which doesn't work when used from outside) works great. A white pop-up window is shown briefly but I'm guessing that's normal (I have no experience with configured clients and then loading exam settings).

benjaminwols commented 4 years ago

Are there any updates on this? SSLLabs caps servers with TLS 1.0 and 1.1 to B grade (https://blog.qualys.com/ssllabs/2018/11/19/grade-change-for-tls-1-0-and-tls-1-1-protocols). We now have to instruct students to download the config first and then click on the config file to open SEB.

danschlet commented 4 years ago

We are now actively working on the next SEB 2.4 update, where we will fix this issue. Currently SEB 2.4 is scheduled to be released until end of this month (Q1 2020), but I guess we will only have the final preview/beta build until then, testing/bug fixing for the final release might take a few weeks more.

You can test it with the almost finished current developer build of SEB 3.0 as well:

You can find the automated builds via the GitHub repository, see https://github.com/SafeExamBrowser/seb-win-refactoring. SEB 3.x comes in x86 and x64 builds, thus you’ll either need to navigate to the respective platform on the build server, or simply use the setup bundle (which automatically installs the correct build for a platform, including all required dependencies like the .NET framework and C++ runtime). The setup bundle can be found under the x86 platform build.

So to find the download link, click on the "Platform: x86" link and then on the "Artifacts" link on the right.

danschlet commented 4 years ago

Yesterday we released a feature-complete beta version of SEB 2.4, where I hope we fixed the TLS 1.2 issue. Can you please test if sebs links to servers using TLS 1.2 work with it? The test links mentioned above don't seem to work anymore.

Krisell commented 4 years ago

I just made some tests and can confirm that a TLS 1.2 sebs://-link which does not work in SEB 2.3, does load without issue in 2.4 and 3.0.

Great work!