Details of the scenario you tried and the problem that is occurring
I need to disable TLS 1.1 for incoming connections, but continue to allow outbound TLS 1.1 connections. The configuration appears to set the registry keys correctly as seen in this screenshot:
But when I run Test-DscConfiguration -Detailed my Protocol resource is showing as not being in the desired state.
Verbose logs showing the problem
VERBOSE: [CUSESO-DWAPB01]: LCM: [ Start Resource ] [[Protocol]Disable_TLS_1_1]
VERBOSE: [CUSESO-DWAPB01]: LCM: [ Start Test ] [[Protocol]Disable_TLS_1_1]
VERBOSE: [CUSESO-DWAPB01]: [[Protocol]Disable_TLS_1_1] Testing configuration for protocol TLS 1.1
VERBOSE: [CUSESO-DWAPB01]: [[Protocol]Disable_TLS_1_1] Getting configuration for protocol TLS 1.1
VERBOSE: [CUSESO-DWAPB01]: [[Protocol]Disable_TLS_1_1] Current Values: IncludeClientSide=True; Protocol=TLS 1.1; State=Disabled
VERBOSE: [CUSESO-DWAPB01]: [[Protocol]Disable_TLS_1_1] Target Values: IncludeClientSide=False; Protocol=TLS 1.1; State=Disabled; Verbose=True
VERBOSE: [CUSESO-DWAPB01]: [[Protocol]Disable_TLS_1_1] Protocol TLS 1.1 not compliant.
VERBOSE: [CUSESO-DWAPB01]: LCM: [ End Test ] [[Protocol]Disable_TLS_1_1] False in 0.1720 seconds.
VERBOSE: [CUSESO-DWAPB01]: LCM: [ End Resource ] [[Protocol]Disable_TLS_1_1]
Suggested solution to the issue
It looks like a bug in the Get-TargetResource method of the Protocol resource. I think it would just be a matter of initializing the $clientSide variable to $false instead of $true in MSFT_Protocol.psm1 on line 57.
The DSC configuration that is used to reproduce the issue (as detailed as possible)
The operating system the target node is running
OsName : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture : 64-bit
WindowsVersion : 1809
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage : en-US
OsMuiLanguages : {en-US}
Version of Windows that is used (e.g. Windows Server 2016)
Windows Server 2019
Version and build of PowerShell the target node is running
PSVersion 5.1.17763.1490
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.1490
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Version of the DSC module that was used
1.2.2
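
To check the inbound and outbound sides separately from the resource's own Get/Test logic, the following added example (not part of the original issue or of the SChannelDsc module) reads the standard SCHANNEL protocol registry keys directly. The function name `Get-SchannelSideState` and the way it classifies the values are assumptions of this example.

```powershell
# Added example: reads the SCHANNEL protocol keys directly, without the DSC resource.
function Get-SchannelSideState {
    param(
        [Parameter(Mandatory = $true)] [string] $Protocol,   # e.g. 'TLS 1.1'
        [Parameter(Mandatory = $true)] [ValidateSet('Server', 'Client')] [string] $Side
    )
    # Standard Windows location of the per-protocol SCHANNEL settings.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $path = Join-Path -Path (Join-Path -Path $base -ChildPath $Protocol) -ChildPath $Side
    $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

    $enabled = $null
    $disabledByDefault = $null
    if ($null -ne $item) {
        $names = $item.PSObject.Properties.Name
        if ($names -contains 'Enabled') { $enabled = $item.Enabled }
        if ($names -contains 'DisabledByDefault') { $disabledByDefault = $item.DisabledByDefault }
    }

    # Assumption of this example: Enabled = 0 means disabled, any other value means
    # enabled, and a missing key or value leaves the OS default in effect.
    if ($null -eq $enabled) { $state = 'Default' }
    elseif ($enabled -eq 0) { $state = 'Disabled' }
    else { $state = 'Enabled' }

    [pscustomobject]@{
        Protocol          = $Protocol
        Side              = $Side
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        State             = $state
    }
}

$server = Get-SchannelSideState -Protocol 'TLS 1.1' -Side Server
$client = Get-SchannelSideState -Protocol 'TLS 1.1' -Side Client
$server, $client | Format-Table -AutoSize

# The intent stated in the issue: inbound (Server) disabled, outbound (Client) left alone.
if ($server.State -eq 'Disabled' -and $client.State -ne 'Disabled') {
    'Registry matches the intent: inbound TLS 1.1 disabled, outbound not disabled.'
} else {
    'Registry does not match the intent; compare the two rows above.'
}
```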