simeononsecurity / Windows-Optimize-Harden-Debloat

Enhance the security and privacy of your Windows 10 and Windows 11 deployments with our fully optimized, hardened, and debloated script. Adhere to industry best practices and Department of Defense STIG/SRG requirements for optimal performance and security.
https://simeononsecurity.com/github/optimizing-and-hardening-windows10-deployments/
MIT License

This completely broke my Chocolatey installation #67

Closed SkullHex2 closed 1 year ago

SkullHex2 commented 1 year ago

Describe the bug
Ever since I ran this, Chocolatey doesn't work anymore. The error message is

Unable to load the service index for source https://community.chocolatey.org/api/v2/.
The request was aborted: Could not create SSL/TLS secure channel.

I know you're not Chocolatey's developer or anything, but maybe you have some idea as to what caused this. I think it's also important for future reference.

To Reproduce
Steps to reproduce the behavior:

  1. Run .\sos-optimize-windows.ps1 -firefox:$False -onedrive:$False -windows:$False (most likely, the additional arguments aren't needed)
  2. Reboot
  3. Run choco upgrade all

Expected behavior
This is the expected behavior, to some extent at least. Upon further inspection, Chocolatey's message doesn't really make sense as it relies on TLS 1.2, and this script should only disable SSL.

Additional context
I'll also submit an issue in Chocolatey's repository.

github-actions[bot] commented 1 year ago

Message that will be displayed on users' first issue

simeononsecurity commented 1 year ago

@SkullHex2 that leaves the sslhardening still enabled, which doesn't affect tls v1.2. In fact, it specifically enables it.

https://github.com/simeononsecurity/Windows-Optimize-Harden-Debloat/blob/1bd1594e5229ccfa8af9bce78679b9fc28bdc9ae/sos-optimize-windows.ps1#L956

Anything you don't set to false is true by default, as mentioned in the readme.

I was unable to recreate your issue on our primary test machine. I was able to recreate it on a vanilla system.

Try these commands to see if they work for you.

    choco feature enable -n=allowGlobalConfirmation
    choco feature enable -n=useFipsCompliantChecksums
    choco feature enable -n=useEnhancedExitCodes
    choco feature disable -n=checksumFiles #Fipsmode implementation is currently broken for some packages
    choco config set commandExecutionTimeoutSeconds 14400

Otherwise, be sure you reboot, maybe try running the script again.

SkullHex2 commented 1 year ago

First of all, thank you for getting back to me so soon. I know the command I'm running does not disable SSL hardening, but that should be fine as Chocolatey works by default with TLS (I think). I ran the commands you posted and rebooted; unfortunately, the problem is still there. What else could be causing this?

If it helps, I can share Chocolatey's log with you.

In any case, I've also submitted an issue in chocolatey/choco.

simeononsecurity commented 1 year ago

There isn't anything immediately apparent that would break it from what we can tell. We can deep dive into it further in the coming weeks. However, I suggest you try running the Windows hardening and see if that works for you. @SkullHex2 As always, it's best to test things on a test system or VM before running in production.

Unfortunately, when we create these scripts it's impossible to test every combination. We test the script with all true and also without any of the STIG configurations, and we haven't run into this issue specifically.

SkullHex2 commented 1 year ago

> There isn't anything immediately apparent that would break it from what we can tell. We can deep dive into it further in the coming weeks. However, I suggest you try running the Windows hardening and see if that works for you. @SkullHex2 As always, it's best to test things on a test system or VM before running in production.

Sorry, I can't do that because the Windows hardening disables the sleep function, and that is completely unacceptable for a laptop. I had created a restore point just before running the script, but it doesn't work for this specific issue. Thank you anyway.

simeononsecurity commented 1 year ago

> > There isn't anything immediately apparent that would break it from what we can tell. We can deep dive into it further in the coming weeks. However, I suggest you try running the Windows hardening and see if that works for you. @SkullHex2 As always, it's best to test things on a test system or VM before running in production.
>
> Sorry, I can't do that because the Windows hardening disables the sleep function, and that is completely unacceptable for a laptop. I had created a restore point just before running the script, but it doesn't work for this specific issue. Thank you anyway.

Then reenable sleep? That option is available in the power options. There are a few different ways you can fix that.

SkullHex2 commented 1 year ago

Here are the registry keys you need to delete if you want to fix Chocolatey:

HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client

Thanks to pauby from Chocolatey's repository.

simeononsecurity commented 1 year ago

> Here are the registry keys you need to delete if you want to fix Chocolatey:
>
> HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server
> HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server
> HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client
> HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client
>
> Thanks to pauby from Chocolatey's repository.

Actually, based on this knowledge, the issue isn't those lines specifically. It is the encryption algorithms that get enabled and preferred over less secure ones when 1.3 is enabled.

This is fixed by some of the settings enabled in the windows hardening.

However, the issue here is on Chocolatey's end.

https://github.com/chocolatey/choco/issues/3222#issuecomment-1616354536

It seems that Chocolatey servers do not support strong cipher sets for TLS/SSL.

The Windows 10/11 hardened system uses:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA

Chocolatey servers use:
RSASSA-PSS with SHA-256
RSASSA-PSS with SHA-384
RSASSA-PSS with SHA-512
RSASSA-PKCS1-v1_5 with SHA-256
RSASSA-PKCS1-v1_5 with SHA-384
RSASSA-PKCS1-v1_5 with SHA-1
ECDSA with SHA-256
ECDSA with SHA-384
ECDSA with SHA-1
DSA with SHA-1
RSASSA-PKCS1-v1_5 with SHA-512
ECDSA with SHA-512

Windos commented 1 year ago

> It seems that chocolatey servers do not support strong cipher sets for TLS/SSL.

Just to be clear, that comparison is not accurate. The first list is a list of cipher suites and it's being compared to a list of signature algorithms.

For a better view of the cipher suites supported by the Chocolatey Community Repository, I would refer to SSL Labs: SSL Report: community.chocolatey.org

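As an added diagnostic (not code from the hardening script, from Chocolatey, or from anyone in this thread), the following PowerShell reads the TLS 1.3 SCHANNEL keys listed earlier, prints the cipher suites Windows actually offers (the kind of list the first comparison above shows, as opposed to signature algorithms), and performs one real handshake against community.chocolatey.org to report what was negotiated or the exact failure, so the cause of "Could not create SSL/TLS secure channel" can be seen before any key is deleted. It assumes Windows 10/11 with PowerShell 5.1 or later; the Enabled and DisabledByDefault value names are the standard SCHANNEL ones and are not quoted anywhere in this thread.

```powershell
# Added diagnostic script; not part of sos-optimize-windows.ps1 or of Chocolatey.
# Read-only: it inspects SCHANNEL settings and tests one TLS handshake.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$target   = 'community.chocolatey.org'   # host from the thread; change as needed

# 1. What the hardening left under TLS 1.3\Client and TLS 1.3\Server.
#    Enabled / DisabledByDefault are the standard SCHANNEL value names (assumption:
#    the script writes these; the thread only names the keys, not the values).
foreach ($side in 'Client', 'Server') {
    $key = Join-Path $schannel "TLS 1.3\$side"
    if (Test-Path $key) {
        $v = Get-ItemProperty -Path $key
        "TLS 1.3\$side : Enabled=$($v.Enabled) DisabledByDefault=$($v.DisabledByDefault)"
    } else {
        "TLS 1.3\$side : key absent (OS defaults apply)"
    }
}

# 2. Cipher suites this machine will offer, in priority order.
#    These are TLS_... suite names, which is what a server-side signature
#    algorithm list (RSASSA-PSS, ECDSA with SHA-256, ...) cannot be compared to.
"Cipher suites offered by this machine:"
Get-TlsCipherSuite | ForEach-Object { "  " + $_.Name }

# 3. One real handshake: report protocol and cipher actually negotiated, or the
#    underlying SCHANNEL error that choco's "Could not create SSL/TLS secure
#    channel" message hides.
$client = $null
try {
    $client = New-Object System.Net.Sockets.TcpClient($target, 443)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($target)
    "Negotiated with $target : protocol=$($ssl.SslProtocol) " +
        "cipher=$($ssl.CipherAlgorithm)-$($ssl.CipherStrength) " +
        "hash=$($ssl.HashAlgorithm) kex=$($ssl.KeyExchangeAlgorithm)"
} catch {
    "Handshake with $target failed: $($_.Exception.GetBaseException().Message)"
} finally {
    if ($client) { $client.Close() }
}
```

Run it once on the broken machine and once on a system where choco works; the negotiated protocol/cipher (or the base exception text) is the concrete difference to take to either repository.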