<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
tt
{mso-style-priority:99;
font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#032DFD;
font-weight:normal;
font-style:normal;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#032DFD;mso-fareast-language:EN-US">Hi<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#032DFD;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#032DFD;mso-fareast-language:EN-US">Yep, seems to be a fault in the underlying .NET libraries – it should really advertise the newer TLS protocols when making a connection but apparently only advertises 1.0
</span><span style="font-family:"Segoe UI Emoji",sans-serif;color:#032DFD;mso-fareast-language:EN-US">☹</span><span style="color:#032DFD;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#032DFD;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#032DFD;mso-fareast-language:EN-US">Can you try your recommended fix and let us know if it works – adding it here:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#032DFD;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif"> [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}</span>
<o:p></o:p></p>
<p class="MsoNormal"><tt><span style="font-size:12.0pt">[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"</span></tt>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif"> $client.DownloadFile($downloadURL, $destinationFilePath)</span>
<br>
<br>
<span style="color:#032DFD;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#032DFD;mso-fareast-language:EN-US">If that doesn’t work, can you try:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#032DFD;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#032DFD;mso-fareast-language:EN-US">[Net.ServicePointManager]::SecurityProtocol =
</span>[Net.SecurityProtocolType]::TLS12<span style="color:#032DFD;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#032DFD;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#032DFD;mso-fareast-language:EN-US">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#032DFD;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#032DFD">Zak <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#032DFD;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Xymon [mailto:xymon-bounces@xymon.com]
<b>On Behalf Of </b>Jonathan Trott<br>
<b>Sent:</b> Thursday, 7 June 2018 00:17<br>
<b>To:</b> xymon@xymon.com<br>
<b>Subject:</b> [External] Re: [Xymon] How to get Windows Update info from client<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Hi Kris.</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">Nice work on the figuring!</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">Checking the code for xymonclient.ps1 finds this function:</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">function XymonDownloadFromURL([string]$downloadURL, [string]$destinationFilePath)</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">{</span> <br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif"> $downloadURL = $downloadURL.Trim()</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif"> WriteLog "XymonDownloadFromURL - Downloading $downloadURL to $destinationFilePath"</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif"> $client = New-Object System.Net.WebClient</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif"> try</span> <br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif"> {</span> <br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif"> # for self-signed certificates, turn off cert validation</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif"> # TODO: make this a config option</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif"> [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif"> $client.DownloadFile($downloadURL, $destinationFilePath)</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif"> }</span> <br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif"> catch</span> <br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif"> {</span> <br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif"> WriteLog "Error downloading: $_"</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif"> return $false</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif"> }</span> <br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif"> return $true</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">}</span> <br>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">A bit of googling returns the collective knowledge that by default that command only uses TLS 1.0. Seems broken....</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">Apparently you can add the following line to enable more protocols:</span>
<br>
<br>
<tt><span style="font-size:12.0pt">[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"</span></tt>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">So I'll copy in the xymon list so someone more knowledgeable can tell me that I am wrong.</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">Thanks,</span> <br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">JT</span> <br>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">> I figured it out! I set my server up to only use TLSv1.2 and apparently</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">> the Xymon PS download scripts can't work with v1.2, they need 1.0. When</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">> I reduced the TLS level down to allow v1.0 on my server it downloaded</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">> the file as expected.</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">> </span><br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">> Any idea how to allow the Xymon client scripts to work with TLSv1.2?</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">> </span><br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">> </span><br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">> Thank you.</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">> ------------------------------------------------</span>
<br>
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">> Kris Springer</span><o:p></o:p></p>
</div>
<br>
<hr>
<font face="Arial" color="Gray" size="1"><br>
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by
you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of
internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement
at https://www.accenture.com/us-en/privacy-policy. <br>
______________________________________________________________________________________<br>
<br>
www.accenture.com<br>
</font>
</body>
</html>