How to resolve BCP error "SSL Provider: An existing connection was forcibly closed by the remote host" while refreshing caches from older windows versions ?

Article ID: KB0071326

Products: TIBCO Data Virtualization
Versions: -

Description

TDV Server cannot refresh its cache when the cache is configured on a Microsoft SQL Server 2016 or 2019 database and TDV Server is hosted on an older version of Windows such as Windows Server 2012. An error similar to the following can be observed in TDV Server's cs_server.log:

SQLState = 08001, NativeError = 10054
Error = [Microsoft][ODBC Driver 13 for SQL Server]SSL Provider: An existing connection was forcibly closed by the remote host.


Issue/Introduction

A TDV Server hosted on Windows Server 2012 R2 cannot establish a secure connection to a machine running Windows Server 2016 or later.

Resolution

This error occurs because the remote host (the machine where the MS SQL Server instance is hosted) closes the SSL/TLS connection opened by the TDV Server.

This can happen for several reasons (such as a firewall or a port scanner), but in this particular scenario the cause is a well-documented issue between Windows Server 2012 R2 and Windows Server 2016/2019 (or later versions of SQL Server).

Windows Server 2012 R2 machines that have the updates released on Feb 25th or later installed contain the leading-zero update, whereas all Windows versions released before that do not.

The TLS client and server must derive their keys in exactly the same way; otherwise they arrive at different results. TLS connections fail intermittently if leading zeros are handled differently by the TLS client and the TLS server.

When a Diffie-Hellman key exchange group has leading zeros, unpatched computers may compute the MAC incorrectly by not accounting for the padded zeros. This issue is typically seen when interacting with non-Windows-based crypto implementations and can cause intermittent negotiation failures.

The error is returned when the secure TLS handshake is negotiated between the client and the server using a TLS_DHE cipher suite.

The TDV Server machine is running Windows 2012 R2 while the MSSQL Server machine is running Windows Server 2016.

There are two resolutions for this:
1. Update the Windows Server 2012 R2 machine to Windows Server 2016 or later.

2. Disable the TLS_DHE cipher suites on the Windows Server 2012 R2 machine, using one of the following two methods:

1. Using Group Policy

TLS_DHE_* cipher suites can be disabled by using Group Policy. Refer to Prioritizing Schannel Cipher Suites to configure the "SSL Cipher Suite Order" group policy.
Policy path: Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings
Policy setting: SSL Cipher Suite Order

2. Using a PowerShell script

# Run in an elevated PowerShell session on the Windows Server 2012 R2 machine.
# Get-TlsCipherSuite lists the suites Schannel currently allows; every suite
# whose name starts with "TLS_DHE" is removed with Disable-TlsCipherSuite,
# all other suites are left untouched.
foreach ($CipherSuite in $(Get-TlsCipherSuite).Name)
{
    if ( $CipherSuite.Substring(0,7) -eq "TLS_DHE" )
    {
        Write-Output ("Disabling cipher suite: " + $CipherSuite)
        Disable-TlsCipherSuite -Name $CipherSuite
    }
    else
    {
        Write-Output ("Existing enabled cipher suite will remain enabled: " + $CipherSuite)
    }
}


Additional Information

https://learn.microsoft.com/en-US/troubleshoot/windows-server/identity/apps-forcibly-closed-tls-connection-errors