No data appears after disabling TLS 1.0

Problem

No data appears in New Relic after disabling TLS 1.0. You checked if TLS 1.0 is disabled by inspecting the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client

TLS 1.0 is disabled if "Enabled" is set to 0 and "DisabledByDefault" is set to 1.

Also, you also may have noticed an error message in the New Relic Agent logs due to this problem; for example:

  • NewRelic ERROR: Unable to connect to the New Relic service at collector.newrelic.com:443 : System.Net.WebException: 
    The request was aborted: Could not create SSL/TLS secure channel.
  • NewRelic ERROR: Unable to connect to the New Relic service at collector.newrelic.com:443 : System.Net.WebException: 
    The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: 
    Received an unexpected EOF or 0 bytes from the transport stream.
  • NewRelic ERROR: Unable to connect to the New Relic service at collector.newrelic.com:443 : System.Net.WebException: 
    The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: 
    The client and server cannot communicate, because they do not possess a common algorithm.

Solution

The New Relic .NET agent requires at least one version of TLS to be enabled. For TLS 1.1/1.2 it also requires .NET to be configured to use it.

If you set a TLS version as default, it will be used by both the application and the New Relic agent. You cannot use a different TLS version for each.

To enable a specific TLS version protocol:

Step 1. Enable TLS protocols in Windows registry.

Older versions of Windows Server (2008/2012) may not have TLS 1.1/1.2 support enabled by default.

Follow these steps carefully. Serious problems may occur if you modify the registry incorrectly. Recommendation: Before you modify the registry, make a backup.

Here's an example of how to update Windows registry to TLS 1.2. This requires TLS to be enabled for the Client role, because your server is connecting as a client to New Relic.

  1. Copy and paste the following into a file:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001
    
  2. Save the file with a .reg extension.
  3. Run the script.
Step 2. Turn on .NET default protocols

.NET Frameworks 4.5 or lower use protocols SSL v3 and TLS 1.0 by default.

After you enabled TLS 1.1 or 1.2 via the registry, you still need to change the default protocols used by .NET.

Choose one of the following options:

Enable strong crypto property in Windows registry

Follow these steps carefully. Serious problems may occur if you modify the registry incorrectly. Recommendation: Before you modify the registry, make a backup.

Adding the SchUseStrongCrypto value to the .NET Framework registry keys will allow all .NET apps to use TLS 1.1 or 1.2. Both regkeys will need to be modified to ensure that both 32bit and 64bit .NET applications are able to use TLS 1.1/1.2.

  1. Copy and paste the following into a file:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319] 
    "SchUseStrongCrypto"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
    
  2. Save the file with a .reg extension.
  3. Run the script.
Include protocol in your app code

You can change .NET's default security protocols by modifying your application's source code. The following command enables TLS 1.2, 1.1, and 1.0 as default protocols for your application. It's a global setting and should be set early in your application's start-up. You can modify it to enable the specific protocols you want.

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

Cause

If you require a specific version of TLS for external HTTP requests, then you must make sure your application and server are configured correctly. Not having proper configuration can lead to the New Relic .NET agent not being able to connect to New Relic.

New Relic's .NET agent communicates with New Relic servers using standard classes available with .NET for making external HTTP requests. Because the .NET agent code runs alongside your application code, the security protocols used for communicating with New Relic servers depend on your application's environment and configuration.

For more information on correctly configuring your system or application's TLS settings depending on your version of the .NET Framework, review Microsoft's documentation on (TLS) best practices.

For more help

Recommendations for learning more: