Hi, I was trying to communicate with a SQL Server, and the JDBC client from Ignition threw an exception:
“Windows System event: An unknown connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed.” – From Windows Log
I made several tests, mostly to locate the problem, and I determined that the communication is using TLS 1.2 for two main reasons:
Is it possible that a low-level network application blocks the communication for security reasons (such as CISCO Umbrella, which has TLS 1.0 and TLS 1.1 as DEPRECATED)? Maybe the Ignition JDBC client is trying to use these deprecated protocols and it’s labeled as insecure.
I’m out of options and desperately need help in any way possible. I need this data in my Ignition environment.
What version of Ignition are you using? What is the error message from the Ignition database connection status?
You have most likely misdiagnosed this, and the problem is that Ignition only supports TLS 1.2 or 1.3, while your instance of SQL Server needs to be upgraded to support TLS 1.2.
Hi Kevin! Thanks a lot for answering.
I’m using Ignition 8.1.18.
The SQL server is Osisoft-PI RTQP (DAS). It’s a .net application that supports TLS 1.2, and I’ve checked the datagrams with Windows Network Monitor. It actually IS using TLS 1.2, sends and receives the “TLS client hello” & “TLS server hello” (to another remote client that is not Ignition), but with IGNITION, the server never replies back with “TLS server hello”.
AND I have the error message from the Windows log with Ignition. So this actually IS a client side (IGNITION) problem.
I saw you have a support ticket open, so you’ll probably just have to continue working with them.
A Wireshark capture to look at the TLS handshake negotiation will probably be useful. I think there was another similar issue to this that was never resolved, and the only difference we could see in captures between Ignition and something else that worked was that Ignition advertised support for both TLS 1.2 and 1.3 in the connection setup, where the other application only advertised TLS 1.2 support, and for some reason that resulted in no response from the server (or an explicit connection close, can’t remember).
Thanks, that may come in handy.
I will add further comments in this post, just in case I make any progress with my problem.
I will also add:
In the captures from the other ticket, in the capture of the successful application, we took note of the cipher suite chosen by the server, and then verified that in the capture of the unsuccessful connection attempt by Ignition the same cipher suite is among those offered as options. That, plus the way the server behaved by just closing the connection, definitely made it look like an issue on the server side.
I think the other customer had reached out to OSI but I’m not sure anything ever happened.
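The capture comparison described in the replies above, as an added Python example that is not part of the original posts or of Ignition: it parses a ClientHello record, lists the offered cipher suites and advertised TLS versions, and checks whether the suite the server chose in the working capture was offered. The function names are hypothetical, the sample bytes are constructed rather than taken from a real capture, and the ClientHello is assumed to fit in a single TLS record.

```python
import struct

SUPPORTED_VERSIONS = 0x002B  # supported_versions extension type (RFC 8446)
VERSION_NAMES = {0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def parse_client_hello(record: bytes) -> dict:
    """Return offered cipher suites and advertised versions from one TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                   # skip record (5) + handshake (4) headers
    legacy_version = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                             # legacy_version + random
    pos += 1 + record[pos]                    # session_id
    n = struct.unpack_from("!H", record, pos)[0]
    suites = list(struct.unpack_from(f"!{n // 2}H", record, pos + 2))
    pos += 2 + n
    pos += 1 + record[pos]                    # compression methods
    versions = [legacy_version]               # used when the extension is absent
    if pos < len(record):
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            if ext_type == SUPPORTED_VERSIONS:  # 1-byte list length, then 2-byte versions
                versions = list(struct.unpack_from(f"!{record[pos + 4] // 2}H", record, pos + 5))
            pos += 4 + ext_len
    return {"suites": suites, "versions": versions}

def build_client_hello(suites, versions=None) -> bytes:
    """Construct a minimal ClientHello record (sample input, not a real capture)."""
    ext = b""
    if versions:
        body = bytes([2 * len(versions)]) + struct.pack(f"!{len(versions)}H", *versions)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS, len(body)) + body
    hello = (b"\x03\x03" + bytes(32) + b"\x00"
             + struct.pack(f"!H{len(suites)}H", 2 * len(suites), *suites)
             + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def compare(failing: bytes, server_chosen_suite: int) -> dict:
    """Check whether the suite the server picked elsewhere was offered here."""
    hello = parse_client_hello(failing)
    return {"suite_offered": server_chosen_suite in hello["suites"],
            "versions": [VERSION_NAMES.get(v, hex(v)) for v in hello["versions"]]}

if __name__ == "__main__":  # constructed sample: client advertises TLS 1.3 and 1.2
    print(compare(build_client_hello([0x1301, 0xC02F], [0x0304, 0x0303]), 0xC02F))
```

To run it on a real capture, pass the raw bytes of the TLS record that carries the ClientHello to `compare` together with the numeric cipher suite value from the ServerHello of the working connection.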
So, after consulting with IT and cybersecurity teams, we got both the server and IGNITION JDBC client for mySQL out of the GPO and domain.
We managed the Windows registries and got it working WITHOUT TLS 1.3. We forced the Ignition application to use TLS 1.2, but actually it uses the highest available option in the OS.
I'll come back after a few more tests.