A little background information first. I have an SSIS package that runs inside a Windows Server 2003 SP2 32 bit environment. The package recently started failing with the following error during a script task which downloads a webpage using an SSL connection:

"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

Some digging revealed a couple of things: I also could not access the website in question using IE8 from the server (I can with Firefox), and the website had just been issued a new SHA256 certificate.

After doing some research, my current assumption is that the problem is that I don't have support for SHA2 certificates on this server. I grabbed the certificate from the site and ran CertUtil -verify [cert file] which gives the following result:

The signature of the certificate can not be verified. 0x80096004 (-2146869244)

I found a couple of hotfixes from Microsoft, and from what I understand, either of them should enable support for SHA2 certificates:

So I requested the hotfix for kb968730 and attempted to install it, but got the following error:

The installation cannot continue because the following packages might not be valid:
    KB2616676_V2 c:\windows\system32\dllcache\crypt32.dll 5.131.3790.4905
    KB2616676_V2 c:\windows\system32\crypt32.dll          5.131.3790.4905
Reinstall the packages listed above, and then reinstall KB968730

The version of the crypt32 library that is included with the hotfix is 5.131.3790.4477 which explains why the installer won't proceed.

At this point I'm not quite sure what I need to do. The kb968730 article indicates that crypt32.dll is the only file that is updated by the hotfix which makes me think, since I have a newer version already, shouldn't I already have this functionality? But, it would seem as though I don't, unless I am mistaken about the root cause of the issue.

grin0048
  • Have you tried doing what it said and [reinstalling the packages listed above](http://support.microsoft.com/kb/2616676)? – Michael Hampton Jun 20 '14 at 15:28
  • 1
    I have not. I did a little poking around regarding that error message, and it sounds like that is what you'll get if you are attempting to install packages that are older than the ones you already have. – grin0048 Jun 20 '14 at 15:32
  • Googling this answer leads to the correct hotfixes, however the *default* hotfix download is for Server 2003 *64-bit*. If you get the error that the file is for a different architecture, click the link to show all languages and versions, and you can download the x86 package. The direct link to the Server 2003 and SBS 2003 32-bit hotfix is http://hotfixv4.microsoft.com/Windows%20Server%202003/sp3/Fix262679/3790/free/375510_ENU_i386_zip.exe – degenerate Sep 20 '15 at 03:05
  • This was used to troubleshoot and fix an issue with: https://dps.ws.hmrc.gov.uk/dpsauthentication/service Especially the fact that it doesn't load in IE8 (on most Windows 2003 server machines some of our customers have) – reckface Nov 23 '15 at 14:00

3 Answers

The Crypt32.dll 5.131.3790.5235 version fixes the issue (after a reboot). It is available at http://support2.microsoft.com/kb/2868626

The previously installed version was 5.131.3790.5014 version and it did not fix the issue. According to this post (https://mendel129.wordpress.com/tag/crypt32-dll/), there are two variants of the 5014 version: one from Windows Update (KB2661254, does not work) and another as a QFE (KB968730).

An Phu
This problem is solved by installing KB3072630, which is installed automatically if you have Windows Update enabled. The version number of Crypt32.dll is 5.131.3790.5668 after the update.

KB938397 and KB968730 are deprecated and replaced by the update above.

Vinix
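As an added check (not code posted in this thread), the PowerShell script below reads the installed crypt32.dll file version, compares it with the version levels the answers above quote, and re-runs the `certutil -verify` check from the question. It assumes PowerShell is installed on the Server 2003 host; `$CertPath` is a placeholder for the exported site certificate.

```powershell
# Added example, not from the thread. Assumes PowerShell is present on the host.
param(
    [string]$CertPath = "C:\temp\site-cert.cer"   # placeholder: exported certificate to verify
)

# crypt32.dll levels quoted in the question and answers, with what each was reported to mean.
$knownLevels = @(
    @{ Version = [Version]'5.131.3790.4477'; Note = 'version shipped inside the KB968730 hotfix package' },
    @{ Version = [Version]'5.131.3790.4905'; Note = 'KB2616676_V2; newer than KB968730, so that installer refuses to run' },
    @{ Version = [Version]'5.131.3790.5014'; Note = 'KB2661254 (Windows Update) or KB968730 QFE; reported as not fixing SHA-2 validation' },
    @{ Version = [Version]'5.131.3790.5235'; Note = 'KB2868626; reported as fixing the issue after a reboot' },
    @{ Version = [Version]'5.131.3790.5668'; Note = 'KB3072630 via Windows Update; supersedes the older hotfixes' }
)
$minimumFixed = [Version]'5.131.3790.5235'

# Build the version from the numeric parts: on Server 2003 the FileVersion string
# carries a build tag in parentheses, so casting the string directly would fail.
$dll = Join-Path $env:SystemRoot 'System32\crypt32.dll'
$vi  = (Get-Item $dll).VersionInfo
$fileVersion = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

Write-Host "crypt32.dll file version: $fileVersion"
$match = $knownLevels | Where-Object { $_.Version -eq $fileVersion }
if ($match) { Write-Host "Known level: $($match.Note)" }

if ($fileVersion -ge $minimumFixed) {
    Write-Host "At or above the KB2868626 level; SHA-2 chain validation should succeed."
} else {
    Write-Host "Below the fixed level; install KB3072630 (Windows Update) or KB2868626 and reboot."
}

# Repeat the check the question used. Exit code 0 means certutil verified the chain.
if (Test-Path $CertPath) {
    $output = & certutil -verify $CertPath 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Host "certutil: certificate chain verified."
    } else {
        Write-Host "certutil exit code $LASTEXITCODE; relevant lines:"
        $output | Select-String -Pattern '0x80096004', 'signature of the certificate' |
            ForEach-Object { Write-Host "  $_" }
    }
} else {
    Write-Host "No certificate found at $CertPath; skipping certutil check."
}
```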
I received this error as well. I would go ahead and install the certificate onto the designated server and get this error. My solution was that I had to go ahead and install the root/intermediate cert on each server that called to that specific certificate. This was probably because I had just updated my internal CA.

So if there are X amount of servers that call to that certificate, install it on those servers. That took care of my problem.

  • Although you got the same error message you had a different problem. Your answer does not help enabling SHA2 support on Windows Server 2003. You may be better off finding a question that more closely matches the answer you have. – Ladadadada Sep 28 '16 at 16:26