
[BUG?]: TLS Security fix for Battle.net not working #489

Closed
3 tasks done
bryandonmarc opened this issue Dec 31, 2024 · 5 comments · Fixed by #494
Labels: Bug 🐛 Something isn't working

@bryandonmarc

Tools category

Harden Windows Security Module

Does Your System Meet The Requirements?

  • Yes, I acknowledge that I've read the requirements and my system meets them. 👍

Is your Windows Installation Genuine?

  • Yes, I acknowledge that the installation media of the Windows OS I used the tool on was downloaded from the official Microsoft website and I didn't tamper or modify it. 💯

Did You Read The Frequently Asked Questions?

  • Yes, I've referred to the FAQs and my issue is not covered/explained in there.

Please Explain The Bug

On the TLS Security section, a known Battle.net client issue is linked, suggesting a fix that currently does not work:

Enable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_256_CBC_SHA"

Running this command in an elevated PowerShell terminal, and re-checking using:

Get-TlsCipherSuite

shows that TLS_RSA_WITH_AES_256_CBC_SHA is still not within the list of cipher suites currently used.

This may be due to the fact that the current TLS Security policies are now applied using the Registry instead of PowerShell cmdlets.

⚠️ Re-running the TLS Security category also won't work in this scenario as the Battle.net client is installed in a different path.

Solution:

To fix this issue, I had to use the Registry Editor and manually go to:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002

and modify the Functions value and change the data like so:

TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

appending TLS_RSA_WITH_AES_256_CBC_SHA at the very end.

Now, rerunning Get-TlsCipherSuite gives us the TLS_RSA_WITH_AES_256_CBC_SHA cipher suite at the very end of the list, and the Battle.net client can now finally connect to the internet.

I came to this solution by using a Registry.Pol Viewer and looking at the registry.pol for the Battle.net client.

Environment:

  • Harden-Windows-Security-Module 0.7.0
  • Microsoft Windows 11 IoT Enterprise LTSC
  • Version 24H2 (OS Build 26100.2605)
  • Battle.net client installed on a different path (E:\Battle.net)

Error Details

No response

@bryandonmarc bryandonmarc added the Bug 🐛 Something isn't working label Dec 31, 2024
@bryandonmarc (Author)

I think a better idea to prevent this issue going forward is to make this into a sub-category that can be easily applied with an additional prompt.

Asking the user if they have Battle.net client installed should be better instead of auto-detecting whether to apply the fix by assuming a fixed installation path.

@HotCakeX (Owner)

HotCakeX commented Dec 31, 2024

Hi,
Thanks for creating this detailed issue. You're right, the auto detection won't work if it's installed in an alternative location. For now, I can update the Readme page's link to a page like this issue where people with the Battle.net client installed in another location will see how to fix the issue themselves.

Registry key modifications or PowerShell commands won't work since the configurations are applied through Group Policy which reverts them back regularly to keep the system compliant. Group Policy itself should be changed.

The TLS category is in this location

[screenshot omitted]

You can either set it to Not Configured state or paste the following value in it

TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

it includes this cipher suite required by Battle.net client TLS_RSA_WITH_AES_256_CBC_SHA


I'll see about adding a sub-category for Battle.net client to the module too.
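The manual registry edit from the issue body and the policy value posted above can be scripted and verified in one pass. The following is an added example written for this page; it is not code from the issue author or from the Harden-Windows-Security module. It assumes only what the thread shows: the policy key `HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002`, its `Functions` value, and `Get-TlsCipherSuite` as the check. The 1,023-character limit on that value comes from Microsoft's documentation of the SSL Cipher Suite Order policy. As the owner notes, Group Policy refresh rewrites this key from registry.pol, so a change made this way persists only if the policy itself is updated as well.

```powershell
# Added example; not code from the issue or from the Harden-Windows-Security module.
# Checks whether a cipher suite is present in the Group Policy cipher-suite order
# (the same 'Functions' value the issue author edited), appends it at the end if it
# is missing, and verifies the effective list with Get-TlsCipherSuite.
# Run in an elevated PowerShell session.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$Suite     = 'TLS_RSA_WITH_AES_256_CBC_SHA'   # required by the Battle.net client per the thread

function Get-PolicyCipherSuites {
    # Returns the ordered suite list from the policy's Functions value, or an empty array if unset.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'Functions' -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    return @($item.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Add-PolicyCipherSuite {
    param([Parameter(Mandatory)][string]$Name)
    $current = Get-PolicyCipherSuites
    if ($current -contains $Name) {
        $pos = [array]::IndexOf($current, $Name) + 1
        Write-Host "$Name already in policy (position $pos of $($current.Count))"
        return $current
    }
    # Append at the very end so the RSA key exchange / CBC suite is only chosen when
    # nothing stronger is offered, and de-duplicate in case of earlier manual edits.
    $new    = @(($current + $Name) | Select-Object -Unique)
    $joined = $new -join ','
    # The policy value is a single REG_SZ; Microsoft documents a 1,023-character limit for it.
    if ($joined.Length -gt 1023) {
        throw "Functions value would be $($joined.Length) characters, over the 1023 limit"
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'Functions' -Value $joined -Type String
    return $new
}

function Test-EffectiveCipherSuite {
    param([Parameter(Mandatory)][string]$Name)
    # Get-TlsCipherSuite reports what Schannel will actually negotiate, i.e. the list
    # the Battle.net client sees. When the policy value is set it takes precedence over
    # the local list that Enable-TlsCipherSuite edits, which is why that cmdlet had no effect.
    $effective = Get-TlsCipherSuite | Select-Object -ExpandProperty Name
    return [bool]($effective -contains $Name)
}

Write-Host "Effective before: $(Test-EffectiveCipherSuite -Name $Suite)"
Add-PolicyCipherSuite -Name $Suite | Out-Null
Write-Host "Effective after:  $(Test-EffectiveCipherSuite -Name $Suite)"
```

Running the script twice shows the idempotent path: the second run reports the suite's position instead of rewriting the value. If the module's TLS policy is re-applied afterwards, the "Effective after" check will flip back to False, which is the quickest way to confirm that Group Policy, not the registry edit, is the controlling setting on the machine.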


@bryandonmarc (Author)

Thanks for the very quick response! I've applied this too and works as well.

Also, happy new year! 🥳

@HotCakeX (Owner)

Anytime,

Happy new year! 🤗

@HotCakeX HotCakeX linked a pull request Jan 2, 2025 that will close this issue
HotCakeX added a commit that referenced this issue Jan 2, 2025:

During the compliance checking, MDM results that are not used by the module are no longer collected, improving the performance and speed, especially on lower end hardware.

Adjusted the TLS Category's Intune Json config to match the new schema.

Added a new sub-category for the TLS category, called "TLS for BattleNet". When selected, the TLS category will deploy the group policy that has the extra cipher suite TLS_RSA_WITH_AES_256_CBC_SHA which is less secure but required for BattleNet client to connect to its servers. Fixes -> [BUG?]: TLS Security fix for Battle.net not working #489

This means BattleNet client is no longer automatically detected on the system because there are times when it's installed in non-default location. Now the user is in control to decide whether to use the extra cipher suite or not.

HotCakeX added a commit that referenced this issue Jan 2, 2025:

WDACConfig module is no longer used/installed for Downloads Defense Measures category. All the necessary logic for policy creation is now implemented natively. This substantially improves the performance and allows for full offline usage of this category and its sub-categories.

This also facilitates the deprecation of the WDACConfig module which is replaced with the new modern AppControl Manager.
@HotCakeX (Owner)

HotCakeX commented Jan 2, 2025