Login failed. Budget planning - electronic budget (certificate entry)

If access to a specific site fails and the browser displays an error message, there is a reasonable explanation. This article covers the causes and the ways to fix the problem.

SSL/TLS protocol

Users in budget organizations, and not only budget ones, whose work is directly tied to finance and who interact with financial bodies such as the Ministry of Finance or the Treasury, carry out all their operations exclusively over the SSL-protected protocol. For this work they mostly use the Internet Explorer browser and, in some cases, Mozilla Firefox.

SSL error

The main focus in these operations, and in the work as a whole, is on the protection system: certificates and electronic signatures. The CryptoPro software is used for this. As for problems with the SSL and TLS protocols, if an SSL error appears, the protocol is most likely not supported.

TLS error

A TLS error in many cases also indicates a lack of support for the protocol. But let's see what can be done in this case.

SSL and TLS Protocol Support

So, when you use Microsoft Internet Explorer to visit an SSL-protected website and an error is displayed in the title bar, make sure the SSL and TLS protocols are enabled. First of all, enable support for the TLS 1.0 protocol in Internet Explorer.

If you visit a website that runs Internet Information Services 4.0 or higher, configuring Internet Explorer to support TLS 1.0 helps protect your connection. Of course, this assumes that the remote web server you are trying to use supports this protocol.

To do this, on the Tools menu, select Internet Options.

On the Advanced tab, in the Security section, make sure the following check boxes are selected:

  • Use SSL 2.0.
  • Use SSL 3.0.
  • Use TLS 1.0.

Click Apply, and then OK. Restart the browser.

After turning on TLS 1.0, try to visit the website again.

System security policy

If SSL and TLS errors still occur and you still cannot use SSL, the remote web server probably does not support TLS 1.0. In this case, you need to disable the system policy that requires FIPS-compliant algorithms.

To do this, in Control Panel, choose Administrative Tools, and then double-click the Local Security Policy icon.

In Local Security Settings, expand the Local Policies node, and then click Security Options.

Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Disabled.

Attention!

The change takes effect after the local security policy is reapplied. Turn it on, then restart the browser.

CryptoPro TLS/SSL

Update CryptoPro

One solution to the problem is to update CryptoPro and configure the resource. In this case, this means working with emails. Navigate to the Certification Center. As the resource, select electronic trading platforms.

After you start the automatic configuration of the workplace, all that remains is to wait for the procedure to complete and then reload the browser. If you are asked to enter or select the resource address, choose the one you need. At the end of the setup, you may also need to restart the computer.

TLS is the successor to SSL, a protocol that provides a reliable and secure connection between nodes on the Internet. It is used in the development of various clients, including browsers and client-server applications. What is TLS in Internet Explorer?

A little about technology

All enterprises and organizations that handle financial transactions use this protocol to prevent packet sniffing and unauthorized access by intruders. The technology was created to protect important connections from attackers.

Organizations mostly use it through the built-in browser. In some cases, Mozilla Firefox.

Enabling and disabling the protocol

Some sites cannot be opened because support for SSL and TLS is disabled. The browser shows a corresponding notification. So, how do you enable the protocols to keep using a secure connection?

1. Open the Control Panel from the Start menu. Alternatively, open Internet Explorer and click the gear icon in the upper right corner.

2. Go to the "Browser Properties" section and open the "Advanced" block.

3. Select the check boxes next to "Use TLS 1.1" and "Use TLS 1.2".

4. Click OK to save the changes. If you want to disable the protocols, which is strongly discouraged, especially if you use Internet banking, clear the same check boxes.

What is the difference between 1.0, 1.1 and 1.2? Version 1.1 is just a slightly improved version of TLS 1.0 that partially inherited its flaws. Version 1.2 is the most secure version of the protocol. On the other hand, not all sites will open with this protocol version enabled.

As you know, the Skype messenger is directly tied to Internet Explorer as a Windows component. If the TLS protocol is not selected in the settings, problems may arise with Skype. The program simply will not be able to connect to the server.

If TLS support is disabled in the Internet Explorer settings, none of the program's network-related functions will work. Moreover, the safety of your data depends on this technology. Do not neglect it if you carry out financial operations in this browser (purchases in online stores, money transfers through Internet banking or an electronic wallet, etc.).

In October, Google engineers published information about a critical vulnerability in SSL version 3.0, which received the amusing name POODLE (Padding Oracle On Downgraded Legacy Encryption 🙂). The vulnerability allows an attacker to access information encrypted with the SSLv3 protocol by using a man-in-the-middle attack. Both servers and clients that can connect over SSLv3 are affected.

In general, the situation is not surprising: the SSL 3.0 protocol, first presented in 1996, was already 18 years old and obsolete. In most practical tasks it has already been replaced by the TLS cryptographic protocol (versions 1.0, 1.1 and 1.2).

To protect against the POODLE vulnerability, it is recommended to completely disable SSLv3 support on both the client side and the server side and to use only TLS from then on. For users of obsolete software (for example, using IIS 6 on Windows XP), this means that they will no longer be able to view HTTPS pages and use other SSL services. If SSLv3 support is not disabled completely, the POODLE vulnerability remains even when stronger encryption is used by default. This is due to the way the client and the server select and negotiate the protocol: when a failure is detected while using TLS, the connection automatically falls back to SSL.

We recommend checking all your services that can use SSL/TLS in any form and disabling SSLv3 support. You can check your web server for the vulnerability using an online test, for example, here: http://poodlebled.com/.

Note. Keep in mind that disabling SSLv3 at the level of the entire system only works for software that uses the system APIs for SSL encryption (Internet Explorer, IIS, SQL NLA, RRAS, etc.). Programs that use their own cryptographic libraries (Firefox, Opera, etc.) need to be updated and configured individually.

Disable SSLv3 in Windows at the system level

In Windows, support for the SSL/TLS protocols is managed through the registry.

In this example, we will show how to disable SSLv3 completely at the system level (for both the client and the server) in Windows Server 2012 R2:

Disable SSLv2 (Windows 2008 / Server and below)

In operating systems preceding Windows 7 / Windows Server 2008 R2, the even less secure and outdated SSLv2 protocol is used by default. It should also be disabled for security reasons (in more recent versions of Windows, SSLv2 is disabled by default at the client level and only SSLv3 and TLS 1.0 are used). To disable SSLv2, repeat the procedure described above, only for the registry key SSL 2.0.

In Windows 2008/2012, SSLv2 is disabled on the client by default.

Enable TLS 1.1 and TLS 1.2 in Windows Server 2008 R2 and above

Windows Server 2008 R2 / Windows 7 and above support the TLS 1.1 and TLS 1.2 protocols, but by default these protocols are disabled. Support for TLS 1.1 and TLS 1.2 in these versions of Windows can be enabled in a similar way.
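The registry changes referred to in the three sections above (disabling SSLv3 and SSLv2, enabling TLS 1.1 and TLS 1.2), as an added PowerShell example that is not part of the original article. It uses the Schannel `Protocols` registry key with its `Enabled` and `DisabledByDefault` values; the function names `Set-SchannelProtocol` and `Get-SchannelProtocolState` are hypothetical helpers, and PowerShell 3.0 or later in an elevated session is assumed.

```powershell
# Added example (not from the original article). Run elevated; restart afterwards.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {          # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Protocol,   # 'SSL 2.0', 'SSL 3.0', 'TLS 1.1', ...
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $SchannelProtocols "$Protocol\$role"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled = 0 refuses the protocol; DisabledByDefault = 1 stops it
        # from being offered unless an application requests it explicitly.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {     # hypothetical helper name
    foreach ($protocol in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path $SchannelProtocols "$protocol\$role"
            $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            # A missing key or value means the operating system default applies.
            [pscustomobject]@{
                Protocol          = $protocol
                Role              = $role
                Enabled           = if ($null -ne $values.Enabled) { $values.Enabled } else { 'OS default' }
                DisabledByDefault = if ($null -ne $values.DisabledByDefault) { $values.DisabledByDefault } else { 'OS default' }
            }
        }
    }
}

# Record the state before changing anything, so the change can be reverted.
Get-SchannelProtocolState | Format-Table -AutoSize

Set-SchannelProtocol -Protocol 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $true
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

# Confirm the result; the new settings apply after a restart.
Get-SchannelProtocolState | Format-Table -AutoSize
```

Keep the first table: clients or services that still depend on SSLv3 will fail after the restart, and the saved values show what to restore.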


Utility for managing system cryptographic protocols in Windows Server

There is a free IIS Crypto utility that allows you to conveniently manage the cryptographic protocols in Windows Server 2003, 2008 and 2012. With this utility, you can enable or disable any of the encryption protocols in just two clicks.

The program already has several templates that allow you to quickly apply presets for various options for security settings.

Problem

When you try to log in to the personal account of the GIIS "Electronic Budget", an error message appears:

Could not display this page

Turn on TLS 1.0, TLS 1.1 and TLS 1.2 protocols in the "Advanced Settings" section and try to connect to the https://ssl.budgetplan.minfin.ru. If you cannot eliminate the error, contact the website administrator.

Solution

You must check the workplace settings according to the document.

The instructions do not mention several nuances:

  1. You need to install the CryptoPro EDS Browser Plug-in and check it on the demo page.
  2. In the antivirus settings, you need to disable SSL/TLS protocol filtering; in other words, add the desired site to the exclusions so that its protected connection is not scanned. Different antivirus products name this setting differently. For example, in Kaspersky FREE you need to go to "Setup > Optional > Network > Do not check Protected connections".

The TLS protocol encrypts all kinds of Internet traffic, thereby making communication and commerce on the Internet safe. We will explain how the protocol works and what awaits us in the future.

What is SSL

SSL, or Secure Sockets Layer, was the original name of the protocol, which was developed by Netscape in the mid-90s. SSL 1.0 was never publicly available, and version 2.0 had serious shortcomings. The SSL 3.0 protocol, released in 1996, was completely redesigned and set the tone for the next stage of development.

What is TLS

When the next version of the protocol was released in 1999, the Internet Engineering Task Force standardized it and gave it a new name: Transport Layer Security, or TLS. As stated in the TLS documentation, "the difference between this protocol and SSL 3.0 is not critical." TLS and SSL form a continually updated series of protocols, and they are often referred to together as SSL/TLS.

The TLS protocol encrypts Internet traffic of any kind. The most common type is web traffic. You can tell that your browser has established a TLS connection if the link in the address bar starts with "HTTPS".

TLS is also used by other applications, for example, in mail and teleconferencing systems.

How TLS works

Encryption is necessary to communicate safely on the Internet. If your data is not encrypted, anyone can analyze it and read confidential information.

The safest method of encryption is asymmetric encryption. It requires 2 keys, 1 public and 1 private. These are files with information, most often very large numbers. The mechanism is complex, but put simply, you use the public key to encrypt the data and need the private key to decrypt it. The two keys are linked by a complex mathematical formula that is difficult to break.

You can think of the public key as information about the location of a locked mailbox with a slot, and of the private key as the key that opens the box. Anyone who knows where the box is can put a letter in it. But to read it, a person needs the key that opens the box.

Since asymmetric encryption relies on complex mathematical calculations, it requires a lot of computational resources. TLS solves this problem by using asymmetric encryption only at the beginning of the session to encrypt communication between the server and the client. The server and the client must agree on a single session key, which they will use to encrypt data packets.

The process by which the client and the server agree on the session key is called the handshake. This is the moment when the 2 communicating computers introduce themselves to each other.

TLS handshake

The TLS handshake process is quite complicated. The steps below give a general outline of the process so that you understand how it works.

  1. The client contacts the server and requests a secure connection. The server responds with a list of ciphers - sets of algorithms for creating encrypted connections - that it knows how to use. The client compares the list with its own list of supported ciphers, chooses a suitable one and lets the server know which one they will both use.
  2. The server provides its digital certificate - an electronic document signed by a third party that confirms the authenticity of the server. The most important information in the certificate is the public key for the cipher. The client verifies the authenticity of the certificate.
  3. Using the server's public key, the client and the server establish the session key that they will both use throughout the session to encrypt communication. There are several methods for this. The client can use the public key to encrypt an arbitrary number, which is then sent to the server for decryption, and both parties then use this number to establish the session key.

The session key is valid only for one continuous session. If communication between the client and the server is interrupted for some reason, a new handshake is needed to establish a new session key.

TLS 1.2 and TLS 1.2 Protocol Vulnerabilities

TLS 1.2 is the most common version of the protocol. This version established the initial set of session encryption options. However, like some previous versions of the protocol, it allowed older encryption techniques to be used in order to support old computers. Unfortunately, this led to vulnerabilities in version 1.2, since these older encryption mechanisms have become more vulnerable.

For example, the TLS 1.2 protocol has become particularly vulnerable to man-in-the-middle attacks, in which the hacker intercepts data packets in the middle of the session and forwards them after reading or altering them. Many of these problems surfaced over the past 2 years, so it became necessary to urgently create an updated version of the protocol.

TLS 1.3

Version 1.3 of the TLS protocol, which will soon be finalized, solves many of the vulnerability problems because it drops support for outdated encryption systems.

The new version is compatible with previous versions: for example, the connection rolls back to TLS version 1.2 if one of the parties cannot use a newer encryption system from the list of algorithms allowed by version 1.3 of the protocol. However, in a man-in-the-middle attack, if the hacker tries to force the protocol version back to 1.2 in the middle of the session, this action will be noticed and the connection will be interrupted.

How to enable support for TLS 1.3 in Google Chrome and Firefox browsers

Firefox and Chrome support TLS 1.3, but this version is not enabled by default. The reason is that it exists so far only in the draft version.

Mozilla Firefox

Enter about:config in the browser address bar. Confirm that you are aware of the risks.

  1. The Firefox settings editor opens.
  2. In the search field, enter security.tls.version.max
  3. Change the value to 4 by double-clicking the current value.

Google Chrome

  1. Enter chrome://flags/ in the browser address bar to open the experiments panel.
  2. Find the option #tls13-variant
  3. Click the menu and select Enabled (Draft).
  4. Restart the browser.

How to verify that your browser uses version 1.2

We remind you that version 1.3 is not yet in public use. If you do not want to use the draft variant, you can stay on version 1.2.

To verify that your browser uses version 1.2, follow the same steps as in the instructions above, and make sure that:

  • For Firefox, the value of security.tls.version.max is 3. If it is lower, change it to 3 by double-clicking the current value.
  • For Google Chrome: click the browser menu, select Settings, choose Show Advanced Settings, scroll down to the System section and click Open Proxy Settings...

  • In the window that opens, click the Security tab and check that the Use TLS 1.2 check box is selected. If it is not, select it and click OK.

Changes take effect after you restart the computer.

Quick tool for checking the SSL/TLS protocol version of the browser

Go to the online SSL Labs protocol version check. The page shows in real time the protocol version in use and whether the browser is exposed to any vulnerabilities.
