When trying to connect to the site https://app.asana.com/api/1.0/ or generally https://app.asana.com/ on Windows Server 2012 R2 (which does not support TLS 1.3), I’m getting the error “The request was aborted: Could not create SSL/TLS secure channel.”
Recently, we were still using win2012R2 too, without trouble, but we needed to add that line in dotnet code and the equivalent in PowerShell scripts.
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
Also, I think we also had to set a few registry keys to disable old protocols, not sure.
But, a few weeks ago, we decided it was time to update, as we started getting trouble connecting to other services, like Mailchimp, and some Asana-like products we also connect in ours (Bridge24). For Mailchimp, we were absolutely unable to call them from 2012 r2, we never found any solution and had to install a temporary proxy, waiting for our server upgrade!
So we finally moved from win2012r2 to 2022 (aws ec2 instance)
TLS 1.2 is still supported but we recently rolled out a new CDN which limits the TLS ciphers we support. [Change] Infrastructure (CDN) rollout and potential new 400 & 403 errors
This is the page which lists the supported ciphers: Supported protocols and ciphers between viewers and CloudFront - Amazon CloudFront
Apologies, I’m not too familiar with Windows Server, but there might be a way to configure preferred ciphers? This might not be relevant, but something I found: Manage Transport Layer Security (TLS) in Windows | Microsoft Learn
Yep, that’s it!
Temporarily using https://deprecated-api.asana.com/api/1.0 fixes the problem.
If you encounter a critical problem during the January 2024 rollout, you can temporarily make requests to https://deprecated-api.asana.com/api/1.0 to route requests to our older infrastructure. We intend to remove this option on March 1, 2024.
Now I will try to find out how to solve the problem eventually. Thanks.
Do you know how the temporary proxy was installed or what tool/library you used to accomplish this? Also having issues with win2012r2 and Asana oauth and I can’t find any solution for it. Tried changing registry values and everything.
Yes I know, because I did
In fact, there’s no magic, we quickly coded something on another, more recent server.
We asked server2 (win2016) to call mailchimp on our behalf, we coded something very quickly, waiting for time to install a new win 2022 server.
For a time, server 2012r2 was calling server 2016, which was calling mailchimp and other services affected by tls 1.2 issue / deprecation.
I suppose that if we did not do that in time, we would also get issues with asana oauth today.
After a lot of trial-and-error and despite the IIS Crypto’s “Best Practice” template, we had to allow the following Ciphers:
Without those 2 Asana was blocking our API connections.
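To check whether a cipher or registry change actually lets a given machine complete a TLS 1.2 handshake with the API host, a probe along these lines can be run after each change. This is an added example, not code from any poster in this thread; the function names `Test-Tls12Handshake` and `Get-CipherSuitePolicy` are made up for illustration, and the registry path is the standard Schannel cipher suite order policy location.

```powershell
# Added example: report what Schannel negotiates with a host, or why the handshake fails.
function Test-Tls12Handshake {
    param([string]$HostName = 'app.asana.com', [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        # No validation callback is supplied, so normal certificate checks stay in force.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        # Offer TLS 1.2 only, matching the SecurityProtocol setting quoted in the thread.
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        [pscustomobject]@{
            Host        = $HostName
            Success     = $true
            Protocol    = $ssl.SslProtocol
            Cipher      = $ssl.CipherAlgorithm
            KeyBits     = $ssl.CipherStrength
            KeyExchange = $ssl.KeyExchangeAlgorithm
            Hash        = $ssl.HashAlgorithm
            Error       = $null
        }
    } catch {
        # A cipher mismatch surfaces here as a handshake failure from Schannel.
        [pscustomobject]@{
            Host    = $HostName
            Success = $false
            Error   = $_.Exception.GetBaseException().Message
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

function Get-CipherSuitePolicy {
    # Cipher suite order set by Group Policy or a configuration tool; empty if none is set.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $p = Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue
    # The value may be one comma-separated string or a multi-string; handle both.
    if ($p) { @($p.Functions) -split ',' | Where-Object { $_ } } else { @() }
}

Test-Tls12Handshake -HostName 'app.asana.com' | Format-List
"Configured cipher suite order ({0} entries):" -f @(Get-CipherSuitePolicy).Count
Get-CipherSuitePolicy
```

Schannel reads its cipher configuration at startup, so a registry change may only show up in the probe result after a reboot.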