03-16-2023 07:14 AM
Hello all,
I am currently developing a console application in C# in order to perform small tasks inside of a Service-Now Instance. While originally, this was working well, it seems that now the service-now instance can no longer be accessed by my server or any server on that domain. This is due to the fact that when these devices attempt to perform the TLS handshake, after the Client Hello from our system, the Service-Now instance sends a TCP reset and the connection closes. I have tested this with other instances we own and the issue does not present. All Servers on the domain I am testing from are affected, and there are multiple networks to this domain. The device I am developing the console app on is a MS Server 2019. If I attempt to navigate to the website I get the unsecure/outdated TLS method IE error message. I tried to send a request with Postman as well without success. I have exported the code and run it without any issue outside that domain.
My question is, has anyone had this issue before? We are getting the TCP reset from the instance practically immediately. Any more suggested tips for me to troubleshoot? My network guys say they see traffic pass through without issue.
04-10-2023 07:46 AM
03-16-2023 10:23 PM
Hi @Ngauthier ,
It sounds like the Service-Now instance is rejecting the TLS handshake from your server due to an issue with the TLS configuration. It's possible that the server is using a TLS version or cipher suite that the instance does not support or has deprecated.
Here are a few steps you can take to troubleshoot the issue:
1. Check the TLS version and cipher suites supported by the Service-Now instance. You can use a tool like OpenSSL to test this by running the following command:

   openssl s_client -connect <service-now-instance-url>:443 -tls1_2 -cipher 'ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH'

   This command will attempt to connect to the Service-Now instance using TLS 1.2 and will test all available cipher suites except for those with null or weak encryption. If the connection is successful, you should see the SSL/TLS handshake messages in the terminal. If the connection fails, the output should provide more information about the issue.
2. Check the TLS version and cipher suites supported by your server. You can use the same OpenSSL command on your server to test this. If your server is using an outdated or deprecated TLS version or cipher suite, you may need to update the configuration.
3. Check the firewall and network settings for any issues. It's possible that there is a firewall or other network device that is blocking the TLS handshake or causing issues with the connection.
4. Contact Service-Now support for assistance. They may be able to provide more information about the issue and help you resolve it.
If my response helps you to resolve the issue, close the question by ✅ accepting the solution and hit the 👍 thumb icon. Others will benefit from correct answers in the future.
Thanks,
Ratnakar
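Since the reset in this thread arrives right after the Client Hello, it helps to see exactly what a client offers in that message. The following is an added example, not part of any post in this thread: it uses Python's ssl module to produce a Client Hello in memory, with no network traffic, and parses the offered versions, cipher suites and SNI. The hostname is a placeholder, and the Client Hello is assumed to fit in a single TLS record.

```python
import ssl
import struct

NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def capture_client_hello(ctx, host):
    """Return the first TLS record `ctx` would send to `host`, without any network I/O."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: Client Hello written, client is now waiting for the server
    return outgoing.read()

def parse_client_hello(record):
    """Extract versions, cipher suites and SNI from one raw Client Hello record."""
    if len(record) < 45 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a Client Hello")
    pos = 9                                   # 5-byte record + 4-byte handshake header
    legacy = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                             # client_version + random
    pos += 1 + record[pos]                    # session_id
    n = struct.unpack_from("!H", record, pos)[0]
    suites = list(struct.unpack_from("!%dH" % (n // 2), record, pos + 2))
    pos += 2 + n
    pos += 1 + record[pos]                    # compression methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    sni, versions = None, []
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        data = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0:                        # server_name: list_len, type, name_len, name
            name_len = struct.unpack_from("!H", data, 3)[0]
            sni = data[5:5 + name_len].decode("ascii")
        elif etype == 43:                     # supported_versions, sent by clients offering TLS 1.3
            versions = list(struct.unpack_from("!%dH" % (data[0] // 2), data, 1))
    return {"legacy_version": legacy, "supported_versions": versions,
            "highest_offered": max(versions or [legacy]),
            "cipher_suites": suites, "sni": sni}

if __name__ == "__main__":
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # mirror a client pinned to TLS 1.2
    info = parse_client_hello(capture_client_hello(ctx, "instance.example.invalid"))
    print("highest version offered:", NAMES.get(info["highest_offered"]))
    print("SNI:", info["sni"])
    print("cipher suites:", ", ".join("0x%04X" % s for s in info["cipher_suites"]))
```

The captured hello reflects Python's OpenSSL build, not the TLS stack a C# application uses on Windows; `parse_client_hello` also accepts the raw bytes of a Client Hello record exported from a packet capture, which lets the two be compared.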
03-17-2023 12:18 AM - edited 03-17-2023 05:14 AM
accidentally wrote two replies as they wouldn't show up
03-17-2023 12:24 AM
I did already run a Wireshark on the server and confirm that TLS 1.2 was being used. I even specified it in my console app, if I try a different version of TLS it throws me back a different error.
Would the command you mentioned be a better test for TLS?
I can also confirm that I can ping the instance as well as telnet into it using ports 80 and 443, so traffic IS getting through, just wondering what kind of policy could potentially be blocking the handshake to that specific instance.
I am attempting to get in touch with Service-now to see if they can run a packet capture from the instance's side and see what they receive/send in regards to that handshake.
03-20-2023 11:54 PM
Do you maybe have a traffic analyzer that proxies TLS traffic and replaces certificates on the console application end (and perhaps that proxy tries to use a TLS version not supported by SN)?