SSL/TLS and NGS CORS – Support Note

[This post is a duplicate of one that will also soon exist on community.trimble.com.]

Background

In September 2018, NGS CORS changed the security protocol requirements for applications attempting to download base station files from their servers via HTTPS. Applications must now use one of the latest SSL/TLS protocols, or attempts to download base station files will fail. Users of GPS Pathfinder Office or Trimble Positions Desktop add-in may start receiving errors when attempting to download base station files from NGS CORS base stations if the most recent protocols are not available or enabled on their desktop computer. Error messages may include the text “Could not create SSL/TLS secure channel.”

Although base station files can still be downloaded manually through the browser and used for post-processing in both GPS Pathfinder Office and Trimble Positions Desktop add-in, we recognize that this workaround is cumbersome and not appropriate for all users. Solutions for users of both Trimble desktop products are described below.

Older operating systems (Windows Vista/Windows Server 2008 and older) will not support the latest SSL/TLS protocols as per this article from Microsoft.

Solution for Trimble Positions Desktop add-in Users

Trimble Positions Desktop add-in uses Microsoft .NET Framework components for all web (FTP, HTTP, HTTPS) operations. As such, behavior is dependent on the combination of .NET Framework versions that the user has installed on the desktop as well as the version that the Trimble Positions Desktop add-in targets when compiled. For full compatibility back through ArcGIS Desktop 10.1, the add-in only targets .NET Framework 4.0. Unfortunately, default behavior for HTTPS operations in older .NET Framework versions does not include the latest SSL/TLS protocols.

In order to properly resolve this, we will be providing a new version of Trimble Positions Desktop add-in (expected to be released as 10.6.1.1). In the interim, the following workaround can be used.

Interim Workaround

  1. Confirm that you have a recent .NET Framework version (>= 4.7) installed on your desktop computer. Note: this will be added as a prerequisite in the forthcoming version of Trimble Positions Desktop add-in.
  2. Add the following registry value to force .NET Framework 4.0 applications to use a more recent TLS protocol when performing HTTPS operations. This is a “DWORD (32-bit)” value of “1”.
    For 64-bit Windows:

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SystemDefaultTlsVersions"=dword:00000001

    For 32-bit Windows:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SystemDefaultTlsVersions"=dword:00000001  
  3. Restart the desktop computer and confirm proper base station file download behavior in Trimble Positions Desktop add-in.
  4. Verify HTTPS behavior in any other .NET Framework applications on the desktop computer (the registry change is safe as per Microsoft but will affect other .NET Framework applications).

Please refer to this Microsoft documentation for a detailed description of .NET Framework behavior in this area. A .reg file can also be downloaded from there although it contains 2 additional registry changes which are not required here.
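The interim workaround above can be checked and applied from PowerShell. This script is an added example, not a Trimble or Microsoft tool. It assumes the standard .NET Framework setup key and the Release threshold 460798 for version 4.7 from Microsoft's version-detection guidance, neither of which appears in this note, and its -Apply switch is a name chosen for this example.

```powershell
# Added example: audit and apply the SystemDefaultTlsVersions workaround.
# Without -Apply the script only reports; -Apply needs an elevated session.
param([switch]$Apply)

# Step 1: confirm .NET Framework >= 4.7 is installed.
# Assumption: Release >= 460798 means 4.7 or later (Microsoft guidance).
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndp -Name Release -ErrorAction SilentlyContinue).Release
if (-not $release -or $release -lt 460798) {
    Write-Warning "Installed .NET Framework is older than 4.7 (Release=$release). Install 4.7 or later first."
    return
}

# Step 2: choose the key given in this note for the Windows bitness.
if ([Environment]::Is64BitOperatingSystem) {
    $key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
} else {
    $key = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
}
$name = 'SystemDefaultTlsVersions'

# Report the current state so the change can be reviewed (and reverted) later.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$shown = if ($null -eq $current) { '<not set>' } else { $current }
Write-Output "$key\$name = $shown"

if ($current -eq 1) {
    Write-Output 'Workaround already in place; nothing to change.'
    return
}
if (-not $Apply) {
    Write-Output 'Report only. Re-run with -Apply from an elevated prompt to set the value to 1.'
    return
}

# Create the key if it is missing, then write the DWORD (32-bit) value 1.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
Write-Output "Set $name to 1. Restart the computer, then test the base station download (steps 3 and 4)."
```

Running it once without -Apply records the previous value, which is useful if another .NET Framework application misbehaves after the change and the setting has to be reverted.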

Solution for GPS Pathfinder Office Users

GPS Pathfinder Office uses Windows operating system components to facilitate the access and download of base station files. To check whether your operating system is capable of using the latest SSL/TLS protocol, follow these steps:

  1. Open up Internet Explorer.
  2. Click on the Tools button.
  3. Select Internet Options.
  4. Select the Advanced tab.
  5. Scroll down to the Security section, and ensure ‘Use TLS 1.2’ is checked.

Once this option is checked, close Internet Explorer. GPS Pathfinder Office should now be able to download base station files from NGS CORS stations.

If the TLS 1.2 option is not available, we recommend updating to the latest version of Internet Explorer and then checking again. If TLS 1.2 is still not available, we recommend following the instructions published by Microsoft here.
