The WinHTTP 12175 error occurs primarily because the SSL handshake fails, which can happen for the following three reasons:
Not all certificates required for successful agent communication are installed within the Trusted CA under the local computer account. For details, see Certificates.
The necessary support for TLSv1.2 communication is missing on the host system. The Qualys cloud agent requires TLSv1.2 support for communication. For details, see TLS Support.
Supported cipher suites are not enabled on the impacted host system. For details, see Cipher Suites Support.
Error 12175 - The function is unfamiliar with the Certificate Authority that generated the server's certificate
Cause
The issue may occur due to one of the following reasons:
Proxy not allowing Qualys certificate.
The system does not trust Qualys's certificate.
This error is related to a CA public certificate chain failure. In general, the certificate chains to standard public root certificates that are present in the OS. However, some users manage the certificate stores on their hosts themselves and do not allow CA public certificates. In another scenario, if a proxy is being used, the proxy may not allow the certificate through or may use the wrong SSL/TLS version. In this case, the following entries can be found in the Cloud Agent log file:
1/21/2016 13:04:01.0074 Error: WinHttp Security Failure:
The function is unfamiliar with the Certificate Authority that generated the server's certificate.
11/21/2016 13:04:01.0074 Error: Failed to send request to web service: (Error: 12175)
11/21/2016 13:04:01.0074 Error: CommRequest() failed to Provision with error: 12175."
If proxy servers are being used, there may be an issue with a proxy that is not allowing the certificate through or is using the wrong SSL/TLS version. If this is the case, try a direct connection and check whether it works. If it works with a direct connection, contact the team responsible for managing the proxy and have them check the problem.
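The direct-connection check described above can be scripted. The following is an added example, not part of the original Qualys documentation: it opens a TCP connection straight to the platform host (bypassing any configured proxy), forces TLS 1.2, and reports what certificate chain validation found. It assumes PowerShell 3.0 or later with .NET 4.5 or later; the host name is the example POD URL from this page and the variable names are illustrative.

```powershell
# Added example: direct TLS 1.2 handshake probe that bypasses any configured proxy.
$HostName = 'qagpublic.qg1.apps.qualys.com'   # example POD host from this page; use your own
$Port     = 443
$script:probe = $null

# Record what chain validation found instead of aborting, so every problem is listed.
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $policyErrors)
    $script:probe = [pscustomobject]@{
        PolicyErrors = $policyErrors
        Chain        = @($chain.ChainElements | ForEach-Object {
            [pscustomobject]@{
                Subject = $_.Certificate.Subject
                Issuer  = $_.Certificate.Issuer
                Status  = ($_.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
            }
        })
    }
    $true   # diagnostic only: no application data is sent over this connection
}

$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $tcp.Connect($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
    'TLS handshake completed: {0}, {1}' -f $ssl.SslProtocol, $ssl.CipherAlgorithm
} catch {
    'TLS handshake failed: {0}' -f $_.Exception.GetBaseException().Message
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

if ($null -eq $script:probe) {
    'No server certificate was evaluated: failure came before validation (network path, TLS 1.2 or cipher suites).'
} elseif ($script:probe.PolicyErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
    'Chain not trusted ({0}):' -f $script:probe.PolicyErrors
    $script:probe.Chain | Format-List
} else {
    'Certificate chain is trusted for this user context.'
}
```

Chain building for an interactive user also consults that user's certificate stores, so a trusted result here does not prove that the local computer store is complete.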
If a proxy is not being used, the issue may occur if the system does not trust Qualys's certificate. One of the common scenarios noticed is when the user has turned OFF the certificate store of the system.
In this case, the Qualys certificate needs to be downloaded (specific to the POD, for example, https://qagpublic.qg1.apps.qualys.com for US Platform1) and installed in the local system cert store and not the browser.
Please download and install the root and intermediate certificates on the target host concerned.
To download the Qualys certificate, perform the following steps:
Browse to your Cloud Agent Server Platform URL. For the list of Cloud Agent Servers, refer to https://www.qualys.com/platformidentification/.
Click View Site Information.
Navigate to Connection is secure > Certificate is valid > Details.
Click Export.
To import the certificate, perform the following steps:
Add the Certificates snap-in to an MMC for a computer account.
Ensure that you select Computer Account and not User Account.
Click Start, type mmc in the Search programs and files box, and then press ENTER.
In the Console, click File menu > Add/Remove Snap-in.
In the Add or Remove Snap-ins dialog box > Available snap-ins, double-click Certificates.
Select Computer account, and then click Next.
To manage certificates for the local computer, click Local computer, and then click Finish.
In the console tree, double-click Certificates.
Right-click the Trusted Root Certification Authorities store.
Click Import to import the certificates and follow the steps in the Certificate Import Wizard.
Right-click the Intermediate Certification Authorities store.
Click Import to import the certificates and follow the steps in the Certificate Import Wizard.
Once the certificates are installed, stop and start the agent service to reset the connection. If you still see the same error, refer to TLS Support.
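The import steps above can also be performed from an elevated PowerShell session. This is an added example, not part of the original Qualys documentation; the file paths are hypothetical, the `Import-Certificate` cmdlet requires Windows 8 / Server 2012 or later, and matching the service by a display name containing "Qualys" is an assumption to confirm with `Get-Service`.

```powershell
# Added example: import exported certificates into the local computer stores.
# Run elevated. Both file paths are hypothetical placeholders.
$rootFile         = 'C:\Temp\platform-root.cer'
$intermediateFile = 'C:\Temp\platform-intermediate.cer'

$x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$root         = New-Object $x509 $rootFile
$intermediate = New-Object $x509 $intermediateFile

# A root CA certificate is self-signed; never place anything else in the Root store.
if ($root.Subject -ne $root.Issuer) {
    throw "Not self-signed, refusing to trust as a root: $($root.Subject)"
}
if ($intermediate.Subject -eq $intermediate.Issuer) {
    throw "Self-signed certificate supplied as intermediate: $($intermediate.Subject)"
}
if ($intermediate.Issuer -ne $root.Subject) {
    Write-Warning 'Intermediate was not issued by the supplied root; the chain may stay incomplete.'
}
$now = Get-Date
foreach ($cert in $root, $intermediate) {
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate outside its validity period: $($cert.Subject)"
    }
}

# Compare these thumbprints with the CA's published values before importing.
'Root thumbprint:         {0}' -f $root.Thumbprint
'Intermediate thumbprint: {0}' -f $intermediate.Thumbprint

# LocalMachine\Root = Trusted Root Certification Authorities (computer account)
# LocalMachine\CA   = Intermediate Certification Authorities (computer account)
Import-Certificate -FilePath $rootFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $intermediateFile -CertStoreLocation Cert:\LocalMachine\CA | Out-Null

# Confirm both landed in the computer stores, not the user stores.
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Thumbprint -in $root.Thumbprint, $intermediate.Thumbprint } |
    Select-Object PSParentPath, Subject, NotAfter

# Stop and start the agent service (assumed display-name match).
Get-Service -DisplayName '*Qualys*' | Restart-Service
```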
Ensure that TLSv1.2 or later is enabled on client machines to communicate with Qualys Cloud Platform.
Cloud Agent for Windows uses cryptographic protocol support provided by the Windows operating system. Older Windows operating systems (including Windows XP, Embedded Standard, Server 2003/SP2, Server 2008/SP1/SP2, and potentially others if explicitly configured) do not have TLS 1.2 support on the operating system for Cloud Agent to use.
For more information, refer to Deprecating TLSv1.0 and TLSv1.1.
Many legacy systems are not equipped with the cipher suites that are supported by the Qualys Cloud Agent service. The following image displays the ciphers that are currently supported by an example platform.
Use the SSLLABS tool against the URLs in the Qualys Shared Platform URLs list to ensure your machine can communicate using the platform's available cipher suites. For more information, see https://ssllabs.com.
Check the following location for current cipher suites enabled on the Windows system: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
Note: A system reboot is required for newly enabled ciphers to take effect. Sometimes, group policies impact the ciphers being used. It is advised to take a PCAP capture to look for the SSL failure reason. For details on how to take a PCAP, see Capture Network Traffic.
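The TLS 1.2 and cipher checks above can be read from the registry in one pass. This is an added, read-only example, not part of the original Qualys documentation. Beyond the Ciphers key named on this page, it assumes the standard SCHANNEL Protocols key and the Group Policy cipher suite order key; it reads through the .NET registry API because cipher key names such as "AES 128/128" contain a slash that the PowerShell registry provider treats as a path separator.

```powershell
# Added example: read-only SCHANNEL check for TLS 1.2 and cipher settings.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm = [Microsoft.Win32.Registry]::LocalMachine

# TLS 1.2 client settings; a missing key means the operating system default applies.
$tls = $hklm.OpenSubKey("$base\Protocols\TLS 1.2\Client")
if ($tls) {
    'TLS 1.2 client: Enabled={0} DisabledByDefault={1}' -f `
        $tls.GetValue('Enabled'), $tls.GetValue('DisabledByDefault')
    $tls.Close()
} else {
    'TLS 1.2 client: no registry override, OS default applies'
}

# Cipher overrides under the Ciphers key named on this page.
$ciphers = $hklm.OpenSubKey("$base\Ciphers")
if ($ciphers) {
    foreach ($name in $ciphers.GetSubKeyNames()) {
        $sub     = $ciphers.OpenSubKey($name)
        $enabled = $sub.GetValue('Enabled')
        $sub.Close()
        $state = if ($null -eq $enabled) { 'OS default' }
                 elseif ($enabled -eq 0) { 'disabled' }
                 else                    { 'enabled' }
        [pscustomobject]@{ Cipher = $name; State = $state }
    }
    $ciphers.Close()
}

# A cipher suite order pushed by Group Policy overrides the local default order.
$policy = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002')
if ($policy -and $policy.GetValue('Functions')) {
    'Group Policy cipher suite order is set:'
    $policy.GetValue('Functions') -split ','
    $policy.Close()
}

# Effective suite list, where the cmdlet exists (Windows 10 / Server 2016 and later).
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    'Effective cipher suites:'
    (Get-TlsCipherSuite).Name
}
```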