Battle.net SSL/TLS Issues

I recently installed Battle.net App on my desktop (Win 11 Pro). I also have a few IIS websites running on it. I had adjusted the Protocols/Ciphers/Hashes/Key Exchanges settings (w/ Qualys SSL Labs IISCrypto) to disable insecure or weak settings. This had the side effect of preventing the app from connecting to the server. I played around with the settings to realize a few things about the servers. They do support either TLS 1.2 or 1.3, but they seem to be ONLY supporting the hash algorithm SHA-1 and/or weak ciphers based around that and TLS_RSA key exchange. I would like to suggest changing the settings to support more than SHA-1 and the weak ciphers, leaving the old ones on for backwards compatibility with older machines. (I hear you still support Windows 7 machines, which Windows 7 is 1 year (01/14/2020) past end of life.) This way security minded people like me can disable the weak/insecure ciphers and hashes and still connect to the servers and play the games. The only reason not to would be if these ciphers are coded into the app instead of handing them over to the operating system, which is bad programming practice.

5 Likes

Just ran into this too, appreciate having another person concerned about it… hopefully they fix in next cycle if possible.

1 Like

I am posting here because I had the exact same thing happen to me and support told me to respond, specifically: "If you have any suggestions or feedback about these SSL requirements though, you can definitely provide that on the Blizzard app forums. You can find a similar discussion on the SSL ciphers here:". TBH I am not sure why the WoW login / Battle.net login still supports TLS 1.0 and 1.1 and not modern SSL ciphers. FWIW, you can disable TLS 1.0 / 1.1 and leave TLS 1.2 enabled, or just use IISCrypto's best practice template, then tick off TLS 1/1.1.

2 Likes

What server(s) are supporting the SHA1 hash algorithm?

I did a quick check against us.battle.net and see TLS1.2 supported for these Cipher suites:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS|256|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS|128|
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 2048 bits FS|256|
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 2048 bits FS|128|

TLS 1.1 does use SHA1 and looks to be there just for legacy.

Perhaps the issue is the client? I briefly looked at the temporary storage and it appears to be using some form of a Chromium-based engine.

I can only assume if the reports are true, the client is trying to connect to other servers that may not be as secure. Does anyone have that information?

1 Like

These ciphers are only used to authenticate against battle.net. The actual communication that the client uses is still only SHA-1 based with older TLS.

1 Like

I hope Blizzard support fixes this. Machines with a more strict TLS cipher suite cannot authenticate to battle.net and get the generic BLZBNTBGS80000011 error code. The battle.net servers are not using modern cipher suites as seen on SSLLabs.

So no TLS 1.3 and only older ciphers. If you are getting this, check out this setting on Windows:

Administrative Templates → Network → SSL Configuration Settings → SSL Cipher Suites

You need to add one or both of these to get battle.net to work:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Here’s one with modern cipher suites and more of a full config:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_RC4_128_SHA,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA

Please note, this probably only applies to users on corporate machines. If you are a home user, you likely should ignore this as you can mess up your box if you set the wrong cipher suites.

2 Likes

I have confirmed it was SPECIFICALLY cipher suite:
TLS_RSA_WITH_AES_256_CBC_SHA

That I had to add and then perform a REBOOT, and it instantly started working!
I used IISCrypto.exe the free exe to do this rather than the group policy edit directly.
(P.S. I didn’t have to mess with my TLS settings, which currently the lowest for me is 1.1)

1 Like

I know this topic is old, but I just hardened my new PC build and I work in IT where security is a main focus.

My hardening broke it and I originally thought it was due to DNSsec and filtering but thankfully once I re-enabled the SHA hash in my registry, everything worked.
HKLM\system\currentcontrolset\control\securityproviders\schannel\hashes
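An added audit script (mine, not code from the thread or from Blizzard) that checks a Windows 10/11 box for the three cipher suites the posts above name as sufficient and for the Schannel SHA hash key from the last post; it assumes the built-in TLS PowerShell module (Get-TlsCipherSuite / Enable-TlsCipherSuite) and changes nothing unless -Remediate is passed.

```powershell
#Requires -RunAsAdministrator
# Added example: report which of the thread's cipher suites are enabled on this box
# and whether the Schannel SHA hash is disabled, before touching any settings.
param(
    # Pass -Remediate to enable the preferred suite; default is report-only.
    [switch]$Remediate
)

# Suites the posts above report as enough to get the client connecting.
# The ECDHE/GCM suite is listed first on purpose: it gives forward secrecy and an
# AEAD cipher, so prefer it over the TLS_RSA / CBC-SHA1 suite when one is enough.
$CandidateSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA'
)

$enabled = (Get-TlsCipherSuite).Name
Write-Host "Enabled cipher suites on this box: $($enabled.Count)"
foreach ($suite in $CandidateSuites) {
    $state = if ($enabled -contains $suite) { 'enabled' } else { 'MISSING' }
    Write-Host ("{0,-45} {1}" -f $suite, $state)
}

# The last post points at the Schannel Hashes key: if SHA\Enabled is 0, Schannel
# rejects SHA-1-based suites no matter what the cipher suite list says.
$shaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA'
$sha = Get-ItemProperty -Path $shaKey -Name Enabled -ErrorAction SilentlyContinue
if ($null -eq $sha)         { Write-Host 'SHA hash key: not set (Schannel default = enabled)' }
elseif ($sha.Enabled -eq 0) { Write-Host 'SHA hash key: DISABLED (Enabled=0)' }
else                        { Write-Host "SHA hash key: enabled (Enabled=$($sha.Enabled))" }

if ($Remediate -and ($enabled -notcontains $CandidateSuites[0])) {
    # Enable only the ECDHE/GCM suite, at the top of the priority list. As the
    # thread reports, a reboot is still needed before Schannel uses it.
    Enable-TlsCipherSuite -Name $CandidateSuites[0] -Position 0
    Write-Host "Enabled $($CandidateSuites[0]); reboot for Schannel to apply it."
}
```

Run it first without -Remediate and compare the MISSING lines against the BLZBNTBGS80000011 error mentioned above; on a box where only TLS_RSA_WITH_AES_256_CBC_SHA was removed, the report tells you whether the stronger ECDHE suite is already available before you re-enable the weaker one.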