Help in setting up cryptographic programs for working with the Electronic Invoice Portal. Error when trying to connect to the TLS server

If you're experiencing an issue where access to a specific site fails and a message appears in your browser, there's a reasonable explanation for this. The causes and solutions to the problem are given in this article.

SSL TLS protocol

Users in budgetary organizations, and others whose work is directly related to finance and who cooperate with financial bodies such as the Ministry of Finance or the Treasury, carry out all their operations exclusively over the secure SSL protocol. They mostly work in the Internet Explorer browser and, in some cases, in Mozilla Firefox.

SSL error

In these operations, and in the work in general, the main attention is given to the protection system: certificates and electronic signatures. The current version of the CryptoPro software is used for this work. As for issues with the SSL and TLS protocols: if an SSL error appears, most likely the protocol is not supported.

TLS error

In many cases a TLS error can also indicate a lack of support for the protocol. But let's see what can be done in this case.

Support for SSL and TLS protocols

So, when you use Microsoft Internet Explorer to visit a website over SSL, the title bar shows "Make sure SSL and TLS are enabled". First of all, you need to enable support for the TLS 1.0 protocol in Internet Explorer.

If you are visiting a website that is running Internet Information Services 4.0 or later, configuring Internet Explorer to support TLS 1.0 helps secure your connection. Of course, provided that the remote web server you are trying to use supports this protocol.

To do this, on the Tools menu, select Internet Options.

On the Advanced tab, in the Security section, make sure the following checkboxes are selected:

  • Use SSL 2.0
  • Use SSL 3.0
  • Use TLS 1.0

Click Apply, and then OK. Restart your browser.

After enabling TLS 1.0, try visiting the website again.

System Security Policy

If you still get SSL and TLS errors and still can't use SSL, the remote web server probably doesn't support TLS 1.0. In this case, you must disable the system policy that requires FIPS-compliant algorithms.

To do this, in Control Panel, select Administrative Tools, and then double-click Local Security Policy.

In the local security settings, expand the Local Policies node, and then click Security Options.

In the policy list on the right side of the window, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Disabled.

Attention!

The change takes effect after the local security policy is reapplied. Turn it on, then restart your browser.

CryptoPro TLS SSL

Update CryptoPro

One of the options for solving the problem is to update CryptoPro and set up the resource. In this case, the resource is work with electronic payments. Go to Certification Authority. For the resource, select E-Marketplaces.

After starting the automatic workplace setup, you only need to wait for the procedure to complete and then restart the browser. If you need to enter or select a resource address, choose the one you need. You may also need to restart your computer after the setup is complete.

Authorization on the Portal is possible with a valid public key certificate obtained in the public key infrastructures of the certification center RUE "Information and Publishing Center for Taxes and Duties" (hereinafter - RUE IIC) or in the Republican Certification Center of the State Public Key Management System for verifying the electronic digital signature of the Republic of Belarus (hereinafter - RTC GosSUOK).

Make sure that you have a disk with up-to-date software and a carrier of key information, the so-called key (for example, AvPass, AvToken, AvBign).

To work with the e-invoicing portal you need:

Open the system properties view: right-click the Computer (My Computer) shortcut and select Properties.

Check what the operating system properties look like:

The build year must match the actual release year of the operating system, for example:

  • for Windows XP - 2002
  • for Windows 7 - 2009 etc.

There should not be any extraneous pictures, except for the Windows logo (on pre-installed systems from well-known computer manufacturers, manufacturer logos and / or activation information may also be present).

Common builds that can cause problems: ZverCD, ZverDVD, PiterPen, Goletsa, etc.

Operation of cryptographic components on such builds is not guaranteed.

Subscriber package includes:

  • Crypto provider Avest CSP 6.3.0.791;
  • Crypto provider Avest CSP Bel 6.3.0.791;
  • Personal certificate manager 4.0.6;
  • Plugin AvCMXWebP 1.1.8;
  • AvJCEProv 1.3.1;

ATTENTION! If this cryptographic software is not installed on the user's PC, then the operation of the entire functionality of the portal and web service is not guaranteed!

The software, which includes a subscriber kit with the appropriate settings for the RUE IIC or RTC GosSUOK infrastructure and a personal certificate of the organization, is distributed on a CD. The certificate is usually issued for a number of years, so the software provided on the disc may become obsolete over time. At the moment, the current version of the crypto provider for users with certificates from the infrastructure of RUE IIC or RTC GosSUOK:

Avest CSP (check the version by opening Start - All Programs - Avest - Avest CSP - Version tab).

Avest CSP bel (check the version by opening Start - All Programs - Avest - Avest CSP bel - Version tab).

If you have an older version of Avest CSP or Avest CSP bel installed on your computer, then it is best to upgrade the entire subscriber kit. For this:

  1. Download and save to your computer the archive with the current subscriber kit for AvToken or AvPass carriers.
  2. The programs are in the archive. Be sure to unpack the archive before installing programs.
  3. Go to the unpacked directory with files ..\AvPKISetup(4.0.6.bign)\.
  4. If you do not have a certificate in your personal directory, find the ..\data\ folder and copy the certificate chain in *.p7b format with your current certificate from RUE IIC into it. The installer will not only update your programs, but also start importing this certificate into your personal directory.
  5. If you have an up-to-date certificate in your personal directory, then the installation can be started simply in the software update mode: Locate the AvPKISetup2.exe file and double-click it. The software update wizard will start. Follow the installation wizard. Be careful, you may need to restart your computer during the installation process.
  6. Detailed instructions for using the AvPKISetup automatic installer are located in the same archive in the folder ..\AvPKISetup(4.0.6.bign)\Docs\Instructions for installing software using AvPKISetup on the NCES 2.0.pdf workstation.

Make sure your certificate is valid. Open the personal manager corresponding to the certificate, go through authorization, and make sure that the certificate is valid and that the certificate revocation list (CRL, shown as "SOS") has not expired.

If the CRL has expired, use the button to automatically update the current CRLs.

Import CRL

If you are using Windows Server 2008R2, Windows Server 2012R1, or Windows Server 2012R2, you may experience problems with authorization over a secure connection. We recommend the following solution:

  1. Save this file to your computer in a place where you can definitely find it later (for example, select "My Computer" - the C:\ drive or the "Downloads" folder).
  2. Unzip the archive.
  3. Run the file by double-clicking (changes must be made with administrator rights).
  4. Allow changes to the registry.
  5. Restart your computer after making all changes.

Launch Internet Explorer. In the menu bar, you need to select the icon with the settings and the item in it.

The Internet Explorer/Browser Properties window will open. Select the "Security" tab.

On the "Security" tab, click the green checkmark (Trusted sites) and then the "Sites" button.

A window will open. In the field "Add the following node to the zone", enter the address at which you log in to your personal account (*.website). Uncheck the box next to "All sites in this zone require server verification (https:)" and press the "Add" button.

The address will then appear in the list of websites. Press the "Close" button.

The "Security" tab will reopen. Press the "Custom level" button.

A window named "Security Settings - Trusted Sites Zone" will open. Scroll down to the heading "ActiveX Controls and Plugins". EVERYTHING below this heading, to the end of the list, should be ENABLED. Scroll this list all the way down and enable ALL security settings, and then click OK.

After you press the "OK" button, a warning window will appear: "Are you sure you want to change the setting for this zone?". Press the "Yes" button.

If you encounter an error when visiting a website, it is not your fault in the first place. This can happen with any browser, including Chrome, Yandex, Firefox, Internet Explorer or Edge. When you try to connect to a website, you may receive another error message that displays the error code ERR_SSL_PROTOCOL_ERROR. In most cases, this error occurs due to a server issue, or because the browser rejects the SSL certificate since the certificate has a problem. It is also possible that the certificate downloaded to your PC is corrupt, or that your PC's TLS/SSL configuration is incorrect. In this guide, we will go through some tips to fix this error.

Error message: This site cannot provide a secure connection. Error code: or ERR_SSL_PROTOCOL_ERROR.

The quickest things to check for these errors are an incorrect date on the computer and the antivirus. What to do?

  • Check and set the correct date, day of the month and time zone.
  • Temporarily disable the antivirus product or add the certificate to the scan exclusions. Disabling the antivirus in such a situation can be a dangerous decision if you have something to lose (card data, personal data, passwords). You need to be sure that the website is not malicious.

Before proceeding, I advise you to read about SSL 3/TLS on Wikipedia or through a Yandex or Google search. SSL 3.0 and the early TLS versions are no longer considered secure, so enabling them can only be a temporary solution.

1. Can you access the website using HTTP?

Try to access the site with just HTTP at the beginning of the URL and if you see the same issue, the problem is with the website. If you are a website owner, there are two things you need to check:

  • Does your SSL certificate name not match? Make sure the site name and alias match the actual URL of the website where the certificate is installed.
  • Is your server using RC4 Cipher? If yes, you need to fix it.

As a website owner, you also need to check if your CDN supports SSL. Most CDNs now support SSL and all you need to do is set it up correctly. Otherwise, contact the technical support of your hosting, they will help you.

2. Enable SSL 3/TLS and disable QUIC protocol

Chrome and Yandex Browser:

Disabling the QUIC protocol in Chrome or Yandex is one of the proven methods to fix the SSL error. To disable the QUIC protocol in the browser, copy the following address and paste it into the browser's address bar: chrome://flags/#enable-quic. Then find Experimental QUIC protocol and set it to Disabled. Restart your browser.


If that doesn't help, open the Chrome or Yandex browser and enter chrome://flags in the address bar. Next, type TLS in the search field and enable it. Then type SSL in the same search field and enable it too (set it to Enabled).


Edge and Internet Explorer:

Press the Win+R key combination and type inetcpl.cpl.


Go to the "Advanced" tab and enable "Use TLS 1.1" and "Use TLS 1.2". Note: if that did not work, go back to these settings and also turn on SSL 3.0.

Firefox:

Enter about:config in the address bar and press Enter. Next, type tls in the search box and find security.tls.version.min. Double-click this option and set the value to 3 to make the TLS 1.3 protocol work. Click OK and restart your Firefox browser.



3. Remove SSL state

Press the Win+R key combination and type inetcpl.cpl to open Internet Properties.


TLS connection errors in Sberbank Business Online are a problem that users of the system sometimes have to face. Recently, remote banking operations have become very popular. Many companies and private enterprises have appreciated the convenience of the service: there is no longer any need to waste time visiting the bank, and account management and payment orders can be handled right in the office at the desk. As with any system, failures are not uncommon here and cannot be avoided. It is better to know about possible problems in advance so that you can easily deal with them.


The work of any service is inevitably associated with the presence of isolated difficulties in connecting

It is impossible to foresee all the errors in the work, but there are the most common ones, which in most cases can be eliminated on your own.

  • Incorrect username and password entry. This message on the screen means that the login and password really were entered incorrectly. Solving the problem is simple: reload the page and log in again, this time entering the ID and password very carefully.
  • Error 401. It appears during login. The cause may be the computer itself (an outdated version of the OS or browser, antivirus blocking or an ordinary failure). The solution is as follows: update the browser, add the Business Online Bank service to the antivirus exclusion list, or simply log in again.
  • Control error. Occurs while a payment document is being created, if mistakes are made in filling it in. The system automatically treats the document as outdated. To fix this, re-check all the data entered in the fields of the document, correct any inaccuracies, and set the “payment” check again.
  • Internal Server Error. There is no need to worry here; just wait for a while, since all server failures are dealt with by the bank's specialists. It is enough to report this to the technical support service.


This article contains the most common problems in the bank service and how to fix them.

Problem number 0100

TLS connection error 0100 in Sberbank Business Online warns about problems with the certificate. When you log in to the system, the certificate is checked and its authenticity is confirmed. The bank's server authenticates the certificate, checks its validity period, and compares the URL with the address specified in the certificate.

TLS connection error 0140

There can be several reasons for this problem. Of course, it may be an elementary program failure. But most often it is related to the use of an electronic digital signature, which identifies the user and is used when approving various documents. Most likely, the signature has expired, so it is outdated and no longer valid. In that case, you need to renew it. If the validity period has not yet expired, check that the fields are filled in correctly. You may need to install CAPICOM in order to attach a digital signature. In any case, you must respond quickly and seek help from the bank's technical support service, stating the code and the actions that preceded the error. To avoid such problems in the future, you need to know when the signature expires.

You can check this in the certificate store. The replacement should be carried out in advance: while the certificate is being renewed, situations may arise in which payment documents need to be signed urgently.


Users often encounter difficulties in working with the bank service

Problem number 0160

If the message “TLS connection error 0160” appears on the screen in the Sberbank system, this indicates that the service was unable to verify the authenticity of the client certificate. This can mean only one thing: the PIN code has expired. The solution is simple: contact the bank to receive a new token and PIN codes.

Conclusion

Many business structures work with the Sberbank Business Online program, and TLS connection errors are not uncommon. Since the cash flow of many companies is significant, the problem should be fixed immediately. You cannot simply hope that it is an ordinary system failure. It may be one, or it may be a problem on the server. But most often it occurs because the technical equipment does not meet the requirements for connecting to the program. The software should be taken seriously so that similar problems do not arise in the future. In any case, to speed up the resolution of the issue, you should immediately contact the bank's technical support service.