Packer fails to upload files on Server 2025 after configuring Ciphers

Hello,

I’m experiencing an issue when running configuration scripts on Windows Server 2025 but the same scripts work fine on Windows 2019 and 2022.

The basics of the script are:

# Schannel cipher-suite order written as the Group Policy "Functions" value.
# Comma-separated, no spaces; the TLS 1.3 suites (TLS_AES_*) are deliberately left out.
$cipherSuitesAsString = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA,TLS_PSK_WITH_AES_256_GCM_SHA384,TLS_PSK_WITH_AES_128_GCM_SHA256,TLS_PSK_WITH_AES_256_CBC_SHA384,TLS_PSK_WITH_AES_128_CBC_SHA256,TLS_PSK_WITH_NULL_SHA384,TLS_PSK_WITH_NULL_SHA256"

# Create the policy key (ignored if it already exists) and set/overwrite the Functions value.
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -ErrorAction SilentlyContinue | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Name 'Functions' -Value $cipherSuitesAsString -PropertyType 'String' -Force | Out-Null

Note that TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256 are not in the above list.

There is another script that should execute after the above script has finished; however, after the above is executed I start to see the following when using PACKER_LOG=1:

2025/03/14 14:33:13 packer-plugin-azure_v2.3.0_x5.0_linux_amd64 plugin: 2025/03/14 14:33:13 Uploading file to 'c:/Windows/Temp/packer-ps-env-vars-67d48467-72bb-c526-eac4-43af4b08d8e0.ps1'
2025/03/14 14:33:13 packer-provisioner-powershell plugin: Retryable error: Error uploading ps script containing env vars: Error uploading file to $env:TEMP\winrmcp-f3c47191-e616-439c-6802-017cb50bc29b.tmp: Couldn't create shell: unknown error Post "https://20.12.47.39:5986/wsman": read tcp 172.20.212.241:37530->20.12.47.39:5986: read: connection reset by peer
2025/03/14 14:33:15 packer-provisioner-powershell plugin: [INFO] 0 bytes written for 'uploadData'

Everything works just fine when running on other versions of Windows. I was hoping someone else may have seen this or had ideas on how to further troubleshoot.

While I'm still not sure what is happening with Windows 2025, I have found a workaround. If I have Packer reboot the VM after applying the cipher change, Packer will re-connect and continue the rest of the provisioning process. I was looking through the different projects related to communication, and there were some comments that alluded to the caching of ciphers for the connection, so I made the supposition that if I did something drastic to break the connection, then Packer would need to re-create the connection and negotiate a new cipher.

Possibly Windows 2025 is more aggressive about looking for cipher changes and drops connections that use ciphers that are no longer allowed?
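A pre-flight check that makes the suspected failure visible before the policy is written, as an added example that is not the original poster's script or anything from the Packer project. It compares the intended Functions list against the suites Schannel currently offers on the host (Get-TlsCipherSuite, available on Windows Server 2016 and later), reports which offered suites the change removes and whether the TLS 1.3 suites are among them (a TLS 1.3-capable client such as Packer's Go WinRM client will have negotiated one of those for the session that is already open), validates the value before writing it, and warns that a reboot should follow. The helper names Get-CipherPolicyImpact and Set-CipherPolicy are assumptions for this example; the policy path and value name are the ones from the post, and the suite list is the post's list with the TLS 1.3 suites left out as the post describes. Run elevated on the target VM.

```powershell
# Added example (not code from the original post or from Packer).
# Assumes: elevated session on the target VM; Get-TlsCipherSuite available;
# policy key/value as in the post. Helper names are hypothetical.

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Intended order: the post's list, which deliberately omits the TLS 1.3 suites.
$desiredSuites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',   'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',     'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',   'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',      'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',         'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',         'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',            'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',           'TLS_RSA_WITH_NULL_SHA256',
    'TLS_RSA_WITH_NULL_SHA',                   'TLS_PSK_WITH_AES_256_GCM_SHA384',
    'TLS_PSK_WITH_AES_128_GCM_SHA256',         'TLS_PSK_WITH_AES_256_CBC_SHA384',
    'TLS_PSK_WITH_AES_128_CBC_SHA256',         'TLS_PSK_WITH_NULL_SHA384',
    'TLS_PSK_WITH_NULL_SHA256'
)

function Get-CipherPolicyImpact {
    # Hypothetical helper: diff the intended list against what Schannel offers now.
    param([Parameter(Mandatory)][string[]]$Desired)

    $current = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)

    $removed = @($current | Where-Object { $_ -notin $Desired })   # offered today, gone after the change
    $unknown = @($Desired | Where-Object { $_ -notin $current })   # typos, glued names, or suites this OS lacks
    # TLS 1.3 suites carry no key-exchange/auth prefix (TLS_AES_*, TLS_CHACHA20_*); TLS 1.2 names contain _WITH_.
    $tls13Removed = @($removed | Where-Object { $_ -match '^TLS_(AES|CHACHA20)_' })

    [pscustomobject]@{
        CurrentlyOffered = $current.Count
        Removed          = $removed
        NotOfferedByOS   = $unknown
        RemovesTls13     = ($tls13Removed.Count -gt 0)
        FunctionsLength  = ($Desired -join ',').Length
    }
}

function Set-CipherPolicy {
    # Hypothetical helper: validate and write the Functions value the way the post does.
    param([Parameter(Mandatory)][string[]]$Desired)

    $value = $Desired -join ','
    # Reject stray spaces or an empty entry; a glued pair of names would instead
    # surface in NotOfferedByOS above, so check that before calling this.
    if ($value -notmatch '^[A-Z0-9_]+(,[A-Z0-9_]+)*$') {
        throw 'Functions value must be a comma-separated list of suite names with no spaces.'
    }
    # Microsoft documents a 1023-character limit for this value; the post's full
    # pasted string exceeds it, the trimmed list above does not.
    if ($value.Length -gt 1023) {
        throw "Functions value is $($value.Length) characters; the documented limit is 1023."
    }

    New-Item -Path $policyPath -Force | Out-Null
    New-ItemProperty -Path $policyPath -Name 'Functions' -Value $value -PropertyType String -Force | Out-Null
}

$impact = Get-CipherPolicyImpact -Desired $desiredSuites
$impact | Format-List

if ($impact.NotOfferedByOS.Count -gt 0) {
    Write-Warning ("Entries not offered by this OS (check for typos): " + ($impact.NotOfferedByOS -join ', '))
}
if ($impact.RemovesTls13) {
    Write-Warning ('This policy removes the TLS 1.3 suites. On Windows Server 2025 the original poster ' +
                   'observed the live WinRM/HTTPS session being reset after this change; ' +
                   'schedule a reboot as the next provisioning step.')
}

Set-CipherPolicy -Desired $desiredSuites
```

Run this as the last step of the cipher-hardening script and follow it with Packer's windows-restart provisioner, which is the workaround the post arrived at; Packer then re-establishes WinRM and negotiates a suite that is still allowed. The NotOfferedByOS list is the quickest way to catch a malformed Functions string (a missing comma fuses two names into one entry that Schannel will never match). Separately from the connection issue, note that the post's list still permits NULL-cipher, 3DES and PSK suites, which offer no or weak confidentiality and are worth dropping in any real hardening baseline.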