We haven’t released a new version. So there’s nothing to self-update.
Regarding your own self-updates make sure your server supports the old TLS protocols supported by the old .NET version.
I include wyUpdate 2.6.18.4 built in 2012 in my company's products. But I see the last change to wyUpdate was in 2020 which includes some security updates that are now mandatory for us (using TLS 1.2 or 1.3, forbidding the use of TLS 1.0 and 1.1). AWS is turning off TLS 1.0 and 1.1 in June 2023, and if wyUpdate can't use TLS 1.2 or 1.3 by then it will fail. However, wyUpdate won't update itself and stays on the 2012 version.
How can I get wyUpdate to update to the latest version?
---
We've tried including the .NET 4.0 version of wyUpdate instead of the .NET 2.0 version in our builds (an option selectable in the wyBuild properties file). This fixes the problem for brand new installations, but not for our existing installations out there in the wild. We've also tried adding the .NET 2.0 version to all old versions, adding the .NET 4.0 version to the new version of files to be updated during patching and reuploading the patch files, but wyUpdate.exe is not altered from its original installed version. We're aware that this procedure is highly not recommended but we were all out of other ideas.
We haven’t released a new version. So there’s nothing to self-update.
Regarding your own self-updates make sure your server supports the old TLS protocols supported by the old .NET version.
I am baffled why you have continued to make commits to wyUpdate (including commits that fix the very problem we are having, e.g. commit 60cccd3 on 14 April 2020) if you have no intention of releasing any updates to the 2012 version. If there is no new version it will be impossible to continue to use wyUpdate once TLS 1.0 and 1.1 are retired, which I have no control over. Eventually it will be impossible to find a server anywhere that allows TLS 1.0 and 1.1. We will not be leaving AWS (“make sure your server supports the old TLS protocols”) in favour of wyUpdate, compromised security, and delaying the inevitable.
We have no “self-updates”. According to your own documentation, wyUpdate performs self-updates (https://wyday.com/wybuild/help/faq.php “You should not include wyUpdate.exe in your updates — wyUpdate self-updates.”), which it can't do if no further updates are forthcoming. When functioning properly, it then updates our products.
Can you recommend an updater that will work in 2023 and beyond? And how do we migrate all existing installations from wyUpdate to a different updater? We will need to disable and remove wyUpdate once we have a replacement that works in a secure environment as it causes error in our applications when it fails.
Alternatively, can you suggest a path forward that will allow existing installations to continue to update with wyUpdate once TLS 1.0 and 1.1 are switched off? If you are not already aware, this article explains that AWS will disable TLS 1.0 and 1.1 by 28 June 2023: https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/ All old (and therefore current) versions of wyUpdate will cease to work on AWS at that point, leading to many upset customers. In order to prevent unexpected service disruptions, AWS recommends switching now which we are attempting to do.
The solution we've gone for is to include the .NET 4.0 version of wyUpdate.exe with the patch files, plus a batch file which gets executed by wyUpdate after updating. The batch file renames the original .NET 2.0 version of wyUpdate.exe out of the way, then renames the .NET 4.0 version to just “wyUpdate.exe”. Will we change which files are included in the next update so that the old .NET 2.0 version and the batch file are deleted by wyUpdate.exe.
It took us 4 days to build this workaround. Multiply your daily rate by 4 to work out how much it cost us, and how much it would cost you to work out an equivalent solution from scratch without wyDay's help.
If you are reading this after 28 June 2023 and your AWS hosted solution has suddenly stopped updating, know that Wyatt O'Day was aware of this issue 9 months before it happened and chose to not take it seriously. One day TLS 1.3 (the latest version at the time of writing) will be deprecated and unsupported. But Wyatt O'Day thinks TLS 1.0 will be supported forever which is why he doesn't see the need to release an update to wyUpdate to fix this issue.
Overview
Many wyUpdate deployments using Amazon S3 will fail on June 28, 2023 when Amazon enforces the TLS 1.2 minimum.
From my investigation, using the .NET 4 version of wyUpdate is not enough.
------------------------------------------------------
Known problematic workarounds
To get wyUpdate to use TLS 1.2, you also need to do one of the following (each of which has some downsides):
------------------------------------------------------
Tests
Here are some of my tests with wyUpdate + Amazon S3 bucket with TLS 1.2 enforced on an up-to-date Windows 11 device:
NotSupportedException
due to hardcoding an unsupported TLS version (though perhaps the .NET 2 project is deprecated anyway)This is consistent with Amazon’s post on the TLS 1.2 change:
The most common use of TLS 1.0 or 1.1 are .NET Framework versions earlier than 4.6.2.
------------------------------------------------------
Possible solutions
The easiest solution for us would be if there was an official wyUpdate hotfix release that forks off of the Aug 2012 release to fix the issue... though it seems highly unlikely that wyUpdate will have a fix before the June 28 deadline, and it’s not clear to me what a “universal” fix is. Targeting a newer .NET and/or TLS version should be a quick and easy fix, but it could potentially affect wyUpdate customers in legacy environments.
Personally I’m leaning towards one of these solutions (or a combination of these solutions, given that being able to update is critical):
client.wyc
file (with the list of server sites) is easier to update than wyUpdate.exe
.For future readers, some links regarding .NET + TLS versions.
------------------------------------------------------
Appendix - wyUpdate.exe.config file
Another possible solution was using adding a config file, i.e. wyUpdate.exe.config
file, but there were some issues:
Some links regarding the config file:
wyUpdate.exe.config
example (to emphasize, this worked but I had some issues as noted above):
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<runtime>
<AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=false"/>
<AppContextSwitchOverrides value="Switch.System.Net.DontEnableSystemDefaultTlsVersions=false"/>
</runtime>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6"/>
</startup>
</configuration>
Note:
supportedRuntime
for this to work. Only the .NET 2 wyUpdate requires this.AppContextSwitchOverrides
.------------------------------------------------------
Appendix - S3 Transfer Acceleration
S3 Transfer Acceleration should also work as it uses CloudFront. See this aws re:post question for details.
------------------------------------------------------
If anyone else is affected by the issue or has additional information, please share. Thanks.