TLS 1.0 and Discord Woes

I recently ran into an issue running the Discord VoIP/chat application (version 0.0.308) after completing some security hardening on one of my Windows 10 PCs.

On startup, the Discord client first checks for updates, then automatically downloads and installs them where necessary before launching the application. While this process had previously worked flawlessly, I suddenly found myself stuck in an endless loop of the software trying to update itself and failing to do so. The update check would then go into a 60-second timeout before repeating the process, and the application would never launch as intended.

I first tried several fixes as recommended by Discord’s support site, including the standard uninstall/reboot/reinstall of the software, deleting the Discord folders within %APPDATA%\Local and %APPDATA%\Roaming, elevating to admin to run the software, and bypassing my firewall. No luck! The issue persisted despite my efforts.

Finding my way back to the Discord application folders, I checked %APPDATA%\Local\Discord\app-0.0.308\Squirrelsetup.log and found this error –

9788> 2020-09-11 18:01:55> IEnableLogger: Failed to download url: https://discord.com/api/updates/stable/RELEASES?id=Discord&localVersion=0.0.308&arch=amd64: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.

TLS, huh?

I had previously disabled Transport Layer Security (TLS) 1.0 via a registry key for security purposes and recalled that Discord had been working fine up to that point. For the sake of testing, I re-enabled it and re-ran Discord – problem solved.

I was happy that the issue was fixed, but disappointed to discover that this was the root cause. While the error message itself was straightforward (once I was able to find the proper log file), TLS 1.0 is a 20-year-old deprecated protocol with known security vulnerabilities, and I can’t imagine a valid reason for Discord’s developers to continue to insist on its use when newer and superior alternatives are available.

As a best practice, I eventually decided to disable TLS 1.0 once again and will be sticking to the browser-based Discord client (which doesn’t require updates) for the foreseeable future.
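
The following read-only PowerShell audit is an added example, not part of the original post or of Discord's software. It reports the Schannel protocol values and the .NET Framework TLS opt-in values that together decide whether a .NET client (the log's System.Net.WebException indicates one) can negotiate anything newer than TLS 1.0. The post does not name the registry key that was changed, so the paths below are the standard Microsoft-documented locations and are an assumption here.

```powershell
# Added example (read-only): report the registry values that control TLS protocol
# availability in Schannel and protocol selection in .NET Framework clients.
# A missing key or value means the OS/runtime default applies; it is shown as 'not set'.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value absent
    }
}

function Format-Value($Value) {
    if ($null -eq $Value) { 'not set' } else { $Value }
}

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$report   = @()

# Schannel: Enabled=0 turns a protocol off for that role; any non-zero value turns it on.
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        $key      = "$schannel\$proto\$role"
        $enabled  = Get-RegValue $key 'Enabled'
        $disabled = Get-RegValue $key 'DisabledByDefault'
        $reading  = if ($null -eq $enabled) { 'OS default' } elseif ($enabled -eq 0) { 'disabled' } else { 'enabled' }
        $report  += [pscustomobject]@{
            Scope   = "Schannel $proto $role"
            Value   = "Enabled=$(Format-Value $enabled); DisabledByDefault=$(Format-Value $disabled)"
            Reading = $reading
        }
    }
}

# .NET Framework 4.x: SchUseStrongCrypto=1 and SystemDefaultTlsVersions=1 let apps built
# against older framework versions use TLS 1.1/1.2 instead of their legacy defaults.
$netRoots = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
foreach ($key in $netRoots) {
    $bits = if ($key -like '*WOW6432Node*') { '32-bit' } else { '64-bit' }
    foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
        $v       = Get-RegValue $key $name
        $reading = if ($null -eq $v) { 'runtime default' } elseif ($v -eq 0) { 'off' } else { 'on' }
        $report += [pscustomobject]@{ Scope = ".NET Framework 4.x ($bits)"; Value = "$name=$(Format-Value $v)"; Reading = $reading }
    }
}

$report | Format-Table -AutoSize -Wrap
```

Whether the .NET opt-in values change the Discord updater's behaviour was not tested in the post; the script only shows the current state so the two layers can be compared.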