Backup Job to AWS S3 Repository Fails with "Failed to construct ClientAgentProtocol"
Challenge
While attempting to execute a backup task within Veeam Backup & Replication directed towards an AWS S3 Bucket Repository, the backup process fails with the error:
Failed to construct ClientAgentProtocol.
Examining the logs reveals the following errors:
In log: job.[IP].BlobRepo.log
ERR |Veeam RPC client processor thread is broken >> |Failed to do TLS handshake. Possible cause: Incompatible SSL version: available - TLSv1.2, negotiated - TLSv1.1, detailed info: Failed to do TLS handshake: (336109835) error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number >> |--tr:Failed to perform TLS handshake >> |An exception was thrown from thread [8972].
Cause
This error occurs when the machine initiating communication with the AWS endpoint is unable to complete the TLS handshake due to an inability to use TLS 1.2.
Due to multiple security vulnerabilities, many companies, including AWS, have deprecated TLS 1.0 and TLS 1.1.
AWS Security Blog - TLS 1.2 to become the minimum TLS protocol level for all AWS API endpoints
Solution
To resolve this, ensure that the OS of the machines used by Veeam Backup & Replication to communicate with the AWS endpoint can use at least TLS 1.2.
TLS 1.2 is enabled by default is all Windows operating systems, starting with Windows 8.1/Server 2012 R2.
More Information
Note: Veeam Backup & Replication 11/12 uses .NET Framework 4.7.2, which supports at most TLS 1.2.
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.