Since I installed KB3174644 in W2012R2, Veeam 9U2 was unable to connect to vCenter 5.5 and old servers. This patch has a different KB number for other versions of Windows.
Fired by event: VeeamNoHostConnectionEvent
Event description: Unable to connect to XXXXXXXX. Failed to download clients.xml file from https://XXXXXXXX:443/client/clients.xml
. The request was aborted: Could not create SSL/TLS secure channel.
Initiated by: Veeam ONE Monitor (ZZZZZZZ)
And there were a lot of schannel errors in System event log. Source: Schannel, Event ID 36888:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 813.
It seems that the new Diffie-Hellman patch from Microsoft changed the minimum bits supported by Windows to a higher value which blocks connecting to old servers (we still have some ESX 4.1 and 5.1). I've uninstalled the patch and everything is now working fine. It will last until weak certificates get blocked again (SHA-1 anyone?).