Solved

MS04-011 Breaks SSL Communication?

Posted on 2004-04-23
Last Modified: 2013-12-23
Something weird happened.  I downloaded and installed security update MS04-011 like a good little network administrator and suddenly I'm getting Schannel errors in my System Event Log.  The event ID is 36874, which I can find no information on.  The error message reads:

"An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed."

What I'm hearing from customers is that in trying to go to secure pages, they get a 'page cannot be displayed' message.  It's only a few customers out of very many (maybe two or three out of hundreds are getting this error).  Doing a little testing, I've found that if I change my browser settings to not use SSL 3.0, I cannot surf to secure pages on my site.  Any idea on what happened?  Has anyone else had this happen?

For reference, this is a Windows 2000 Server machine, running IIS 5 and SQL 2000.  As far as I know (and I hope I would know), all service packs are installed.

Thanks,

Clint
Question by:feti
17 Comments
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10907873
I found one resolution related to this error on Eventid.
http://eventid.net/display.asp?eventid=36874&eventno=3884&source=Schannel&phase=1
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10907887
It seems to relate to Citrix in the answer, but if you are not running that, the resolution could still apply to your situation: you need to reapply the High Encryption Pack.

If you open up IE and check Help ==> About, does it state you have 128-bit cipher strength?
 

Author Comment

by:feti
ID: 10918654
I did see that link on EventID.net.  I guess my problem is that I need to do something on the server to allow these few clients in.  The High Encryption Pack says it's for client machines.

Also, the IE Help on both the server and a client machine that cannot access the site both state cipher strength of 128 bit.

I'm going to try and uninstall this security patch that seems to have started all these problems.  If there are any other suggestions please comment.

Clint
 

Author Comment

by:feti
ID: 10918978
Update:

I uninstalled KB828741 and KB835732 (these two changed settings for SSL communications) and lo and behold it worked!  I'm still in testing, but so far this seems to have resolved the problem.  However, part of me thinks I still need to install these patches, so has anyone else run into this sort of thing?

Clint
 

Expert Comment

by:zenops
ID: 10977784
Clint -
Exactly which browser/operating systems are unable to connect to the SSL site?  I'm seeing the same errors but I am not sure which connections are failing.  I've tested with Windows 2000/IE6/Netscape 7 and Mac OSX/IE5/Netscape 7 with no errors.  I suspect it must be older browsers.

Will
 

Author Comment

by:feti
ID: 10980329
Will,

I unfortunately don't have access to this data.  I agree that it must be an older browser or at the very least an unpatched one.  I have found two knowledgebase articles that seem to be workarounds for these security patches:

http://support.microsoft.com/default.aspx?scid=kb;en-us;187498

http://support.microsoft.com/default.aspx?scid=kb;en-us;245030

I hope this helps someone else out.  Since I seem to have answered my own question, how do I close this question?  Unless other members want to keep the discussion open, I have nothing else to add.

Clint
 

Expert Comment

by:zenops
ID: 10987522
Clint -
Before this thread is closed by someone would you please post back and let us know which actions you took based on the MS articles and if it fixed the problem?  Thanks.

Will
 

Author Comment

by:feti
ID: 10988719
Will,

Both changes I made were registry edits.  The first change I made was in: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

In there I added a new binary value called 'Enabled' with a value of 00 00 00 00 to PCT1.0\Server and SSL 2.0\Server.  What this basically does (according to the first KB article I listed above) is disable PCT 1.0 and SSL 2.0 authentication to the server.  This was a security issue that was raised during a Qualys security scan.

The second change I made was in:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

In there I added a new DWORD value called 'Enabled' with a value of 0 to every cipher except RC2 128/128 and RC4 128/128.  What this does is disable the use of any cipher except 128-bit encrypted ones.  Again, this was a security issue that was raised during a Qualys security scan.

I'm kind of a neophyte at the networking gig, so I pretty much just do what Microsoft tells me and see what breaks.  Fortunately, this hasn't broken anything (yet), so all I can say is that it worked for me, though your mileage may vary.

Clint
 
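The two registry changes Clint describes, as a read-only audit script added here (it is not from the thread, from Microsoft, or from Qualys). It reads the SCHANNEL Protocols and Ciphers keys and reports every entry whose state differs from the one he set, so the configuration can be verified instead of inferred from customer complaints. Assumptions: it runs as Administrator on a Windows host with PowerShell 3.0 or later; protocol key names follow the KB 187498 spelling ("PCT 1.0", "SSL 2.0") rather than the "PCT1.0" in the post; and the "keep" list is Clint's (RC2 128/128 and RC4 128/128), which today's guidance would no longer accept, since RC4 and SSL 3.0 have both been deprecated.

```powershell
# Added example, not from the thread: read-only audit of the SCHANNEL keys the
# post edits. The .NET registry API is used because cipher key names such as
# "RC4 128/128" contain a slash, which the PowerShell registry provider would
# treat as a path separator.
$Base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$Hklm = [Microsoft.Win32.Registry]::LocalMachine

function ConvertTo-SchannelState($Value) {
    # A missing Enabled value means the OS default applies, which on the
    # Windows 2000-era hosts in the thread is "enabled". KB 187498 disables a
    # protocol with REG_BINARY 00 00 00 00; the Ciphers keys use DWORD 0.
    # Either form sums to zero.
    if ($null -eq $Value) { return 'enabled' }
    if ((@($Value) | Measure-Object -Sum).Sum -eq 0) { return 'disabled' }
    return 'enabled'
}

function Get-SchannelProtocolAudit {
    # Clint disabled PCT 1.0 and SSL 2.0 server-side; SSL 3.0 is listed too
    # because the question mentions it, but it is reported as unchanged.
    $disable = 'PCT 1.0', 'SSL 2.0'
    foreach ($name in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0') {
        $key   = $Hklm.OpenSubKey("$Base\Protocols\$name\Server")
        $value = if ($key) { $key.GetValue('Enabled') } else { $null }
        [pscustomobject]@{
            Protocol = $name
            Server   = ConvertTo-SchannelState $value
            Intended = if ($name -in $disable) { 'disabled' } else { 'unchanged' }
        }
    }
}

function Get-SchannelCipherAudit {
    # Clint set Enabled = 0 on every cipher except the two 128-bit ones.
    $keep    = 'RC2 128/128', 'RC4 128/128'
    $ciphers = $Hklm.OpenSubKey("$Base\Ciphers")
    if (-not $ciphers) { return }   # subkey absent until something creates it
    foreach ($name in $ciphers.GetSubKeyNames()) {
        $value = $ciphers.OpenSubKey($name).GetValue('Enabled')
        [pscustomobject]@{
            Cipher   = $name
            State    = ConvertTo-SchannelState $value
            Intended = if ($name -in $keep) { 'enabled' } else { 'disabled' }
        }
    }
}

# Print only the rows that deviate from the intended hardening.
Get-SchannelProtocolAudit | Where-Object { $_.Intended -ne 'unchanged' -and $_.Server -ne $_.Intended } | Format-Table -AutoSize
Get-SchannelCipherAudit   | Where-Object { $_.State -ne $_.Intended } | Format-Table -AutoSize
```

An empty report means the registry matches the state described in the post; it does not by itself prove that clients negotiating only the disabled suites are the ones failing, which is the correlation Will asks about later in the thread.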
LVL 4

Expert Comment

by:Mike_Courtney
ID: 11004705
Hi, I suspect this may be their problem rather than yours; if their browser is requesting a cipher that is not supported, you will see this error.

There seems to be an issue with MS04-011 that can affect SSL using IE 6 on Windows 2003; uninstalling the patch solves it.


http://seclists.org/lists/fulldisclosure/2004/Apr/0676.html

has much more information.

I've seen this entry a few times in my web server logs without MS04-011, I haven't seen an increase since applying it either.
I'm not worrying too much about it as yet.
Mike
 

Expert Comment

by:zenops
ID: 11005369
Clint -
Have you checked to see if the SCHANNEL error that registers in your Event Log corresponds to the same time that your user gets the "page cannot be displayed" error?

The reason I ask is I have been told the SCHANNEL errors we are getting occur when someone attempts to use one of the exploits that MS04-011 fixes - the exploit fails and generates the event log entry.

If true this makes perfect sense - I only started getting the error after installing MS04-011, never before it.

And also if true this explains why I am unable to replicate any "page cannot be found" errors when I connect to my SSL sites.

So I guess the other important question is are you still getting the event log errors after making the recommended MS registry changes that you describe above?

I'm hoping we can finally put this behind us!

Will
 

Accepted Solution

by:
feti earned 0 total points
ID: 11008031
Will,

I can't verify that I was getting the error messages at the same time our customers were getting the 'page not found' errors.  All I can verify is that with the patch I had a lot of angry customers and without the patch but with the workarounds I'm not getting any complaints.  That being said, your point about the patch detecting intrusion attempts seems valid.  Since uninstalling the patch, this specific error has not been logged in my Event Logs.  It doesn't mean it's not happening, I guess, just that it's not being logged.  The first registry hack I posted earlier is a Microsoft workaround for the PCT vulnerability that was addressed by the patch.  The other hack was a suggested fix from a Qualys network security audit I performed about a month prior to the release of the patch.  I posted it because I thought it might be of use to someone else.  To answer your last question, no I am not getting the error in my Event Log anymore.  Nor am I getting any customer complaints (except for Mac users, but I think that's a different issue).  I was in the same boat as you.  I was unable to replicate the errors my customers were getting while I had the patch installed.  Anyway, I hope this helps.

Clint
 

Expert Comment

by:RomMod
ID: 11138068
Asker resolved - the 250 points have been refunded and the question PAQ'd.

RomMod
Community Support Moderator
 

Expert Comment

by:jerrysolomon
ID: 11450740
I found a better solution!!!

These events are the result of attempts to exploit the holes fixed by MS04-011.

They may not be customers with failed browser attempts.

JerrytheGreat
 

Expert Comment

by:zenops
ID: 11450801
Jerry -
That's what I said in my post of May 6th. - see above.

Will
 

Author Comment

by:feti
ID: 11450913
Jerry and Will,
 
The issue was that legitimate customers were unable to get to SSL pages.  Whether the error logged was from attempted security breaches or legitimate customer errors is a moot point to me because the solution I posted above seems to be a workaround for the same security flaw.  The only difference I can tell is that the error is not getting logged anymore.

Clint
 

Expert Comment

by:jerrysolomon
ID: 11453262
Clint and Will,

My apologies for posting an answer to an issue where the solution had already been addressed; I didn't read carefully enough.

Regards,

JerrytheGreat