feti

MS04-011 Breaks SSL Communication?

Something weird happened.  I downloaded and installed security update MS04-011 like a good little network administrator and suddenly I'm getting Schannel errors in my System Event Log.  The event ID is 36874, which I can find no information on.  The error message reads:

"An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed."

What I'm hearing from customers is that in trying to go to secure pages, they get a 'page cannot be displayed' message.  It's only a few customers out of very many (maybe two or three out of hundreds are getting this error).  Doing a little testing, I've found that if I change my browser settings to not use SSL 3.0, I cannot surf to secure pages on my site.  Any idea on what happened?  Has anyone else had this happen?

For reference, this is a Windows 2000 Server machine, running IIS 5 and SQL 2000.  As far as I know (and I hope I would know), all service packs are installed.

Thanks,

Clint
Gareth Gudger

I found one resolution related to this error on Eventid.
http://eventid.net/display.asp?eventid=36874&eventno=3884&source=Schannel&phase=1
It seems to relate to Citrix in the answer, but if you are not running that, the resolution could still apply to your situation: that you need to reapply the High Encryption Pack.

If you open up IE and check Help ==> About does it state you have 128bit CIPHER strength?
feti (ASKER)

I did see that link on EventID.net.  I guess my problem is that I need to do something on the server to allow these few clients in.  The High Encryption Pack says it's for client machines.

Also, the IE Help on both the server and a client machine that cannot access the site both state cipher strength of 128 bit.

I'm going to try and uninstall this security patch that seems to have started all these problems.  If there are any other suggestions please comment.

Clint
feti (ASKER)

Update:

I uninstalled KB828741 and KB835732 (these two changed settings for SSL communications) and lo and behold it worked!  I'm still in testing, but so far this seems to have resolved the problem.  However, part of me thinks I still need to install these patches, so has anyone else run into this sort of thing?

Clint
Clint -
Exactly which browser/operating systems are unable to connect to the SSL site?  I'm seeing the same errors but I am not sure which connections are failing.  I've tested with Windows 2000/IE6/Netscape 7 and Mac OSX/IE5/Netscape 7 with no errors.  I suspect it must be older browsers.

Will
feti (ASKER)

Will,

I unfortunately don't have access to this data.  I agree that it must be an older browser or at the very least an unpatched one.  I have found two Knowledge Base articles that seem to be workarounds for these security patches:

http://support.microsoft.com/default.aspx?scid=kb;en-us;187498

http://support.microsoft.com/default.aspx?scid=kb;en-us;245030

I hope this helps someone else out.  Since I seem to have answered my own question, how do I close this question?  Unless other members want to keep the discussion open, I have nothing else to add.

Clint
Clint -
Before this thread is closed by someone would you please post back and let us know which actions you took based on the MS articles and if it fixed the problem?  Thanks.

Will
feti (ASKER)

Will,

Both changes I made were registry edits.  The first change I made was in: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

In there I added a new binary value called 'Enabled' with a value of 00 00 00 00 to PCT 1.0\Server and SSL 2.0\Server.  What this basically does (according to the first KB article I listed above) is disable PCT 1.0 and SSL 2.0 authentication to the server.  This was a security issue that was raised during a Qualys security scan.

The second change I made was in:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

In there I added a new DWORD value called 'Enabled' with a value of 0 to every cipher except RC2 128/128 and RC4 128/128.  What this does is disable the use of any cipher except 128-bit encrypted ones.  Again, this was a security issue that was raised during a Qualys security scan.

I'm kind of a neophyte at the networking gig, so I pretty much just do what Microsoft tells me and see what breaks.  Fortunately, this hasn't broken anything (yet), so all I can say is that it worked for me, though your mileage may vary.

Clint
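The two registry changes Clint describes above, as an added example (not code from the thread or from Microsoft's KB articles) written as a reviewable, revertible script instead of hand edits in regedit. It assumes a Windows host running PowerShell where the HKLM\...\SCHANNEL keys exist (the same keys persist on later Windows Server versions); the allowlist and protocol names are the thread's, and `-DryRun` is a parameter introduced here.

```powershell
# Added example, not from the thread: apply the SCHANNEL hardening Clint describes
# (disable PCT 1.0 and SSL 2.0 on the server side, disable every cipher except an
# allowlist) as a script. Assumes a Windows host with PowerShell and the
# HKLM\SYSTEM\...\SCHANNEL keys present. The .NET registry API is used on purpose:
# the PowerShell registry provider mis-handles the '/' in names like "RC4 128/128".
param(
    [string[]]$AllowedCiphers = @('RC2 128/128', 'RC4 128/128'), # the thread's 2004 allowlist
    [string[]]$DisabledServerProtocols = @('PCT 1.0', 'SSL 2.0'), # per KB187498
    [switch]$DryRun                                                # report only, write nothing
)

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm = [Microsoft.Win32.Registry]::LocalMachine

function Set-SchannelEnabled {
    # Writes an 'Enabled' value under HKLM\$base\$SubKey, creating the key if needed.
    param([string]$SubKey, $Data, [Microsoft.Win32.RegistryValueKind]$Kind)
    $path = "$base\$SubKey"
    if ($DryRun) { Write-Host "Would set HKLM\$path\Enabled"; return }
    $key = $hklm.CreateSubKey($path)
    try { $key.SetValue('Enabled', $Data, $Kind) } finally { $key.Close() }
    Write-Host "Set HKLM\$path\Enabled"
}

# 1. Protocols: Enabled = 00 00 00 00 (REG_BINARY) under Protocols\<name>\Server,
#    exactly as described in the thread.
foreach ($proto in $DisabledServerProtocols) {
    Set-SchannelEnabled -SubKey "Protocols\$proto\Server" `
        -Data ([byte[]](0, 0, 0, 0)) -Kind ([Microsoft.Win32.RegistryValueKind]::Binary)
}

# 2. Ciphers: Enabled = 0 (REG_DWORD) for every existing cipher subkey that is not
#    on the allowlist. Enumerating the subkeys avoids hard-coding cipher names.
$ciphersKey = $hklm.OpenSubKey("$base\Ciphers")
if ($null -eq $ciphersKey) { throw "HKLM\$base\Ciphers not found; nothing to do" }
$cipherNames = $ciphersKey.GetSubKeyNames()
$ciphersKey.Close()

foreach ($cipher in $cipherNames) {
    if ($AllowedCiphers -contains $cipher) {
        Write-Host "Leaving $cipher enabled"
        continue
    }
    Set-SchannelEnabled -SubKey "Ciphers\$cipher" -Data 0 `
        -Kind ([Microsoft.Win32.RegistryValueKind]::DWord)
}

Write-Host 'SCHANNEL reads these keys at startup; reboot for the change to take effect.'
```

Run with `-DryRun` first to see which keys would be written. The default allowlist is the thread's 2004 choice; a current scanner would flag RC4 and RC2 as well, so pass `-AllowedCiphers` with whatever your scan accepts.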
Hi, I suspect this may be their problem rather than yours: if their browser is requesting a cipher that is not supported, you will see this error.

There seems to be an issue with MS04-011 that can affect SSL using IE 6 on Windows 2003; uninstalling the patch solves it.

http://seclists.org/lists/fulldisclosure/2004/Apr/0676.html

has much more information.

I've seen this entry a few times in my web server logs without MS04-011, I haven't seen an increase since applying it either.
I'm not worrying too much about it as yet.
Mike

Clint -
Have you checked to see if the SCHANNEL error that registers in your Event Log corresponds to the same time that your user gets the "page cannot be displayed" error?

The reason I ask is I have been told the SCHANNEL errors we are getting occur when someone attempts to use one of the exploits that MS04-011 fixes - the exploit fails and generates the event log entry.

If true this makes perfect sense - I only started getting the error after installing MS04-011, never before it.

And also if true this explains why I am unable to replicate any "page cannot be found" errors when I connect to my SSL sites.

So I guess the other important question is are you still getting the event log errors after making the recommended MS registry changes that you describe above?

I'm hoping we can finally put this behind us!

Will

ASKER CERTIFIED SOLUTION
feti
Asker resolved - the 250 points have been refunded and the question PAQ'd.

RomMod
Community Support Moderator
I found a better solution!!!

These events are the result of attempts to exploit  the holes fixed by MS04-011.

They may not be customers with failed browser attempts.

JerrytheGreat
Jerry -
That's what I said in my post of May 6th. - see above.

Will
feti (ASKER)

Jerry and Will,

The issue was that legitimate customers were unable to get to SSL pages.  Whether the error logged was from attempted security breaches or legitimate customer errors is a moot point to me because the solution I posted above seems to be a workaround for the same security flaw.  The only difference I can tell is that the error is not getting logged anymore.

Clint
Clint and Will,

My apologies for posting an answer to an issue where the solution had already been addressed, I didn't read carefully enough.

Regards,

JerrytheGreat