Solved

MS04-011 Breaks SSL Communication?

Posted on 2004-04-23
1,943 Views
Last Modified: 2013-12-23
Something weird happened.  I downloaded and installed security update MS04-011 like a good little network administrator and suddenly I'm getting Schannel errors in my System Event Log.  The event ID is 36874, which I can find no information on.  The error message reads:

"An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed."

What I'm hearing from customers is that in trying to go to secure pages, they get a 'page cannot be displayed' message.  It's only a few customers out of very many (maybe two or three out of hundreds are getting this error).  Doing a little testing, I've found that if I change my browser settings to not use SSL 3.0, I cannot surf to secure pages on my site.  Any idea on what happened?  Has anyone else had this happen?

For reference, this is a Windows 2000 Server machine, running IIS 5 and SQL 2000.  As far as I know (and I hope I would know), all service packs are installed.

Thanks,

Clint
Question by:feti
17 Comments

Expert Comment

by:Gareth Gudger
ID: 10907873
I found one resolution related to this error on Eventid.
http://eventid.net/display.asp?eventid=36874&eventno=3884&source=Schannel&phase=1

Expert Comment

by:Gareth Gudger
ID: 10907887
It seems to relate to Citrix in the answer, but if you are not running that, the resolution could apply to your situation: you need to reapply the High Encryption Pack.

If you open up IE and check Help ==> About does it state you have 128bit CIPHER strength?

Author Comment

by:feti
ID: 10918654
I did see that link on EventID.net.  I guess my problem is that I need to do something on the server to allow these few clients in.  The High Encryption Pack says it's for client machines.

Also, the IE Help on both the server and a client machine that cannot access the site both state cipher strength of 128 bit.

I'm going to try and uninstall this security patch that seems to have started all these problems.  If there are any other suggestions please comment.

Clint

Author Comment

by:feti
ID: 10918978
Update:

I uninstalled KB828741 and KB835732 (these two changed settings for SSL communications) and lo and behold it worked!  I'm still in testing, but so far this seems to have resolved the problem.  However, part of me thinks I still need to install these patches, so has anyone else run into this sort of thing?

Clint

Expert Comment

by:zenops
ID: 10977784
Clint -
Exactly which browser/operating systems are unable to connect to the SSL site?  I'm seeing the same errors but I am not sure which connections are failing.  I've tested with Windows 2000/IE6/Netscape 7 and Mac OSX/IE5/Netscape 7 with no errors.  I suspect it must be older browsers.

Will

Author Comment

by:feti
ID: 10980329
Will,

I unfortunately don't have access to this data.  I agree that it must be an older browser or at the very least an unpatched one.  I have found two knowledgebase articles that seem to be workarounds for these security patches:

http://support.microsoft.com/default.aspx?scid=kb;en-us;187498

http://support.microsoft.com/default.aspx?scid=kb;en-us;245030

I hope this helps someone else out.  Since I seem to have answered my own question, how do I close this question?  Unless other members want to keep the discussion open, I have nothing else to add.

Clint

Expert Comment

by:zenops
ID: 10987522
Clint -
Before this thread is closed by someone would you please post back and let us know which actions you took based on the MS articles and if it fixed the problem?  Thanks.

Will

Author Comment

by:feti
ID: 10988719
Will,

Both changes I made were registry edits.  The first change I made was in: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

In there I added a new binary value called 'Enabled' with a value of 00 00 00 00 to PCT1.0\Server and SSL 2.0\Server.  What this basically does (according to the first KB article I listed above) is disable PCT 1.0 and SSL 2.0 authentication to the server.  This was a security issue that was raised during a Qualys security scan.

The second change I made was in:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

In there I added a new DWORD value called 'Enabled' with a value of 0 to every cipher except RC2 128/128 and RC4 128/128.  What this does is disable the use of any cipher except 128 bit encrypted ones.  Again, this was a security issue that was raised during a Qualys security scan.

I'm kind of a neophyte at the networking gig, so I pretty much just do what Microsoft tells me and see what breaks.  Fortunately, this hasn't broken anything (yet), so all I can say is that it worked for me, though your mileage may vary.

Clint
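The two registry changes Clint describes, as an audit-and-apply PowerShell script added here (not code from the thread or from Microsoft). It assumes a host that has PowerShell (the Windows 2000 box itself would take the same keys via regedit or reg.exe), the key names documented in KB 187498 and KB 245030 ('PCT 1.0' with a space), and that the cipher subkey names listed are the ones present on the target.

```powershell
# Added example, not from the thread: audit (default) or, with -Apply, make the two
# SCHANNEL registry changes Clint describes, then reboot so Schannel re-reads them.
# Assumed key names follow KB 187498 / KB 245030 ('PCT 1.0' has a space); the cipher
# list is the one KB 245030 documents and should be checked against the target host.
param([switch]$Apply)

$hklm = [Microsoft.Win32.Registry]::LocalMachine
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Server-side protocol subkeys to disable: 'Enabled' = REG_BINARY 00 00 00 00.
$protocolsOff = @('Protocols\PCT 1.0\Server', 'Protocols\SSL 2.0\Server')
# Cipher subkeys: 'Enabled' = REG_DWORD 0 for all but the 128-bit RC2/RC4 suites.
$ciphersKeep  = @('RC2 128/128', 'RC4 128/128')
$ciphersKnown = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
                  'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'Triple DES 168/168')
$existing = $hklm.OpenSubKey("$base\Ciphers")
if ($existing) { $ciphersKnown += $existing.GetSubKeyNames(); $existing.Close() }
$ciphersOff = $ciphersKnown | Sort-Object -Unique |
    Where-Object { $ciphersKeep -notcontains $_ } | ForEach-Object { "Ciphers\$_" }

function Get-SchannelState([string]$relKey) {
    # Report how the 'Enabled' value under one SCHANNEL subkey is currently set.
    $k = $hklm.OpenSubKey("$base\$relKey")
    if ($null -eq $k) { return 'key absent (default: enabled)' }
    $v = $k.GetValue('Enabled'); $k.Close()
    if ($null -eq $v) { return 'no Enabled value (default: enabled)' }
    $zero = if ($v -is [byte[]]) { ($v | Measure-Object -Sum).Sum -eq 0 } else { $v -eq 0 }
    if ($zero) { 'DISABLED' } else { 'enabled' }
}

function Disable-SchannelKey([string]$relKey, [Microsoft.Win32.RegistryValueKind]$kind) {
    # .NET CreateSubKey rather than New-Item: names such as 'RC4 128/128' contain '/',
    # which the PowerShell registry provider would treat as a path separator.
    $k = $hklm.CreateSubKey("$base\$relKey")
    $data = if ($kind -eq 'Binary') { [byte[]](0, 0, 0, 0) } else { 0 }
    $k.SetValue('Enabled', $data, $kind); $k.Close()
}

foreach ($p in $protocolsOff) {
    if ($Apply) { Disable-SchannelKey $p Binary }
    '{0,-32} {1}' -f $p, (Get-SchannelState $p)
}
foreach ($c in $ciphersOff) {
    if ($Apply) { Disable-SchannelKey $c DWord }
    '{0,-32} {1}' -f $c, (Get-SchannelState $c)
}
foreach ($c in $ciphersKeep) {
    '{0,-32} {1} (kept)' -f "Ciphers\$c", (Get-SchannelState "Ciphers\$c")
}
```

Run it elevated once without -Apply to see the current state, then with -Apply; Schannel only picks the new values up after a reboot, so expect the 36874 events and client behaviour to change only after that.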

Expert Comment

by:Mike_Courtney
ID: 11004705
Hi, I suspect this may be their problem rather than yours; if their browser is requesting a cipher not supported, you will see this error.

There seems to be an issue with MS04-011 that can affect SSL using IE 6 on Windows 2003; uninstalling the patch solves it.


http://seclists.org/lists/fulldisclosure/2004/Apr/0676.html

has much more information.

I've seen this entry a few times in my web server logs without MS04-011, I haven't seen an increase since applying it either.
I'm not worrying too much about it as yet.
Mike


Expert Comment

by:zenops
ID: 11005369
Clint -
Have you checked to see if the SCHANNEL error that registers in your Event Log corresponds to the same time that your user gets the "page cannot be displayed" error?

The reason I ask is I have been told the SCHANNEL errors we are getting occur when someone attempts to use one of the exploits that MS04-011 fixes - the exploit fails and generates the event log entry.

If true, this makes perfect sense - I only started getting the error after installing MS04-011, never before it.

And also, if true, this explains why I am unable to replicate any "page cannot be found" errors when I connect to my SSL sites.

So I guess the other important question is are you still getting the event log errors after making the recommended MS registry changes that you describe above?

I'm hoping we can finally put this behind us!

Will


Accepted Solution

by:
feti earned 0 total points
ID: 11008031
Will,

I can't verify that I was getting the error messages at the same time our customers were getting the 'page not found' errors.  All I can verify is that with the patch I had a lot of angry customers and without the patch but with the workarounds I'm not getting any complaints.  That being said, your point about the patch detecting intrusion attempts seems valid.  Since uninstalling the patch, this specific error has not been logged in my Event Logs.  It doesn't mean it's not happening, I guess, just that it's not being logged.  The first registry hack I posted earlier is a Microsoft workaround for the PCT vulnerability that was addressed by the patch.  The other hack was a suggested fix from a Qualys network security audit I performed about a month prior to the release of the patch.  I posted it because I thought it might be of use to someone else.  To answer your last question, no, I am not getting the error in my Event Log anymore.  Nor am I getting any customer complaints (except for Mac users, but I think that's a different issue).  I was in the same boat as you.  I was unable to replicate the errors my customers were getting while I had the patch installed.  Anyway, I hope this helps.

Clint

Expert Comment

by:RomMod
ID: 11138068
Asker resolved - the 250 points have been refunded and the question PAQ'd.

RomMod
Community Support Moderator

Expert Comment

by:jerrysolomon
ID: 11450740
I found a better solution!!!

These events are the result of attempts to exploit  the holes fixed by MS04-011.

They may not be customers with failed browser attempts.

JerrytheGreat

Expert Comment

by:zenops
ID: 11450801
Jerry -
That's what I said in my post of May 6th. - see above.

Will

Author Comment

by:feti
ID: 11450913
Jerry and Will,
 
The issue was that legitimate customers were unable to get to SSL pages.  Whether the error logged was from attempted security breaches or legitimate customer errors is a moot point to me because the solution I posted above seems to be a workaround for the same security flaw.  The only difference I can tell is that the error is not getting logged anymore.

Clint

Expert Comment

by:jerrysolomon
ID: 11453262
Clint and Will,

My apologies for posting an answer to an issue where the solution had already been addressed, I didn't read carefully enough.

Regards,

JerrytheGreat