andryuha
asked on
EventID: 36874 - Schannel Error
Hi,
I have a fully patched Win2000 Server SP4 that spontaneously rebooted itself last tuesday and after it came back up, it was working fine.
Server is running IIS5 with URLScan and SSL.
After the reboot it started giving me errors like this one, none of the users complained yet though:
EventID: 36874
Source: Schannel
Type: Error
Description:
An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
I've looked in the IIS logs and there was nothing special, your regular vulnerability/header scanning that get blocked by URLScan. I've had an SSL certificate for about a month now and haven't gotten errors like this one, just after this mysterious reboot.
Anybody else encounter this? Please advise, because I can't find anything online about it.
Thank you
I have a fully patched Win2000 Server SP4 that spontaneously rebooted itself last tuesday and after it came back up, it was working fine.
Server is running IIS5 with URLScan and SSL.
After the reboot it started giving me errors like this one, none of the users complained yet though:
EventID: 36874
Source: Schannel
Type: Error
Description:
An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
I've looked in the IIS logs and there was nothing special, your regular vulnerability/header scanning that get blocked by URLScan. I've had an SSL certificate for about a month now and haven't gotten errors like this one, just after this mysterious reboot.
Anybody else encounter this? Please advise, because I can't find anything online about it.
Thank you
ASKER
I applied MS04-011's KB835732 on the 13th, the day after it came out.
The spontaneous reboot happened on 22nd. 3 hours after that the first Schannel errors started appearing, there are only 1 or 2 a day.
I first read about the incident in the link you supplied here :
http://xforce.iss.net/xforce/alerts/id/168
Almost at the bottom of that page its says that you can also disable PCT 1.0 protocol and provided a link to this microsoft article:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q187/4/98.asp&NoWebContent=1
I disabled PCT following MS directions and was hoping this Schannel error would go away, but it didn't.
Weird thing is I can't find any mention of this error anywhere, I can only assume that the error has anything to do with this new SSL exploit.
The spontaneous reboot happened on 22nd. 3 hours after that the first Schannel errors started appearing, there are only 1 or 2 a day.
I first read about the incident in the link you supplied here :
http://xforce.iss.net/xforce/alerts/id/168
Almost at the bottom of that page its says that you can also disable PCT 1.0 protocol and provided a link to this microsoft article:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q187/4/98.asp&NoWebContent=1
I disabled PCT following MS directions and was hoping this Schannel error would go away, but it didn't.
Weird thing is I can't find any mention of this error anywhere, I can only assume that the error has anything to do with this new SSL exploit.
ASKER
Also, I've looked in IIS Logs to see if there were any entries to port 443 around the times of the Schannel error, but can't find any. All your regular server header scans, etc come on port 80.
Event ID: 36874
Source Schannel
Type Error
Description An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
Comments Anonymous (Last update 4/16/2004):
As per Citrix Document ID: CTX172208, both the client and server must be capable of 128-bit encryption in order to connect through Citrix Secure Gateway. To resolve this issue, install Windows 2000 Service Pack 2 on the Citrix Secure Gateway server, and ensure that the client machine has either Windows 2000 Service Pack 2 or the High Encryption Pack for Windows. See Citrix Document ID: CTX172208 for more details.
Links Citrix Document ID: CTX172208
Search Microsoft Support - Microsoft Search - Google Groups - Google Microsoft - EventID.Net Queue - More links...
Various Send comments - Notify me when updated - Discuss in forum
Source Schannel
Type Error
Description An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
Comments Anonymous (Last update 4/16/2004):
As per Citrix Document ID: CTX172208, both the client and server must be capable of 128-bit encryption in order to connect through Citrix Secure Gateway. To resolve this issue, install Windows 2000 Service Pack 2 on the Citrix Secure Gateway server, and ensure that the client machine has either Windows 2000 Service Pack 2 or the High Encryption Pack for Windows. See Citrix Document ID: CTX172208 for more details.
Links Citrix Document ID: CTX172208
Search Microsoft Support - Microsoft Search - Google Groups - Google Microsoft - EventID.Net Queue - More links...
Various Send comments - Notify me when updated - Discuss in forum
ASKER
Not much results from google groups either:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=Schannel+Error+36874
But I guess the error isn't new.
It's possible that Citrix Secure Gateway is causing problems, but none of our users have complained about that. Our users are off site and I don't know what their internal network set up is.
From the google groups search, some people say that could be cause by outdated IE and windows 2000 machines that don't have SP2 installed.
Any other opinions? Thank you
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=Schannel+Error+36874
But I guess the error isn't new.
It's possible that Citrix Secure Gateway is causing problems, but none of our users have complained about that. Our users are off site and I don't know what their internal network set up is.
From the google groups search, some people say that could be cause by outdated IE and windows 2000 machines that don't have SP2 installed.
Any other opinions? Thank you
So what may I ask is the solution to this problem. ?
ASKER
after some research I found that there is this SSL vulnerability:
http://www.winnetmag.com/Article/ArticleID/42438/42438.html
http://xforce.iss.net/xforce/alerts/id/168
This vulnerability is exploited by a so called "THCIISSLame" application. Using this "THCIISSLame" I could replicate the error and by using fix below I couldn't get anywhere with this exploit. so I think I'm safe.
Sort of a fix for it:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q187/4/98.asp&NoWebContent=1
http://www.winnetmag.com/Article/ArticleID/42438/42438.html
http://xforce.iss.net/xforce/alerts/id/168
This vulnerability is exploited by a so called "THCIISSLame" application. Using this "THCIISSLame" I could replicate the error and by using fix below I couldn't get anywhere with this exploit. so I think I'm safe.
Sort of a fix for it:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q187/4/98.asp&NoWebContent=1
ASKER
hewittq, I'd like my points back, to be honest, because I actually posted more information on here on the issue than anyone else and the last comment was mine too.
Thanks
Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I experienced similar problems using IIS 6 on Windows 2003. Firefox users received an error message saying "transfer interrupted" when trying to access a SSL-enabled web server. It didn't make any difference if they were using XP clients or Citrix thin clients. IE users in Citrix clients receives an error message saying "the page cannot be displayed" and "unable to contact server or DNS error". The error only happened when using IE on Citrix thin clients; they were able to successfully access the https hosted web server on a Windows server using a PC client.
In addtion, the Windows 2003 web server will log the System Event error titled SCHANNEL for Event ID 36874: "An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed."
Here's what I did to get Firefox to work with the https web server: I set the value of "RC4 128/128" in HKEY_LOCAL_MACHINE\SYSTEM\
To get IE to work on the Citrix clients, I enabled (0xffffffff) all the other Enabled flags in Protocols, KeyExchangeAlgorithms, Hashes, and Ciphers located in HKEY_LOCAL_MACHINE\SYSTEM\
In addtion, the Windows 2003 web server will log the System Event error titled SCHANNEL for Event ID 36874: "An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed."
Here's what I did to get Firefox to work with the https web server: I set the value of "RC4 128/128" in HKEY_LOCAL_MACHINE\SYSTEM\
To get IE to work on the Citrix clients, I enabled (0xffffffff) all the other Enabled flags in Protocols, KeyExchangeAlgorithms, Hashes, and Ciphers located in HKEY_LOCAL_MACHINE\SYSTEM\
You have applied MS04-011??
Sounds suspicous to me, esp with all the activity around port 443 and the PCT SSL hole.