cwhitmore88
asked on
Event error 36874 schannel on Win2008R2
I'm getting the following event id error on a Windows 2008 R2 server on a regular basis. This server runs IIS and Coldfusion for some custom apps that are accessible outside our network.
"An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed."
I found this solution, but it suggests regenerating the SSL cert. The server this is happening on uses a wildcard SSL so I really don't want to reapply new certs to all my other servers.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/a87505a3-1fd0-47b3-b6db-d36444da34fc/schannel-errors-36874-and-36888?forum=winserversecurity
You can try IISCrypto to reorder (or uncheck) the cipher suites so that the suites for TLS (1.0 and above) come higher in the order; hence it is not necessarily needed to change the SSL certificate. In fact, the recent MS15-031 has addressed the security issue ("FREAK") due to the weak EXPORT ciphers; there is a workaround section that even explicitly disables the RSA key exchange ciphers. So if you patch the Win2K8 server as a regime, it should address it too.
Do reference this MSDN cipher list for the suites for TLS 1 and above; I recommend having SSL 3 and below disabled by default.
https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx
IISCrypto tool - https://www.nartac.com/Products/IISCrypto/
MS15-031 - https://technet.microsoft.com/en-us/library/security/ms15-031.aspx
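The following PowerShell script is an added worked example for the procedure described in the answer above; it is not code from the original thread, from Btan, or from the IISCrypto tool. It audits the Schannel registry settings that IISCrypto edits (server-side protocols and the policy cipher suite order), counts how often event 36874 is actually being logged, and optionally writes a hardened configuration. It assumes the documented Schannel registry paths on Win2008R2, an elevated PowerShell session, and the 2008 R2 style cipher suite names; the suite order written under $Apply is an illustrative choice for this example, not the accepted solution to the question.

```powershell
# Added example (not from the original thread or from IISCrypto): audit the
# Schannel settings that IISCrypto edits and count event 36874 on Win2008R2.
# Assumes the documented Schannel registry layout and an elevated session.
# Set $Apply = $true to write the hardened settings shown in section 4.
$Apply = $false

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$orderKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# --- 1. Protocols enabled on the server side ------------------------------
# A missing key means the OS default applies; on 2008 R2 that leaves SSL 3.0
# and TLS 1.0 on and TLS 1.1/1.2 off ("DisabledByDefault") until enabled here.
foreach ($p in 'SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2') {
    $k = Join-Path $schannel "Protocols\$p\Server"
    if (Test-Path $k) {
        $v = Get-ItemProperty -Path $k
        '{0,-8} Enabled={1} DisabledByDefault={2}' -f $p, $v.Enabled, $v.DisabledByDefault
    } else {
        '{0,-8} (no key: OS default)' -f $p
    }
}

# --- 2. Cipher suite order (what IISCrypto reorders) ----------------------
# The policy value is one comma-separated REG_SZ; on 2008 R2 it is limited to
# 1023 characters, so an over-long list is silently truncated.
$suites = @()
$functions = ''
if (Test-Path $orderKey) {
    $functions = (Get-ItemProperty -Path $orderKey).Functions
    if ($functions) { $suites = $functions -split ',' }
}
if ($suites.Count -eq 0) {
    'No policy cipher suite order set; the OS default order applies.'
} else {
    'Configured order ({0} suites, {1} chars):' -f $suites.Count, $functions.Length
    $suites | ForEach-Object { '  ' + $_ }
}
# The MS15-031 workaround amounts to dropping the RSA key exchange (TLS_RSA_*)
# suites. ECDHE_RSA suites still use the existing RSA (wildcard) certificate,
# only for signing, so no new certificate is needed for that change.
$rsaKx = @($suites | Where-Object { $_ -like 'TLS_RSA_*' })
'TLS_RSA_* (RSA key exchange) suites still offered: {0}' -f $rsaKx.Count

# --- 3. How often 36874 actually fires -----------------------------------
# The event records neither the client address nor the suites it offered, so
# a packet capture (netsh trace / Wireshark) is needed to tell an Internet
# scanner probing for SSLv3/EXPORT suites from a real legacy client.
$since = (Get-Date).AddDays(-7)
$ev = @(Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Schannel'; Id=36874; StartTime=$since} -ErrorAction SilentlyContinue)
'Schannel 36874 events in the last 7 days: {0}' -f $ev.Count

# --- 4. Hardened settings (only when $Apply is set) -----------------------
if ($Apply) {
    foreach ($p in 'SSL 2.0','SSL 3.0') {
        $k = Join-Path $schannel "Protocols\$p\Server"
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        Set-ItemProperty -Path $k -Name Enabled -Value 0 -Type DWord
        Set-ItemProperty -Path $k -Name DisabledByDefault -Value 1 -Type DWord
    }
    foreach ($p in 'TLS 1.1','TLS 1.2') {
        $k = Join-Path $schannel "Protocols\$p\Server"
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        Set-ItemProperty -Path $k -Name Enabled -Value 1 -Type DWord
        Set-ItemProperty -Path $k -Name DisabledByDefault -Value 0 -Type DWord
    }
    # Illustrative order: ECDHE first, one RSA-key-exchange AES suite kept last
    # as a fallback for clients without ECDHE. Delete that last entry to match
    # the MS15-031 workaround exactly (and accept that such clients then fail).
    $order = @(
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
        'TLS_RSA_WITH_AES_128_CBC_SHA'
    )
    if (-not (Test-Path $orderKey)) { New-Item -Path $orderKey -Force | Out-Null }
    Set-ItemProperty -Path $orderKey -Name Functions -Value ($order -join ',') -Type String
    'Settings written; Schannel reads them at boot, so reboot to apply them.'
}
```

Run it once before and once after changing anything in IISCrypto and compare sections 1 and 2; protocol and cipher order changes only take effect after a reboot. Two caveats worth keeping in mind: disabling SSL 3.0 and the weak suites does not make 36874 go away, it only changes which clients trigger it (any SSLv3-only or EXPORT-only client, including the Internet scanners that hit a public IIS host constantly, will still be logged), and removing every TLS_RSA_* suite, as the MS15-031 workaround does, also locks out clients that cannot do ECDHE, so check section 3 against a capture before deciding the remaining events are noise.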
ASKER
Btan,
I verified my server already has the update from MS15-031, and I ran and set the ciphers to "best practice" with IISCrypto, but I continue to get the same error message.
ASKER CERTIFIED SOLUTION