Tuesday, 7 March 2017

Missing TLS 1.2

Most days you get to use existing knowledge, and then just sometimes something cool comes your way.

This week we hit a problem where an application server and client could not communicate. You could ping between them and interact with file shares, and almost everything looked normal, yet the application could not connect.

After looking at the event log I found this error:

Log Name: System
Source: Schannel
Date: 11.02.2017 16:37:44
Event ID: 36888
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: FR11.CONSENTO.COM
Description:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

This error shows that the SSL/TLS handshake between them was failing (TLS fatal alert code 40 is handshake_failure).

A closer look at the registry on both the client and the server makes the problem clear: the registry keys are not the same.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003
(Default) REG_SZ NCRYPT_SCHANNEL_SIGNATURE_INTERFACE
Functions REG_MULTI_SZ RSA/SHA256\0RSA/SHA384\0RSA/SHA1\0ECDSA/SHA256\0ECDSA/SHA384\0ECDSA/SHA1\0DSA/SHA1

On the other servers:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003
(Default) REG_SZ NCRYPT_SCHANNEL_SIGNATURE_INTERFACE
Functions REG_MULTI_SZ RSA/SHA512\0ECDSA/SHA512\0RSA/SHA256\0RSA/SHA384\0RSA/SHA1\0ECDSA/SHA256\0ECDSA/SHA384\0ECDSA/SHA1\0DSA/SHA1

This turns out to be a known issue that is addressed by KB2975719, or by a manual registry tweak.
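As an added example that is not part of the original post, the PowerShell below reads the Functions value from the key shown above, compares it with the list from the working servers, and can optionally write that list back. The function names are my own, and the assumption that the working servers' list is the right target for your hosts is one you should confirm before using the repair switch.

```powershell
# Added example (not from the original post): compare this host's SChannel
# signature algorithm list with the list seen on the working servers and
# report the difference. Run from an elevated PowerShell prompt.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003'

# Reference list copied from the post's "other servers" (the working ones).
$Reference = @(
    'RSA/SHA512', 'ECDSA/SHA512',
    'RSA/SHA256', 'RSA/SHA384', 'RSA/SHA1',
    'ECDSA/SHA256', 'ECDSA/SHA384', 'ECDSA/SHA1',
    'DSA/SHA1'
)

function Get-SchannelSignatureFunctions {
    # REG_MULTI_SZ is returned as a string array; the \0 separators in the
    # post are just how a multi-string value is displayed when exported.
    (Get-ItemProperty -Path $KeyPath -Name Functions).Functions
}

function Test-SchannelSignatureFunctions {
    param([switch]$Repair)

    $current = @(Get-SchannelSignatureFunctions)
    $missing = @($Reference | Where-Object { $_ -notin $current })
    $extra   = @($current   | Where-Object { $_ -notin $Reference })

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Current  = ($current -join ', ')
        Missing  = ($missing -join ', ')
        Extra    = ($extra   -join ', ')
    } | Format-List

    if ($Repair -and $missing.Count -gt 0) {
        # The "manual registry tweak" the post mentions: write the full
        # reference list back as a REG_MULTI_SZ value. Assumption: this is
        # the same end state the update produces. Export the key first so
        # the change can be reverted, and restart before retesting, since
        # SChannel reads this configuration at startup.
        Set-ItemProperty -Path $KeyPath -Name Functions -Value $Reference -Type MultiString
        Write-Host "Functions value updated on $env:COMPUTERNAME; restart to apply."
    }
}

# Report only; add -Repair to write the reference list back.
Test-SchannelSignatureFunctions
```

Running the report on the broken host from the post would list RSA/SHA512 and ECDSA/SHA512 under Missing, matching the two entries absent from its Functions value.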
