Windows: Timeout with TLS connections [Workaround]

Windows 7, Windows 8.1 and various Windows Server versions have timeouts in TLS connections after installing the October 2019 updates. Microsoft has confirmed these TLS timeouts in a support article.



Microsoft support article 4528489 (Transport Layer Security (TLS) connections might intermittently fail or timeout when connecting) contains the details.

The error description

When attempting to connect [to a server], Transport Layer Security (TLS) and Secure Sockets Layer (SSL) may fail temporarily or run on a timeout. One or more of the following errors will be displayed:

  • "The request was aborted: Could not create SSL/TLS secure Channel"
  • Error 0x8009030F (SEC_E_MESSAGE_ALTERED)
  • An error logged in the System Event Log for SCHANNEL event 36887 with alert code 20 and the description, "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20."

The cause of this issue is that Microsoft closed the vulnerability CVE-2019-1318 in August 2019 with an update. Now the updates from October 2019 seem to cause the TLS timeouts.

Which Windows versions are affected?

Unfortunately, the fix was distributed through various updates to Windows 7, Windows 8.1, and various Windows Server versions that are still in support. Affected are the following Windows versions that have received cumulative updates and rollups as of October 8, 2019 (or later):

  • KB4519998 LCU for Windows Server, version 1607 and Windows Server 2016.
  • KB4520005 Monthly Rollup for Windows 8.1 and Windows Server 2012 R2.
  • KB4520007 Monthly Rollup for Windows Server 2012.
  • KB4519976 Monthly Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1.
  • KB4520002 Monthly Rollup for Windows Server 2008 SP2

Also affected are systems that have received the following security-only updates dated October 8, 2019.



  • KB4519990 Security-only update for Windows 8.1 and Windows Server 2012 R2.
  • KB4519985 Security-only update for Windows Server 2012 and Windows Embedded 8 Standard.
  • KB4520003 Security-only update for Windows 7 SP1 and Windows Server 2008 R2 SP1
  • KB4520009 Security-only update for Windows Server 2008 SP2

Anyone who has installed these updates and is seeing TLS errors should react and try the following workaround.

A workaround for the TLS problem

Microsoft states two workarounds in the support article that may mitigate the TLS timeout problem.

  • Enable support for Extended Master Secret (EMS) extensions when performing TLS connections on both the client and the server operating system. EMS, as defined in RFC 7627, was added to supported versions of Windows in the calendar year 2015. Any update released on or after October 8, 2019 will have EMS enabled by default for CVE-2019-1318.
  • Or: For operating systems that do not support EMS, remove the TLS_DHE_* cipher suites from the cipher suite list in the OS of the TLS client device. For instructions on how to do this on Windows, see Prioritizing Schannel Cipher Suites.

Microsoft does not recommend disabling EMS. If EMS was previously explicitly disabled, it can be re-enabled by setting the following registry key values:

HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel

On TLS Server: DisableServerExtendedMasterSecret: 0
On TLS Client: DisableClientExtendedMasterSecret: 0
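The following PowerShell script is an added example (it is not from this post or from Microsoft's support article). It ties the three pieces above together on one machine: it looks for the Schannel event 36887 / alert code 20 entries from the error description, reports whether the two EMS registry values explicitly disable EMS, and, only when run with -Apply, sets them back to 0 or disables the TLS_DHE_* cipher suites on a client. The function names are mine; Get-WinEvent, Get-TlsCipherSuite and Disable-TlsCipherSuite are standard cmdlets, and the registry path and value names are the ones quoted above. Run it in an elevated session.

```powershell
# Added example, not part of the original post or of Microsoft KB 4528489.
# Detects the Schannel symptom and applies the two documented workarounds
# (report-only unless -Apply is given). Requires an elevated session.

$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'
$EmsValues   = 'DisableServerExtendedMasterSecret', 'DisableClientExtendedMasterSecret'

# 1. Detection: Schannel event 36887 whose text carries TLS fatal alert code 20
#    (bad_record_mac), as listed in the support article.
function Get-SchannelAlert20Event {
    param([int]$MaxEvents = 500)
    $filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36887 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'fatal alert code is 20\b' } |
        Select-Object TimeCreated, Id, Message
}

# 2. EMS state: a missing value means "default" (enabled after the October 2019
#    updates); a present non-zero value means EMS was explicitly disabled.
function Get-EmsState {
    foreach ($name in $EmsValues) {
        $item = Get-ItemProperty -Path $SchannelKey -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Value    = $name
            Present  = ($null -ne $item)
            Disabled = ($null -ne $item -and $item.$name -ne 0)
        }
    }
}

# 3. Workaround 1 (Microsoft's recommendation): re-enable EMS by writing 0 to
#    both values. -Force overwrites an existing value of the same name.
function Enable-Ems {
    param([switch]$Apply)
    foreach ($name in $EmsValues) {
        if ($Apply) {
            New-ItemProperty -Path $SchannelKey -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
            "Set $name = 0"
        } else {
            "Would set $name = 0 (use -Apply to change the registry)"
        }
    }
}

# 4. Workaround 2, for a client that must reach a server without EMS support:
#    drop the TLS_DHE_* suites from the client's cipher suite list.
#    The TLS cmdlets exist on Windows 8.1 / Server 2012 R2 and later; on
#    Windows 7 / Server 2008 R2 use the "SSL Cipher Suite Order" policy instead.
function Remove-DheCipherSuite {
    param([switch]$Apply)
    $dhe = Get-TlsCipherSuite | Where-Object { $_.Name -like 'TLS_DHE_*' }
    foreach ($suite in $dhe) {
        if ($Apply) {
            Disable-TlsCipherSuite -Name $suite.Name
            "Disabled $($suite.Name)"
        } else {
            "Would disable $($suite.Name) (use -Apply)"
        }
    }
}

# Report-only run; add -Apply to Enable-Ems or Remove-DheCipherSuite to change settings.
Get-SchannelAlert20Event | Format-Table -AutoSize
Get-EmsState            | Format-Table -AutoSize
Enable-Ems
Remove-DheCipherSuite
```

Alert code 20 and SEC_E_MESSAGE_ALTERED both mean a record failed MAC verification, which is what a master-secret mismatch between an EMS and a non-EMS peer looks like on the wire, so seeing these events on machines that received the October updates is the signal to check EMS state first. Prefer the EMS fix over removing cipher suites: disabling TLS_DHE_* leaves only ECDHE suites for forward secrecy, and the change affects every TLS connection the client makes, not just the failing one. Schannel reads these registry values at startup, so plan a reboot after applying them.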

That should make the TLS connection problems go away. (via)
