As of October 17, 2022, Microsoft has released the out-of-band update KB5020387 for Windows 11 21H2. This update fixes a connection problem that can occur with SSL and TLS connections after the October 2022 security updates. All Windows client and server versions still in support are probably affected. The update also fixes the connection issue with Citrix clients that I reported on recently.
Since September 2022 I have received reports about issues with SSL and TLS connections on Windows. I had warned about this potential issue in the blog post Windows 10: Beware of a possible TLS disaster on October 2022 patchday. A user reported that the optional, cumulative (preview) update KB5017380 from September 2022 (Windows 10 20H2-21H2 Preview Update KB5017380 (Sept. 20, 2022)) disables TLS 1.0 and 1.1 for certain Windows versions.
My interpretation was that this may be the root cause, but there seems to be another bug shipped with the October 2022 security updates. I have published two blog posts about the issues:
Citrix connections broken after Windows update KB5018410 (October 2022) (TLS problem)
Bug: Outlook no longer connects to the mail server (October 2022)
Microsoft also accidentally released the September 2022 preview update to WSUS (see WSUS chaos: Preview updates for Windows and Net withdrawn as superseded on 9/21/2022), but I don't know whether this has any effect on the current reports. Nevertheless, a German blog reader commented on my post Citrix-Verbindungen nach Windows-Update KB5018410 (Oktober 2022) gestört (TLS-Problem) that this issue has been fixed with the out-of-band Windows updates dated October 17, 2022.
Out-of-band fixes for SSL/TLS connection issues
On October 17, 2022, Microsoft added the entry "SSL/TLS handshake might fail" to the "Known issues" section of the Windows 10 release health status page (and likewise for Windows 11 and Windows Server 2022). There Microsoft confirms it has received reports that handshake errors may occur for some types of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections after installing the October 11, 2022 security updates (KB5018410 on Windows 10 20H2-21H2, and the corresponding October 11 updates on Windows 11 21H2 and Windows Server 2022).
For developers, Microsoft gives a hint about the trigger: the affected connections are likely sending multiple frames within a single input buffer, that is, one or more complete TLS records followed by a partial record of fewer than 5 bytes (shorter than a TLS record header), all delivered in one buffer. When the problem occurs, the application receives the error SEC_E_ILLEGAL_MESSAGE as the connection fails.
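To make the buffer shape from Microsoft's hint concrete, here is an added example (my own illustration, not code from the original post or from Microsoft) of how a TLS record-layer consumer should split one input buffer into complete records plus a trailing partial record, and how to flag the exact shape the known-issue entry describes: full records followed by a partial record shorter than the 5-byte record header. The function and class names and the sample buffer are constructed for this example.

```python
# Added example (not from the original post or from Microsoft): a record-layer
# consumer that splits one input buffer into complete TLS records plus a
# trailing partial record, and flags the shape described in the release-health
# note (full records followed by a partial record shorter than the 5-byte
# header). All names and the sample buffer are constructed here.
import struct

TLS_HEADER_LEN = 5  # content type (1) + legacy version (2) + length (2)
CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}


def tls_record(content_type, body, version=0x0303):
    """Serialize one TLS record (0x0303 is the legacy version TLS 1.2/1.3 put on the wire)."""
    return struct.pack("!BHH", content_type, version, len(body)) + body


def split_tls_records(buf):
    """Split buf into (complete_records, leftover).

    complete_records is a list of (content_type_name, body). leftover is the
    unconsumed tail: either empty, a record whose body has not fully arrived,
    or fewer than 5 bytes, in which case even the length field is unknown and
    the caller must read more data before it can parse anything."""
    records = []
    off = 0
    while len(buf) - off >= TLS_HEADER_LEN:
        ctype, version, length = struct.unpack_from("!BHH", buf, off)
        if ctype not in CONTENT_TYPES or (version >> 8) != 3:
            raise ValueError("not a TLS record header at offset %d" % off)
        body_start = off + TLS_HEADER_LEN
        if len(buf) < body_start + length:
            break  # header complete, body incomplete: keep as leftover
        records.append((CONTENT_TYPES[ctype], buf[body_start:body_start + length]))
        off = body_start + length
    return records, buf[off:]


def has_short_partial_record(buf):
    """True for the buffer shape singled out by Microsoft: at least one complete
    record followed by a partial record of fewer than 5 bytes."""
    records, leftover = split_tls_records(buf)
    return bool(records) and 0 < len(leftover) < TLS_HEADER_LEN


class RecordStream:
    """Incremental consumer that carries a partial record across calls, which is
    what a correct consumer must do instead of rejecting the short tail."""

    def __init__(self):
        self.pending = b""

    def feed(self, chunk):
        records, self.pending = split_tls_records(self.pending + chunk)
        return records


# Constructed sample buffer: a handshake record, an application-data record and
# the first 3 bytes of a third record (type 23, version 0x0303, no length yet).
SAMPLE_BUFFER = (
    tls_record(22, b"\x01\x00\x00\x04\x03\x03\x00\x00")  # dummy handshake body
    + tls_record(23, b"opaque ciphertext")
    + b"\x17\x03\x03"
)

if __name__ == "__main__":
    complete, tail = split_tls_records(SAMPLE_BUFFER)
    print([name for name, _ in complete], len(tail), has_short_partial_record(SAMPLE_BUFFER))
    stream = RecordStream()
    stream.feed(SAMPLE_BUFFER)
    print(stream.feed(b"\x00\x02ok"))  # the 5 missing bytes complete the third record
```

The point of the example is the 3-byte tail: it is not a malformed message, just a header that has not finished arriving, so a consumer has to hold it and wait for more data. A consumer that treats such a tail as an illegal message would fail with exactly the symptom Microsoft describes.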
The known-issue entry exists for several Windows versions. These are the out-of-band updates that fix the problem on the affected versions:
- KB5020387: Windows 11 21H2
- KB5020435: Windows 10 20H2 – 21H2
- KB5020438: Windows 10 Enterprise 2019 LTSC, Windows Server 2019
- KB5020436: Windows Server 2022
- KB5020447: Windows 8.1, Windows Server 2012 R2
- KB5020449: Windows Server 2012
- KB5020448: Windows 7 SP1, Windows Server 2008 R2
These out-of-band updates are only available for download from the Microsoft Update Catalog and must be installed manually (search the catalog for the KB number). Details about each update can be found in the linked KB articles.
Similar articles:
Windows 10 20H2-21H2 Preview Update KB5017380 (Sept. 20, 2022)
Windows 10: Beware of a possible TLS disaster on October 2022 patchday
Citrix connections broken after Windows update KB5018410 (October 2022) (TLS problem)
Bug: Outlook no longer connects to the mail server (October 2022)
WSUS chaos: Preview updates for Windows and Net withdrawn as superseded on 9/21/2022
Does it fix TLS 1.3 not working anymore on Windows 10?
Self-reply after tests: Schannel is working properly after having applied KB5020387 on an LTSC 2021 IoT Enterprise image (21H2), where Schannel was previously broken (on build 19044.2130, from October 11, 2022).
We initially guessed that the IoT Enterprise SKU wasn't supporting TLS 1.3, but now we confirmed that we hit the bug mentioned in the post.
"Fun" fact: while it was initially reported that TLS 1.3 was available starting from Windows 10 1903, the Schannel documentation was changed recently and now states that only Windows 11 and Server 2022 support TLS 1.3: https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl–schannel-ssp-
Thanks for your feedback and tests.
add more links to the following out-of-band updates, guenni:
KB5020439 for Win10 LTSB 2016 v1607
https://support.microsoft.com/help/5020439
KB5020440 for Win10 LTSB 2015 v1507
https://support.microsoft.com/help/5020440
both of these updates were released Tue. 10/18
that now leaves only Win11 22H2 (build 2262x) without the SSL/TLS fixes
the SSL/TLS connection fix for Win11 22H2 will be included in the upcoming KB5018496 update, currently released for insiders in the release preview channel (build 22621.754):
https://blogs.windows.com/windows-insider/2022/10/19/releasing-windows-11-build-22621-754-to-the-release-preview-channel/
I need this fix for the dev build. Why don't they release that fix there?
Any solution for that?