Out-of-band updates for Windows fix SSL/TLS connection issues (also with Citrix) – October 17, 2022

As of October 17, 2022, Microsoft has released an unscheduled update, KB5020387, for Windows 11 21H2. This update fixes a connection problem that can occur with SSL and TLS connections. All Windows client and server versions that are still in support are probably affected by this problem. The update also fixes a connection issue with Citrix clients that I reported on just recently.



Since September 2022 I have received reports about issues with SSL and TLS connections on Windows. I had warned about this potential issue in the blog post Windows 10: Beware of a possible TLS disaster on October 2022 patchday. There had been a user report concerning the optional cumulative (preview) update KB5017380 from September 2022 (Windows 10 20H2-21H2 Preview Update KB5017380 (Sept. 20, 2022)); with that update, TLS 1.0 and 1.1 are disabled for certain Windows versions.

My interpretation was that this might be the root cause, but there seems to be another bug shipped with the October 2022 security updates. I have published two blog posts about the issues:

Citrix connections broken after Windows update KB5018410 (October 2022) (TLS problem)
Bug: Outlook no longer connects to the mail server (October 2022) 

Microsoft had also accidentally released the September 2022 preview update to WSUS (see WSUS chaos: Preview updates for Windows and Net withdrawn as superseded on 9/21/2022). But I don't know whether this has any bearing on the current reports. Nevertheless, a German blog reader commented on my blog post Citrix-Verbindungen nach Windows-Update KB5018410 (Oktober 2022) gestört (TLS-Problem) that this issue has been fixed with the out-of-band Windows updates dated October 17, 2022.

Out-of-band fixes for SSL/TLS connection issues

Then, as of October 17, 2022, Microsoft posted the entry SSL/TLS handshake might fail in the "Known issues" section of the Windows 10 Release Health status page (and likewise for Windows 11 and for Windows Server 2022). There, Microsoft confirms that it has received reports that handshake errors may occur after installing KB5018410 (for Windows 11 21H2) for some types of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections.



For developers, Microsoft gives an indication of the trigger: the affected connections are likely sending multiple frames within a single input buffer, that is, one or more full records together with a partial record of less than 5 bytes, all delivered in a single buffer. If this problem occurs, the application receives SEC_E_ILLEGAL_MESSAGE when the connection fails.
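As an added illustration (not code from the original post or from Microsoft), the following Python script walks the TLS record layer of a byte buffer the way a receiver does before any decryption, and flags the shape the known-issue entry describes: one or more complete records followed by a trailing fragment shorter than the 5-byte record header. The sample buffers are constructed, and the function names and classification labels are my own. It is a diagnostic for looking at captured traffic from a misbehaving client or proxy, not a reproduction of Schannel's internal handling.

```python
# Added example: split a buffer into TLS record-layer frames and report whether
# it ends in a fragment shorter than a record header (the pattern Microsoft's
# known-issue entry associates with SEC_E_ILLEGAL_MESSAGE).
import struct
from dataclasses import dataclass
from typing import List, Tuple

TLS_HEADER_LEN = 5  # content type (1) + protocol version (2) + length (2)

# Content-type values from the TLS record layer, used only for readable output.
CONTENT_TYPE_NAMES = {20: "change_cipher_spec", 21: "alert",
                      22: "handshake", 23: "application_data"}


@dataclass
class FrameSplit:
    complete: List[Tuple[int, int, int]]  # (content_type, version, length) per full record
    trailing_bytes: int                   # bytes left over after the last complete record
    trailing_kind: str                    # "none", "short_header" or "partial_body"


def split_tls_records(buf: bytes) -> FrameSplit:
    """Walk record headers in buf; nothing is decrypted or validated beyond framing."""
    complete = []
    pos = 0
    while len(buf) - pos >= TLS_HEADER_LEN:
        ctype, version, length = struct.unpack_from("!BHH", buf, pos)
        if len(buf) - pos - TLS_HEADER_LEN < length:
            # A full header is present but the record body is cut off.
            return FrameSplit(complete, len(buf) - pos, "partial_body")
        complete.append((ctype, version, length))
        pos += TLS_HEADER_LEN + length
    trailing = len(buf) - pos
    kind = "none" if trailing == 0 else "short_header"
    return FrameSplit(complete, trailing, kind)


def matches_known_issue_shape(buf: bytes) -> bool:
    """True for 'one or more full records plus a partial record of fewer than 5 bytes'."""
    split = split_tls_records(buf)
    return bool(split.complete) and split.trailing_kind == "short_header"


def tls_record(ctype: int, body: bytes, version: int = 0x0303) -> bytes:
    """Build a plaintext-framed TLS record (constructed test data, not real traffic)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


def describe(buf: bytes) -> str:
    """Human-readable summary of how a buffer splits, for a quick triage printout."""
    split = split_tls_records(buf)
    parts = [f"{CONTENT_TYPE_NAMES.get(c, c)}({n} bytes)" for c, _, n in split.complete]
    return (f"{len(split.complete)} complete record(s): {', '.join(parts) or '-'}; "
            f"trailing {split.trailing_bytes} byte(s) ({split.trailing_kind})")


if __name__ == "__main__":
    # Constructed buffer: a handshake record, an application-data record, then
    # only the first 3 bytes of the next record header, all handed over at once.
    sample = (tls_record(22, b"\x01" * 20)
              + tls_record(23, b"\x17" * 8)
              + b"\x17\x03\x03")
    print(describe(sample))
    print("known-issue shape:", matches_known_issue_shape(sample))
```

Running the script prints that the constructed sample contains two complete records and a 3-byte trailing fragment, which is exactly the framing the advisory calls out. A buffer ending in a full header with an incomplete body is classified separately as `partial_body`, because that is the ordinary "wait for more data" case and not what the known-issue text describes.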

The corresponding known-issue entry exists for various Windows versions. Here is the list of out-of-band updates for the affected Windows versions:

These special updates are only available for download in the Microsoft Update Catalog and must be installed manually (simply search for the KB numbers). Details about these updates can be found in the linked KB articles.

Similar articles:
Windows 10 20H2-21H2 Preview Update KB5017380 (Sept. 20, 2022)
Windows 10: Beware of a possible TLS disaster on October 2022 patchday
Citrix connections broken after Windows update KB5018410 (October 2022) (TLS problem)
Bug: Outlook no longer connects to the mail server (October 2022)
WSUS chaos: Preview updates for Windows and Net withdrawn as superseded on 9/21/2022






6 Responses to Out-of-band updates for Windows fix SSL/TLS connection issues (also with Citrix) – October 17, 2022

  1. Harvester says:

    Does it fix the TLS 1.3 not working anymore on Windows 10?

  2. Harvester says:

    Self-reply after tests: Schannel is working properly after having applied KB5020387 on an LTSC 2021 IoT Enterprise image (21H2), where Schannel was previously broken (on build 19044.2130, from October 11, 2022)

    We initially guessed that the IoT Enterprise SKU wasn't supporting TLS 1.3, but now we confirmed that we hit the bug mentioned in the post.

    "Fun" fact: while it was initially reported that TLS 1.3 was available starting from Windows 10 1903, the Schannel documentation was changed recently and now states that only Windows 11 and Server 2022 support TLS 1.3: https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl–schannel-ssp-

  3. EP says:

    add more links to the following out-of-band updates, guenni:

    KB5020439 for Win10 LTSB 2016 v1607
    https://support.microsoft.com/help/5020439

    KB5020440 for Win10 LTSB 2015 v1507
    https://support.microsoft.com/help/5020440

    both of these updates were released Tue. 10/18

    that now leaves only Win11 22H2 (build 2262x) without the SSL/TLS fixes


  5. scip says:

    I need this fix for the dev build; why don't they release that fix there?
    Any solution for that?
