{"id":11704,"date":"2019-10-31T00:25:00","date_gmt":"2019-10-30T23:25:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=11704"},"modified":"2021-12-01T23:29:27","modified_gmt":"2021-12-01T22:29:27","slug":"windows-timeout-with-tls-connections-workaround","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/10\/31\/windows-timeout-with-tls-connections-workaround\/","title":{"rendered":"Windows: Timeout with TLS connections [Workaround]"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2013\/03\/winb.jpg\" width=\"58\" align=\"left\" height=\"58\">[<a href=\"https:\/\/www.borncity.com\/blog\/2019\/10\/30\/windows-timeout-bei-tls-verbindungen-workaround\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Windows 7, Windows 8.1 and various Windows Server versions have timeouts in TLS connections after installing the latest October 2019 updates. Microsoft has confirmed these TLS timeouts in a support article. <\/p>\n<p><!--more--><\/p>\n<p>Microsoft support article <a href=\"https:\/\/support.microsoft.com\/help\/4528489\/\" target=\"_blank\" rel=\"noopener noreferrer\">4528489<\/a> (<em>Transport Layer Security (TLS) connections might intermittently fail or timeout when connecting<\/em>) contains the details.<\/p>\n<h2>The error description<\/h2>\n<p>When attempting to connect [to a server], Transport Layer Security (TLS) and Secure Sockets Layer (SSL) connections may fail temporarily or time out. 
One or more of the following errors will be displayed: <\/p>\n<ul>\n<li>\"The request was aborted: Could not create SSL\/TLS secure Channel\"<\/li>\n<li>Error 0x800903030f (SEC_E_MESSAGE_ALTERED)<\/li>\n<li>An error logged in the System Event Log for SCHANNEL event 36887 with alert code 20 and the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.\"<\/li>\n<\/ul>\n<p>The cause of this issue is that Microsoft closed the vulnerability <a href=\"https:\/\/web.archive.org\/web\/20200825131838\/https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2019-1318\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2019-1318<\/a> in August 2019 with an update. Now updates from October 2019 seem to cause the TLS timeouts. <\/p>\n<h2>Which Windows versions are affected?<\/h2>\n<p>Unfortunately, the fix was distributed through various updates to Windows 7, Windows 8.1, and various Windows Server versions that are still in support. 
The following Windows versions that have received cumulative updates and rollups as of October 8, 2019 (or later) are affected:<\/p>\n<ul>\n<li><a href=\"https:\/\/support.microsoft.com\/de-de\/help\/4519998\" target=\"_blank\" rel=\"noopener noreferrer\">KB4519998<\/a> LCU for Windows Server, version 1607 and Windows Server 2016.<\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/de-de\/help\/4520005\" target=\"_blank\" rel=\"noopener noreferrer\">KB4520005<\/a> Monthly Rollup for Windows 8.1 and Windows Server 2012 R2.<\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/de-de\/help\/4520007\" target=\"_blank\" rel=\"noopener noreferrer\">KB4520007<\/a> Monthly Rollup for Windows Server 2012.<\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/de-de\/help\/4519976\" target=\"_blank\" rel=\"noopener noreferrer\">KB4519976<\/a> Monthly Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1.<\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/de-de\/help\/4520002\" target=\"_blank\" rel=\"noopener noreferrer\">KB4520002<\/a> Monthly Rollup for Windows Server 2008 SP2<\/li>\n<\/ul>\n<p>Systems that have received the following security-only updates dated October 8, 2019 are also affected.<\/p>\n<ul>\n<li><a href=\"https:\/\/support.microsoft.com\/de-de\/help\/4519990\" target=\"_blank\" rel=\"noopener noreferrer\">KB4519990<\/a> Security-only update for Windows 8.1 and Windows Server 2012 R2.<\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/de-de\/help\/4519985\" target=\"_blank\" rel=\"noopener noreferrer\">KB4519985<\/a> Security-only update for Windows Server 2012 and Windows Embedded 8 Standard.<\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/de-de\/help\/4520003\" target=\"_blank\" rel=\"noopener noreferrer\">KB4520003<\/a> Security-only update for Windows 7 SP1 and Windows Server 2008 R2 SP1<\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/de-de\/help\/4520009\" target=\"_blank\" rel=\"noopener noreferrer\">KB4520009<\/a> Security-only update for Windows Server 2008 
SP2<\/li>\n<\/ul>\n<p>Anyone who has installed these updates and is seeing TLS errors should try one of the following workarounds.<\/p>\n<h2>A workaround for the TLS problem<\/h2>\n<p>Microsoft lists two workarounds in the support article that may mitigate the TLS timeout problem.<\/p>\n<ul>\n<li>Enable support for Extended Master Secret (EMS) extensions when performing TLS connections on both the client and the server operating system. EMS, as defined in <a href=\"https:\/\/tools.ietf.org\/html\/rfc7627\" target=\"_blank\" rel=\"noopener noreferrer\">RFC 7627<\/a>, was added to supported versions of Windows in the calendar year of 2015. Any update released on or after October 8, 2019 will have EMS enabled by default for <a href=\"https:\/\/web.archive.org\/web\/20200825131838\/https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2019-1318\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2019-1318<\/a>.<\/li>\n<li>Or: For operating systems that do not support EMS, remove the TLS_DHE_* cipher suites from the cipher suite list in the OS of the TLS client device. For instructions on how to do this on Windows, see <a href=\"https:\/\/docs.microsoft.com\/windows\/win32\/secauthn\/prioritizing-schannel-cipher-suites\" target=\"_blank\" rel=\"noopener noreferrer\">Prioritizing Schannel Cipher Suites<\/a>.<\/li>\n<\/ul>\n<p>Microsoft does not recommend disabling EMS. If EMS was previously explicitly disabled, it can be re-enabled by setting the following registry key values:<\/p>\n<p>HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\Schannel<\/p>\n<p>On TLS Server: <em>DisableServerExtendedMasterSecret<\/em>: 0<br \/>On TLS Client: <em>DisableClientExtendedMasterSecret<\/em>: 0<\/p>\n<p>This should resolve the TLS connection problems. 
(<a href=\"https:\/\/www.deskmodder.de\/blog\/2019\/10\/30\/tls-timeout-problem-unter-windows-7-8-1-sowie-windows-10-und-server-2016-1607-inklusive-workaround\/\" target=\"_blank\" rel=\"noopener noreferrer\">via<\/a>)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Windows 7, Windows 8.1 and various Windows Server versions have timeouts in TLS connections after installing the latest October 2019 updates. Microsoft has confirmed these TLS timeouts in a support article.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[463,2],"tags":[2164,195,194],"class_list":["post-11704","post","type-post","status-publish","format-standard","hentry","category-issue","category-windows","tag-isseu","tag-update","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/11704","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=11704"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/11704\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=11704"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=11704"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=11704"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}