Overview

At a customer we experienced critical application behaviour after applying the ssl cypher suite configuration as enforced and required from central security team. After applying these settings we have no longer been able to access a critical security application hosted on a Microsoft infrastructure in IIS web server.

System Overview

• Operating System: Windows Server 2019 and older
• Browser: Edge, Chrome, Firefox
• Hardening Configuration: Various SSL / TLS protocol and cipher settings

Problem

After the hardening configuration is applied one cannot access a website using HTTPS hosted on a Windows Server 2019 with Chrome, Edge or Firefox.

Notable it works with Internet Explorer.

Cause

After some time of analysis it turn out that problem was the (reuqired) TLS 1.3 configuration – this was (as required) enabled on a Windows Server 2019 system with the following two registry keys:

"key": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.3\\Server",
"valueName": "Enabled",
"valueType": "Dword",
"valueData": 1

"key": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.3\\Server",
"valueName": "DisabledByDefault",
"valueType": "Dword",
"valueData": 0

Our assumption

As Windows Server 2019 (and below) do not support TLS 1.3 but the modern browsers do, the client and the server tried to communicate with TLS 1.3 which failed. Access to the website was no longer possible. This problem does not occur on Windows Server 2022 for example as on this operating system TLS 1.3 is supported.

Solution and shake down test

Remove above keys. After removal of the registry key website can be browsed again.

References

Microsoft documentation „Protocols in TLS/SSL – Schannel SSP“

https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl–schannel-ssp-

Schlagwörter: SSL, TLS, TLS 1.3, Windows Server 2019, Edge, Chrome, Firefox, err_connection_reset, Schannel