Configuring cipher suites leads to website issues
At a customer we experienced critical application behaviour after applying the SSL cipher suite configuration enforced and required by the central security team. After applying these settings we were no longer able to access a critical security application hosted on Microsoft infrastructure on an IIS web server.
- Operating System: Windows Server 2019 and older
- Browser: Edge, Chrome, Firefox
- Hardening Configuration: Various SSL / TLS protocol and cipher settings
After the hardening configuration is applied, a website served over HTTPS from a Windows Server 2019 host can no longer be accessed with Chrome, Edge or Firefox.
Notably, it still works with Internet Explorer.
After some analysis it turned out that the problem was the (required) TLS 1.3 configuration, which had been enabled, as required, on a Windows Server 2019 system with the following two registry keys:
"key": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.3\\Server", "valueName": "Enabled", "valueType": "Dword", "valueData": 1
"key": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.3\\Server", "valueName": "DisabledByDefault", "valueType": "Dword", "valueData": 0
As Windows Server 2019 (and older) does not support TLS 1.3 while modern browsers do, the client and the server tried to communicate with TLS 1.3 and the handshake failed, so the website could no longer be accessed. This problem does not occur on Windows Server 2022, for example, because that operating system supports TLS 1.3.
Solution and shake-down test
Remove the keys above. After the registry keys are removed, the website can be browsed again.
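The check, the fix and the shake-down test from this post as one added PowerShell example (not from the original post or from Microsoft). It assumes Schannel TLS 1.3 is available from Windows Server 2022 (build 20348) onward and treats any older build as unsupported; the host name in the last line is a placeholder.

```powershell
# Added example: audit the Schannel "TLS 1.3\Server" values from the post and,
# on request, remove them on an OS build that cannot speak TLS 1.3.
# Assumption: Schannel TLS 1.3 exists from Windows Server 2022 (build 20348) on.
# Run in an elevated PowerShell session.

$Tls13ServerKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server'
$MinBuildWithTls13 = 20348

function Get-Tls13ServerSetting {
    # Report OS build, whether the key exists, its two values, and whether the
    # combination is the failing state from the post (forced on, unsupported build).
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $props = Get-ItemProperty -Path $Tls13ServerKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Build             = $build
        OsSupportsTls13   = ($build -ge $MinBuildWithTls13)
        KeyPresent        = ($null -ne $props)
        Enabled           = $props.Enabled
        DisabledByDefault = $props.DisabledByDefault
        Misconfigured     = ($null -ne $props) -and ($build -lt $MinBuildWithTls13) -and ($props.Enabled -eq 1)
    }
}

function Repair-Tls13ServerSetting {
    # The fix applied in the post: drop the two values, but only when misconfigured.
    $state = Get-Tls13ServerSetting
    if (-not $state.Misconfigured) { return $state }
    foreach ($name in 'Enabled', 'DisabledByDefault') {
        Remove-ItemProperty -Path $Tls13ServerKey -Name $name -ErrorAction SilentlyContinue
    }
    Get-Tls13ServerSetting
}

function Test-TlsHandshake {
    # Shake-down test: complete a TLS handshake against the site (default certificate
    # validation) and report the protocol actually negotiated. Throws on a reset.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream())
        $ssl.AuthenticateAsClient($HostName)
        [pscustomobject]@{ HostName = $HostName; Protocol = $ssl.SslProtocol; Cipher = $ssl.CipherAlgorithm }
    } finally {
        $client.Dispose()
    }
}

Get-Tls13ServerSetting | Format-List
# Repair-Tls13ServerSetting | Format-List
# Test-TlsHandshake -HostName 'intranet.example.com'   # placeholder host name
```

Schannel reads these settings at startup, so reboot the server after the values are removed before running the handshake test.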
Microsoft documentation "Protocols in TLS/SSL – Schannel SSP"
Tags: SSL, TLS, TLS 1.3, Windows Server 2019, Edge, Chrome, Firefox, err_connection_reset, Schannel