Bug with TLS 1.2 in Internet Explorer 11 / Windows 7?


Solution 1

We had some Windows 7 boxes that had the same behavior. It ended up that we needed to install MS14-066 to enable some additional ciphers. No idea why a patch from late 2014 wasn't installed already, but there you go.

Your mileage may vary.

Solution 2

Check whether you are using an MD5 certificate or not, since Internet Explorer 9/10/11 and Edge abort the connection if the server provides a certificate chain which uses MD5 algorithm, as mentioned at the end of this blog:

If the server negotiates a TLS1.2 connection with a Windows 7 or 8 schannel.dll-using client application, and it provides a certificate chain which uses the (weak) MD5 hash algorithm, the client will abort the connection (TCP/IP FIN) upon receipt of the certificate.

Searching with the keywords md5 tls1.2 reveals this blog post, TLS 1.2 handshake failure, which describes the same problem in more detail. Basically, according to RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2, MD5 is no longer considered a secure hash function, so schannel.dll follows the RFC and rejects MD5 certificate chains.

While I understand the rationale, it would have been easier to troubleshoot if the error message had been more specific. Therefore, I have filed an issue in the bug tracker.

Swapping in a SHA-256¹ certificate should resolve the problem.

¹ SHA-1 would also work, but it is no longer recommended.
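The check that Solution 2 describes (is any certificate the server sends signed with MD5?) can be automated. The script below is an added example and is not code from the answer or from the blog post it cites: a small pure-Python DER walker that reads the signatureAlgorithm OID of each certificate in a chain and flags MD5 (the case that makes schannel on Windows 7/8 abort a TLS 1.2 handshake) and SHA-1 (deprecated). The sample chain at the bottom is constructed inside the script and is not a real certificate; only the outer Certificate SEQUENCE is shaped correctly. The names pem_to_der, audit_chain, fake_cert and the rest are this example's own.

```python
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 5758) and the hash each one uses.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA-512"),
}

def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Content octets of an OBJECT IDENTIFIER -> dotted string."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    head = [2, arcs[0] - 80] if arcs[0] >= 80 else list(divmod(arcs[0], 40))
    return ".".join(str(a) for a in head + arcs[1:])

def pem_to_der(text):
    """DER bytes of every CERTIFICATE block in a PEM bundle."""
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return [base64.b64decode("".join(b.split())) for b in re.findall(pat, text, re.S)]

def signature_algorithm(cert_der):
    """Dotted OID of Certificate.signatureAlgorithm (RFC 5280, section 4.1)."""
    tag, cert, _ = read_tlv(cert_der)          # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = read_tlv(cert)                 # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)       # AlgorithmIdentifier ::= SEQUENCE
    tag, oid, _ = read_tlv(alg_id)             # its first element is the OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(oid)

def audit_chain(chain_der):
    """For each certificate: (index, algorithm name, verdict). MD5 makes schannel
    on Windows 7/8 drop a TLS 1.2 handshake; SHA-1 connects but should go too."""
    report = []
    for i, cert in enumerate(chain_der):
        oid = signature_algorithm(cert)
        name, digest = SIG_ALGS.get(oid, (oid, "unknown"))
        if digest == "MD5":
            verdict = "FATAL: MD5 signature, IE/Edge on Windows 7/8 abort TLS 1.2"
        elif digest == "SHA-1":
            verdict = "WEAK: SHA-1 signature, connects but no longer recommended"
        else:
            verdict = "ok"
        report.append((i, name, verdict))
    return report

# ---- constructed sample chain: NOT real certificates, only the outer ------
# ---- Certificate SEQUENCE is shaped correctly ----------------------------
def _der(tag, content):
    assert len(content) < 128  # short-form length is enough for the samples
    return bytes([tag, len(content)]) + content

def _oid(dotted):
    """DER-encode a dotted OID (base-128 arcs, first two arcs combined)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for v in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))

def fake_cert(sig_oid):
    """Certificate SEQUENCE with a dummy tbsCertificate and dummy signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))              # placeholder body
    alg = _der(0x30, _oid(sig_oid) + _der(0x05, b""))  # OID + NULL params
    sig = _der(0x03, b"\x00" + bytes(8))               # BIT STRING, dummy
    return _der(0x30, tbs + alg + sig)

SAMPLE_CHAIN = [
    fake_cert("1.2.840.113549.1.1.11"),  # leaf signed with SHA-256: fine
    fake_cert("1.2.840.113549.1.1.4"),   # intermediate signed with MD5: the failure case
]

if __name__ == "__main__":
    for idx, name, verdict in audit_chain(SAMPLE_CHAIN):
        print(f"cert[{idx}] {name}: {verdict}")
```

To audit a live server, capture the chain it actually sends with `openssl s_client -connect host:443 -showcerts`, pass that output through pem_to_der and hand the list to audit_chain. Auditing the served chain rather than the files on disk matters because the intermediate the server presents is what a Windows 7 client validates; a SHA-256 leaf does not help if it is accompanied by an MD5-signed intermediate.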


Author: nhahtdh

Updated on September 18, 2022

Comments

  • nhahtdh, almost 2 years

    I am running some small websites which are served by Apache / Linux. Currently, I am trying to cut down the SSL configuration as far as possible to make it as secure as possible.

    I have configured Apache so that it only allows TLS 1.2 and only ciphers with DHE or ECDHE key exchange. The newest versions of Firefox and Chrome (as of the time of this writing) connect perfectly to the websites on this server.

    But Internet Explorer 11 (running under Windows 7 x64) in standard configuration is not able to connect to any of these websites. Wireshark captures show that IE in its first client hello tries TLS 1.2, shows its ciphers to the server and so on, and that the server's answer is correct, including the cipher chosen.

    Then, seemingly for no reason, IE restarts and sends a new client hello, this time using TLS 1.0, which of course fails and makes IE think that it can't connect to the website.

    Could there be a bug in IE which makes it try the wrong protocol after the right protocol already has been successfully established? A bug which possibly only occurs if the server ONLY provides TLS 1.2 (which is probably quite uncommon)?

    • Steffen Ullrich, over 8 years
      It might be that IE remembers connectivity problems with your site and thus downgrades to TLS 1.0. But it is really hard to check without having something to reproduce, i.e. the URL. But you might check your site against SSLLabs, which also shows if you should expect any problems with specific user agents.
    • Admin, over 8 years
      Steffen, thanks for bothering. I have corrected my problem description because I had a problem with the Wireshark logs, and the problem description was therefore wrong. I can't test the site because I am currently testing internally (private network) before changing any configuration on the public websites ...
    • Admin, over 8 years
      Steffen, I have cleared all caches and restarted IE a dozen times without success ...