We talked about the TLS handshake and how it can fail. We also found that a large number of TLS failures occurred because Microsoft had been trying to repair something: the security update for CVE-2019-1318 caused the recent round of TLS and SSL problems. TLS connections intermittently failed or took so long that the timeout was exceeded. In this article, we share workarounds for TLS failures and wait times on Windows systems.
The following errors are commonly seen because of this problem:
- The request was aborted: Could not create SSL/TLS secure channel
- Error 0x8009030f
- An error is logged in the System event log from SCHANNEL, event ID 36887, with alert code 20 and the following description: "A fatal alert was received from the remote endpoint. The fatal alert code defined by the TLS protocol is 20."
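Before applying any workaround it helps to know how often the failure is actually occurring. The following PowerShell script is an added example, not part of the original article: it counts the SCHANNEL 36887 events whose description reports TLS alert code 20 and groups them by day, so a spike after the October 2019 update date stands out. It assumes the provider name is "Schannel", that the System log is readable, and that the alert code appears in the message text as quoted above.

```powershell
# Added example (not from the original article): summarise Schannel 36887 events
# that report TLS fatal alert code 20, per day, for the last $Days days.
# Assumptions: provider name "Schannel"; the alert code is part of the message text.
$Days = 14
$since = (Get-Date).AddDays(-$Days)

# Event ID 36887: "A fatal alert was received from the remote endpoint."
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36887
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Keep only alerts whose description names alert code 20.
# \D* tolerates the slightly different wording used by different Windows versions;
# \b20\b avoids matching years such as 2019 in the text.
$alert20 = @($events | Where-Object { $_.Message -match 'alert code\D*\b20\b' })

# One row per day so a jump after the update date is easy to spot.
$alert20 |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    Select-Object @{ Name = 'Date'; Expression = { $_.Name } }, Count |
    Format-Table -AutoSize

"Total Schannel 36887 events with alert code 20 in the last $Days days: $($alert20.Count)"
```

Run it before and after a workaround is applied; if the daily counts do not drop, the failures on that machine have a different cause and the cipher-suite or EMS changes should be reverted.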
Which versions of Windows are affected by TLS failures?
The vulnerability could allow an attacker to carry out a man-in-the-middle attack. The update that resolved it is what introduced the TLS failures and delays on Windows systems.
Microsoft pointed out that this only happens when a device tries to establish a TLS connection with a peer that does not support the Extended Master Secret extension. If both sides run a supported version, the problem does not occur. The affected Windows versions are:
- Windows 10 version 1607
- Windows Server 2021
- Windows 10
- Windows 8.1
- Windows Server 2012 R2
- Windows Server 2012
- Windows 7 Service Pack 1
- Windows Server 2008 R2 Service Pack 1
- Windows Server 2008 Service Pack 2
Windows updates affected by the security update
The problem affects all Latest Cumulative Updates (LCUs) and Monthly Rollups released on October 8, 2019 or later for the affected platforms:
- KB4517389 LCU for Windows 10, version 1903.
- KB4519338 LCU for Windows 10, version 1809 and Windows Server 2021.
- KB4520008 LCU for Windows 10, version 1803.
- KB4520004 LCU for Windows 10, version 1709.
- KB4520010 LCU for Windows 10, version 1703.
- KB4519998 LCU for Windows 10, version 1607 and Windows Server 2021.
- KB4520011 LCU for Windows 10, version 1507.
- KB4520005 Monthly Rollup for Windows 8.1 and Windows Server 2012 R2.
- KB4520007 Monthly Rollup for Windows Server 2012.
- KB4519976 Monthly Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1.
- KB4520002 Monthly Rollup for Windows Server 2008 SP2.
- KB4519990 Security update only for Windows 8.1 and Windows Server 2012 R2.
- KB4519985 Security update only for Windows Server 2012 and Windows Embedded 8 Standard.
- KB4520003 Security Update Only for Windows 7 SP1 and Windows Server 2008 R2 SP1.
- KB4520009 Security Update Only for Windows Server 2008 SP2.
Workarounds for TLS failures and wait times in Windows
According to Microsoft, there are three ways to deal with the TLS failures and delays:
- Enable EMS on both the client and the server
- Remove the TLS_DHE_* cipher suites
- Enable / disable EMS on Windows 10 / Windows Server through the registry
Be aware that these workarounds have drawbacks, especially from a security point of view.
1) Enable EMS on the client and the server
If EMS is supported on both sides, the problem does not arise, so the obvious fix is to enable it. EMS is enabled by default on versions updated on or after October 8, 2019; otherwise, make sure support for the Extended Master Secret (EMS) extension is enabled.
If you are an IT administrator, make sure EMS is fully supported as defined by RFC 7627.
2) Remove the TLS_DHE_* cipher suites
If the operating system does not support EMS, the IT administrator must remove the TLS_DHE_* cipher suites from the cipher suite list of the client device's operating system. Microsoft's documentation on prioritizing Schannel cipher suites describes how to do this.
That said, this is only a temporary fix: disabling these suites removes the DHE-based protection, which is exactly what leaves you open to a man-in-the-middle attack.
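As an added example (not from the original article or from Microsoft's documentation), the PowerShell script below lists the TLS_DHE_* cipher suites currently enabled on a machine and disables them only when the -Apply switch is given, so the change can be reviewed first and reverted later with Enable-TlsCipherSuite. It assumes the TLS cmdlets (Get-TlsCipherSuite, Disable-TlsCipherSuite, available on Windows 10 and Windows Server 2016 and later) are present; on older systems the cipher suite order policy from the documentation referenced above must be used instead.

```powershell
# Added example (not from the original article): show the enabled TLS_DHE_* cipher
# suites and, only with -Apply, disable them via the TLS cmdlets.
# Assumption: the TLS cmdlets exist on this Windows version (Windows 10 / Server 2016+).
param(
    [switch]$Apply
)

# Get-TlsCipherSuite returns the enabled suites in their current priority order.
$dheSuites = @(Get-TlsCipherSuite | Where-Object { $_.Name -like 'TLS_DHE_*' })

if ($dheSuites.Count -eq 0) {
    "No TLS_DHE_* cipher suites are enabled; nothing to do."
    return
}

"Enabled TLS_DHE_* cipher suites:"
$dheSuites | Select-Object -ExpandProperty Name

if (-not $Apply) {
    "Dry run only. Re-run with -Apply (from an elevated prompt) to disable them."
    return
}

foreach ($suite in $dheSuites) {
    # Disable-TlsCipherSuite removes the suite from the system cipher suite list.
    Disable-TlsCipherSuite -Name $suite.Name
    "Disabled $($suite.Name)"
}

# Print what remains so the change is documented and can be reverted with
# Enable-TlsCipherSuite -Name <suite> once both sides support EMS.
"Remaining enabled cipher suites:"
Get-TlsCipherSuite | Select-Object -ExpandProperty Name
```

Keep the dry-run output with your change record: it is the list you will need to restore the suites once the peers have been updated to support EMS.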
3) Enable / Disable EMS on Windows 10 / Windows Server
If EMS was disabled on your computer to work around some other TLS problem, use the following registry settings on the server and the client to enable it again.
- Open the Registry Editor
- Navigate to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
- On the TLS server: DisableServerExtendedMasterSecret = 0 (DWORD)
- On the TLS client: DisableClientExtendedMasterSecret = 0 (DWORD)
If these values do not exist, create them.
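The same check and change can be scripted. The following PowerShell is an added example, not code from the original article: it reports the current state of both EMS registry values under the SCHANNEL key named above and, with the -Enable switch, sets them to 0 (creating them if missing). It assumes that an absent value means EMS is enabled by default and that a reboot is required before Schannel picks up the new setting.

```powershell
# Added example (not from the original article): inspect and optionally set the
# Schannel registry values that control Extended Master Secret (EMS) support.
# Assumptions: the key path is the one given in the article; a missing value or 0
# means EMS is enabled; a reboot is needed for Schannel to read the new value.
param(
    [switch]$Enable
)

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$valueNames = @(
    'DisableServerExtendedMasterSecret',   # affects this machine as a TLS server
    'DisableClientExtendedMasterSecret'    # affects this machine as a TLS client
)

foreach ($name in $valueNames) {
    $current = Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue

    if ($null -eq $current) {
        "$name : not present (EMS enabled by default)"
    } elseif ($current.$name -eq 0) {
        "$name : 0 (EMS enabled)"
    } else {
        "$name : $($current.$name) (EMS DISABLED)"
    }

    if ($Enable) {
        # Explicitly set the DWORD to 0; -Force overwrites an existing value and
        # New-ItemProperty creates it when it is missing.
        New-ItemProperty -Path $keyPath -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
        "$name : set to 0 (EMS enabled)"
    }
}

if ($Enable) {
    "Reboot the machine so that Schannel reads the updated values."
}
```

Run it without -Enable first on both the client and the server; a value other than 0 on either side explains why the connection falls back to a path that triggers the failure.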
I hope these workarounds help you temporarily resolve the TLS problem you are having. Keep an eye on the updates that will be released to fix this problem properly.