We have talked about the TLS handshake, and how it can fail. We also marked that a lot of TLS failures had happened because Microsoft tried fixing something. A security updated CVE-2019-1318 has caused the recent one rolled for TLS and SSL. It has resulted in TLS connections intermittently failing or taking a long time and resulting in a timeout. In this post, we will share the workarounds for TLS Failures and Timeouts in Windows systems.
Following errors are common because of this ongoing problem:
- The request was aborted: Could not create SSL/TLS secure Channel
- Error 0x8009030f
- An error logged in the System Event Log for SCHANNEL event 36887 with alert code 20 and the description, “A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.?”
Which versions of Windows are affected with TLS Failures?
The vulnerability can give the attacker a chance to perform a man-in-the-middle attack. This was fixed by the update, and it resulted in TLS Failures, Timeouts in Windows systems.
Microsoft pointed out that it only happens when the devices are trying to make TLS connections to devices without support for the Extended Master Secret extension. If the devices have the supported version, then it doesn’t occur. Here is the list of Windows versions affected as of now:
- Windows 10 Version 1607
- Windows Server 2016
- Windows 10
- Windows 8.1
- Windows Server 2012 R2
- Windows Server 2012
- Windows 7 Service Pack 1
- Windows Server 2008 R2 Service Pack 1
- Windows Server 2008 Service Pack 2
List of Windows Updates are affected because of the security update
Any latest cumulative update (LCU) or Monthly Rollups released on October 8, 2019, or later for the affected platforms may experience this issue:
- KB4517389 LCU for Windows 10, version 1903.
- KB4519338 LCU for Windows 10, version 1809, and Windows Server 2019.
- KB4520008 LCU for Windows 10, version 1803.
- KB4520004 LCU for Windows 10, version 1709.
- KB4520010 LCU for Windows 10, version 1703.
- KB4519998 LCU for Windows 10, version 1607, and Windows Server 2016.
- KB4520011 LCU for Windows 10, version 1507.
- KB4520005 Monthly Rollup for Windows 8.1 and Windows Server 2012 R2.
- KB4520007 Monthly Rollup for Windows Server 2012.
- KB4519976 Monthly Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1.
- KB4520002 Monthly Rollup for Windows Server 2008 SP2
- KB4519990 Security-only update for Windows 8.1 and Windows Server 2012 R2.
- KB4519985 Security-only update for Windows Server 2012 and Windows Embedded 8 Standard.
- KB4520003 Security-only update for Windows 7 SP1 and Windows Server 2008 R2 SP1
- KB4520009 Security-only update for Windows Server 2008 SP2
Workarounds for TLS Failures, Timeouts in Windows
According to Microsoft, there are three ways to fix TLS failures and timeouts.
- Enable EMS on both client and server
- Remove TLS_DHE_* cipher suites
- Enable/Disable EMS on Windows 10/Windows Server
Be aware that there are drawbacks to the workarounds, especially from the security perspective.
1] Enable EMS on both client and server
As we know that if both sides have EMS installed, then the issue doesn’t occur, so the solution is obvious. While EMS has been enabled by default for any release after October 8, 2019, if not, make sure to Enable support for Extend Master Secret (EMS) extension.
If you are an IT admin, make sure to support EMS resumption as defined by RFC 7627 fully.
2] Remove TLS_DHE_* cipher suites
If the operating system doesn’t support EMS, then the IT admin needs to remove TLS_DHE_* cipher suites from the cipher suite list in the OS of the TLS client device. Complete documentation for Prioritizing Schannel Cipher Suites is available.
That said, these are a temporary fix, and disabling them only means you are inviting a man-in-the-middle-attack
3] Enable/Disable EMS on Windows 10/Windows Server
If, for any TLS issue, you had disabled EMS on your computer, then make use of the registry settings on both server and client to enable it.
- Open Registry Editor
- Navigate to HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel
- On TLS Server: DisableServerExtendedMasterSecret: 0
- On TLS Client: DisableClientExtendedMasterSecret: 0
If they are not available, you can create them.
I hope these workarounds were useful to fix the issue you are facing with TLS temporarily. Keep an eye on updates that will roll out to fix this problem.