SSL Handshake error when using HTTPS


The certificate is installed and an SSL web site is set up in IIS (as described in "Implement an SSL Web Site in IIS"), yet HTTPS does not work. We checked the system and found that the settings (i.e. the SSL port), the file permissions (i.e. the MachineKeys folder, KB278381) and the certificate are all correct.

Symptom:

Browsing to the site over HTTPS in Internet Explorer returns the error:

The page cannot be displayed.

Cannot find server or DNS error.

Troubleshooting:

The SSL Diagnostics tool shows that the error occurs during the SSL handshake, as below:

Connected

Handshake: 78 bytes sent

#WARNING:Handshake: unspecified error receiving data

#WARNING:Handshake: 0x80090304 (-2146893052) error

The network trace shows that the server receives a Client Hello message from the client but never responds with a Server Hello, the message that would carry the server's certificate and the list of ciphers that both the client and the server are prepared to use.

Check the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

We found that every protocol the secure channel (Schannel) can use to establish SSL connections had been disabled on the server side, as below:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]

"Enabled"=dword:00000000


Cause:

At least one protocol must be enabled for the secure channel to be established. With all of them disabled, Schannel has no protocol it may negotiate, so it cannot answer the Client Hello and the handshake fails.

Solution:

1. Open "regedit".

2. Go to the key path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

3. Delete the "Enabled" value under these four protocol keys (PCT 1.0, SSL 2.0, SSL 3.0 and TLS 1.0).

Check with your security administrator about which protocols should be used. You can enable either PCT 1.0 and SSL 2.0, or SSL 3.0 and TLS 1.0, or all of them.

PCT 1.0 and SSL 2.0 are older, weaker protocols, while SSL 3.0 and TLS 1.0 are newer and more secure.

This change may affect client settings. For example, if you enable only SSL 3.0 and TLS 1.0 and you have clients that are not configured to use SSL 3.0/TLS 1.0, connections from those clients will fail. In Internet Explorer, the setting should ideally be configured as shown below:

IE SSL Setting (screenshot)

4. Reboot the machine for the change to take effect.
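To make the registry check above repeatable before and after the fix, here is an added Python example (not part of the original post) that parses a .reg export of the Protocols key and reports whether any server-side protocol is still enabled. The two exports are constructed to mirror the broken and the fixed state; the script assumes, as the fix does, that a missing "Enabled" value leaves the protocol enabled.

```python
import re

# Constructed .reg excerpt reproducing the state found above: every
# server-side protocol explicitly disabled (Enabled = 0).
BROKEN_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"""
# Constructed .reg excerpt after the fix: the weak protocols stay disabled and
# the Enabled value under SSL 3.0 and TLS 1.0 has been deleted.
FIXED_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"""
PROTOCOLS_PATH = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
PROTOCOLS = ("PCT 1.0", "SSL 2.0", "SSL 3.0", "TLS 1.0")
WEAK = {"PCT 1.0", "SSL 2.0"}  # the weaker protocols named in the post
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')

def parse_reg(text):
    """Return {key path: {value name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})  # a key with no values is still recorded
        elif (m := DWORD_RE.match(line)) and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys

def diagnose(reg_text):
    """List the server-side protocols Schannel may still use; a missing Enabled
    value counts as enabled (assumption, the same one the fix above relies on)."""
    keys = parse_reg(reg_text)
    enabled = [p for p in PROTOCOLS
               if keys.get(f"{PROTOCOLS_PATH}\\{p}\\Server", {}).get("Enabled", 1) != 0]
    return {"handshake_possible": bool(enabled), "enabled": enabled,
            "weak_enabled": [p for p in enabled if p in WEAK]}
print("before:", diagnose(BROKEN_REG), "after:", diagnose(FIXED_REG))
```

Feed it the output of `reg export` on the Protocols key to confirm that the "after" state lists at least one protocol and, ideally, none of the weak ones.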

More Information:

How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll

https://support.microsoft.com/kb/245030/

How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services

https://support.microsoft.com/kb/187498/

Sincerely,

Anik Shen