Web Debug

Fix broken web applications, from servers to clients.

SSL cipher suites get restricted under certain SSL certificates

Sometimes you will notice that certain secure websites cannot be viewed by Windows XP clients, while they work fine on Windows Vista or above:

http://serverfault.com/questions/166750/why-does-windows-ssl-cipher-suite-get-restricted-under-certain-ssl-certificates

Problem:

Windows Server 2008 R2 will only support the following SSL cipher suites when using certain certificates on the server:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA


This prevents XP clients from connecting to the server, since the XP Cryptographic API doesn't support any AES ciphers by default.
As a result, the following errors appear in the server logs when attempting to connect using Internet Explorer or Remote Desktop (since they use Microsoft's CAPI):

Schannel Error 36874 "An TLS 1.0 connection was received from a remote client application, but none of the cipher suites supported by the client are supported by the server. The SSL connection request has failed."
Schannel Error 36888 "The following fatal alert was generated: 40. The internal error state is 1204."


 


Root Cause:

If the certificate being used on the server was generated using the Legacy Key option in the certificate request form, the private key for that certificate will be stored in Microsoft's legacy Cryptographic API framework. When the web server tries to process requests using its new, Cryptographic Next Generation (CNG) framework, it appears that something related to the RSA private key stored in the legacy framework is unavailable to the new framework. As a result, the use of the RSA cipher suites is severely limited.

Solution:
Generate the certificate request using the CNG Key template in the custom certificate request wizard.

MMC | Local Computer Certificate Manager | Personal Certificates Folder | (right click) | All Tasks -> Advanced Operations | Create Custom Request | "Proceed without enrollment policy" | select "(no template) CNG key" | proceed to complete the certificate request according to your needs.


Verifying that the key is in the right place:
http://msdn.microsoft.com/en-us/library/bb204778(VS.85).aspx
http://www.jensign.com/KeyPal/index.html
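
One way to check which framework holds each certificate's private key, as an added example that is not part of the original post: the script reads the `Provider` line that `certutil -store My` prints for every certificate with a private key and labels it CNG or legacy CAPI. The function name `Get-CertKeyProvider`, the English certutil output layout and the list of CNG provider names are assumptions of this example.

```powershell
# Added example (not from the original post). PowerShell 2.0 compatible.
function Get-CertKeyProvider {
    param([Parameter(Mandatory=$true)][string[]]$CertutilLines)

    # Assumption: Microsoft's built-in CNG key storage providers (KSPs).
    # Any other provider name is reported as a legacy CAPI CSP.
    $cngProviders = @(
        'Microsoft Software Key Storage Provider',
        'Microsoft Smart Card Key Storage Provider',
        'Microsoft Platform Crypto Provider'
    )
    $subject = $null
    $hash = $null
    foreach ($line in $CertutilLines) {
        if ($line -match '^=+ Certificate \d+ =+') {
            # New certificate block: forget the previous certificate's fields.
            $subject = $null; $hash = $null
        } elseif ($line -match '^Subject:\s*(.+)$') {
            $subject = $Matches[1].Trim()
        } elseif ($line -match '^Cert Hash\(sha1\):\s*(.+)$') {
            $hash = $Matches[1].Trim()
        } elseif ($line -match '^\s*Provider = (.+)$') {
            # Only certificates with a private key have a Provider line.
            $provider = $Matches[1].Trim()
            if ($cngProviders -contains $provider) { $store = 'CNG' } else { $store = 'Legacy CAPI' }
            New-Object PSObject -Property @{
                Subject = $subject; Thumbprint = $hash
                Provider = $provider; KeyStore = $store
            }
        }
    }
}

# Constructed sample in the layout certutil prints. On a real server, run:
#   Get-CertKeyProvider (certutil -store My)
$sample = @'
================ Certificate 0 ================
Subject: CN=legacy.example.test
Cert Hash(sha1): 0000000000000000000000000000000000000001
  Key Container = constructed-container-0
  Provider = Microsoft RSA SChannel Cryptographic Provider
================ Certificate 1 ================
Subject: CN=cng.example.test
Cert Hash(sha1): 0000000000000000000000000000000000000002
  Key Container = constructed-container-1
  Provider = Microsoft Software Key Storage Provider
'@ -split '\r?\n'
Get-CertKeyProvider $sample | Format-Table Subject, KeyStore, Provider -AutoSize
```

A server certificate reported as `Legacy CAPI` is a candidate for the restricted cipher-suite behaviour described above.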

Tools for verifying correct cipher-suites:
http://pentestit.com/2010/05/16/ssltls-audit-audit-web-servers-ssl-ciphers/
https://www.ssllabs.com/

SSL cipher-suite settings:
http://support.microsoft.com/kb/245030
http://blogs.technet.com/b/steriley/archive/2007/11/06/changing-the-ssl-cipher-order-in-internet-explorer-7-on-windows-vista.aspx

 
