9

I am getting this error in my server's Windows event log:

An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

When I try to connect to a web service on a Windows 7 box from a Windows Server 2003 box.

How do I add a cipher suite to one that the other supports?

(fixing clients is ideal, but failing that a server solution is fine - I have access to all boxes involved, I just want some basic encryption between them for privacy).

Along with hours of googling and reading, I have tried:

  • Checked the server's Windows Event Viewer (found the cipher suite error)
  • Added cipher suites to test1 from http://support.microsoft.com/kb/948963 (didn't help)
  • Added TLS 1.0 to the protocols in the cipher suites section of the server's Windows registry (no change)
  • Installed IIS tools hoping that adds more protocols to Schannel (it doesn't)
  • Exported the certificate for clients again, but with the private key included (no change)
  • Checked that the installed cipher suites match on server and client (can't find where Win2k3 lists them)
  • Added TLS_RSA_WITH_AES_256_CBC_SHA (installed by the above hotfix) to the server's cipher suites (nope, already on there)
MGOwen
  • @sohnee http://serverfault.com/questions/166750/why-does-windows-ssl-cipher-suite-get-restricted-under-certain-ssl-certificates?rq=1 Gary's answer on this question goes some way to answering this in detail. – Drifter104 Dec 11 '15 at 13:15
  • You probably already know this, but I'll post it anyway for those who might not be aware. [Windows 2003 is no longer supported by Microsoft](http://www.microsoft.com/en-us/server-cloud/products/windows-server-2003/) and will no longer receive updates. If you're using 2k3, you should migrate or upgrade. – Liczyrzepa Dec 17 '15 at 20:23
  • This problem is also visible on Server 2008 (and probably 2012 although I haven't got any SSL on 2012 here yet). – Fenton Dec 18 '15 at 16:30

2 Answers

5

Windows 7 uses the new CNG (Cryptography Next Generation) API when choosing ciphers. CNG for Windows 2003 is not available as far as I know.

You can however, install these AES based cipher suites for use on Windows 2003:

  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA

These are the first suites Windows Vista and Windows 7 clients will try to negotiate for use with TLS 1.0 and above, and are also supported by OpenSSL clients.

In order to use these, install KB948963.

Mathias R. Jessen
  • Thanks! I should have mentioned that I already tried that - it didn't solve the problem for me. Maybe the other box still rejects them because CBC is no longer considered safe? They are in its cipher suites list, though, so what else can I do? :( – MGOwen Jun 17 '13 at 13:37
  • Interesting how the community works. Now the top answer for this question is one that never worked, and the real answer is downvoted... I assume due to SHA1 being deprecated some years after this question was long forgotten. Hopefully this answer helps somebody - or no-one is forced to support Win 2k3 servers anymore... – MGOwen Jan 09 '16 at 00:24
  • @MGOwen I'm sorry I wasn't able to help you. I've personally solved an issue similar to yours, with the hotfix I linked to. Hopefully, the upvotes reflect the number of people who found this answer useful – Mathias R. Jessen Jan 09 '16 at 00:46
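The event in the question only says that the intersection of the two cipher-suite lists was empty; it does not say which suites the client offered or which ones the server would have accepted. The following is an added example (not code from the question or either answer) that probes a TLS server from the client side: it sends a TLS 1.0 ClientHello offering exactly one cipher suite and reports whether the server answers with a ServerHello selecting it or with a fatal alert (handshake_failure, 40, is what Schannel sends when it logs the event above). The suite list is the two AES suites named in this answer plus the RSA suites a pre-hotfix Windows 2003 client can offer; the host name and port in `__main__` are placeholders, not from the original post.

```python
"""Per-suite TLS 1.0 handshake probe (added example; not from the original page).

Offers one cipher suite per connection and classifies the server's first record.
Host/port defaults are assumptions; point it at the Windows 7 web service.
"""
import os
import socket
import struct

# Suites named in the answer (added by KB948963) plus the RSA suites an
# un-patched Windows 2003 client offers. RC4/3DES are here for diagnosis only.
SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "TLS_RSA_WITH_AES_256_CBC_SHA": 0x0035,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_RC4_128_MD5": 0x0004,
}
TLS10 = b"\x03\x01"
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter",
               70: "protocol_version", 80: "internal_error"}


def build_client_hello(suite_id, client_random=None):
    """TLS record holding a TLS 1.0 ClientHello that offers a single suite.

    No extensions (works against servers that predate SNI), empty session id,
    one compression method (null). client_random is injectable for testing.
    """
    rand = client_random if client_random is not None else os.urandom(32)
    body = (TLS10 + rand
            + b"\x00"                      # session_id length 0
            + struct.pack(">H", 2)         # cipher_suites length: one suite
            + struct.pack(">H", suite_id)
            + b"\x01\x00")                 # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # type, 24-bit len
    return b"\x16" + TLS10 + struct.pack(">H", len(handshake)) + handshake


def parse_server_reply(data):
    """Classify the first TLS record of a reply.

    Returns ("server_hello", chosen_suite), ("alert", description) or
    ("other", content_type_or_None) when nothing parseable came back.
    """
    if len(data) < 5:
        return ("other", None)
    ctype, _major, _minor, rlen = struct.unpack(">BBBH", data[:5])
    payload = data[5:5 + rlen]
    if ctype == 0x15 and len(payload) >= 2:              # alert: level, description
        return ("alert", payload[1])
    if ctype == 0x16 and payload and payload[0] == 0x02:  # handshake: ServerHello
        # type(1) len(3) version(2) random(32) sid_len(1) sid cipher(2) comp(1)
        sid_len = payload[38]
        off = 39 + sid_len
        return ("server_hello", struct.unpack(">H", payload[off:off + 2])[0])
    return ("other", ctype)


def outcome(kind, detail, offered):
    """Human-readable verdict for one probe."""
    if kind == "server_hello":
        return "accepted" if detail == offered else "server chose %#06x" % detail
    if kind == "alert":
        return "alert " + ALERT_NAMES.get(detail, str(detail))
    return "no TLS reply (connection closed?)"


def probe(host, port, suite_id, timeout=5.0):
    """Open a connection, send one ClientHello, read one full record."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(suite_id))
        data = b""
        while len(data) < 5 or len(data) < 5 + struct.unpack(">H", data[3:5])[0]:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_server_reply(data)


def report(host, port):
    return {name: outcome(*probe(host, port, sid), sid) for name, sid in SUITES.items()}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "win7-host.example"  # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for name, verdict in report(host, port).items():
        print("%-32s %s" % (name, verdict))
```

Run it from the Windows 2003 box (or any machine that can reach the service) as `python probe.py <host> <port>`. A row that reads `accepted` for an AES suite means the server side is fine and the 2003 client is not offering it; `alert handshake_failure` on every row means the server's own list (or its certificate's key type, as the accepted answer below found) is the problem; `alert protocol_version` means TLS 1.0 itself is disabled on the server. Some Schannel versions simply close the socket instead of sending an alert, which shows up as "no TLS reply".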
-1

The solution was to generate my certificate again, this time forcing RSA and SHA1 (though SHA1 is the default anyway). For some reason Win Server 2k3 couldn't or wouldn't use the right ciphers with a default makecert certificate. Here is the command line that worked for me:

makecert -pe -r -ss my -sr localMachine -n "CN=domainnameoripaddressgoeshere.com" -e 01/01/2098 -a sha1 -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

For details see http://mgowen.com/2013/06/19/cipher-suites-issue/ and http://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.110).aspx .

MGOwen
  • sha1 is deprecated. I'm guessing the problem arose because all the ciphers supported by your 2003 client are deprecated due to security developments over the past couple of years. Your opening up those ciphers again is likely to be opening security holes. Note also that Google will penalise you if you use SHA1 for a website cert. https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know – mc0e Dec 11 '15 at 15:12
  • The phrase "SHA1 should be the default anyway" is likely true in the context you were probably using, but as @mc0e said, it is deprecated due to security issues, and nowadays that phrase would send shivers down the spines of IT and security professionals. Make sure to use SHA-2 (SHA-256) whenever possible, as it is the standard now. – rubynorails Dec 12 '15 at 09:06
  • Thanks rubynorails. I've edited my answer, I meant that SHA1 was the default on makecert (in 2013 when I wrote that, not sure if there are newer versions of makecert for which this is no longer the case). I'll see if we still use SHA1 and consider seeing if it's worth trying to get makecert to use something else and do our certificates again (it's not for a public facing product). – MGOwen Jan 09 '16 at 00:21
  • For Server 2003 SP2 to *accept* (verify) a SHA-256 certificate it requires *another* hotfix https://support.microsoft.com/en-us/kb/938397 . (XP SP2 also required this, but it got SP3 with the fix before support ended.) – dave_thompson_085 Jan 09 '16 at 04:46