
I have a Windows Server 2012 R2 instance on Azure. For a new website I have ordered a certificate from GlobalSign. After getting the certificates from them I completed the certificate request in IIS and installed the root certificate.

I moved the website to a new instance, so I have exported the certificate with its private key and imported it on the new instance.

That was my installation and it seemed to work pretty well.

Now I am getting a lot of SChannel errors. They are:

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960.

An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

It's the first time that I have used SSL and, to be honest, I have no idea what I am doing. To me it looks fine when I request the website (http://laola.biz).

I have already used the SSL Check by GlobalSign which gives me Grade C. https://sslcheck.globalsign.com/en_US/sslcheck?host=laola.biz#191.233.85.240-cert-ssl

Here is a list of the certificates from mmc (my website is laola.biz):

Intermediate: [screenshot of the Intermediate Certification Authorities store]

Root: [screenshot of the Trusted Root Certification Authorities store]

Personal: [screenshot of the Personal certificate store]

Any ideas what I could have done wrong here?

tobi.at
    I found the solution to my problem. I'm not sure if it may be related to yours. My IIS was using the certificate, so the initial GET request to the server worked fine. After, when I wanted to do a POST and the application had to sign something with the certificate, it was failing to get the certificate due to the application not having permissions to the certificate in the OS store. Hope this helps. – Origin May 29 '15 at 15:57
  • 2
    For the error: "Error Event ID 36888: "The following fatal alert was generated: 20. The internal error state is 960" You can check the resolution in the link below: https://blogs.technet.microsoft.com/keithab/2016/11/11/transport-layer-security-tls-handshake-failing-schannel-error-36888/ and/or https://port135.com/2018/11/20/windows-schannel-error-state-is-960/ – user513485 Mar 08 '19 at 12:43
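The three log messages quoted in the question each carry a TLS alert number (40 and 20 here) and an SChannel internal error state, and the alert number is what tells you which side of the handshake objected. The PowerShell below is an added example, not code from the question or from any of the commenters: it parses those message strings, names the alert code using the TLS alert registry from RFC 5246 section 7.2, and summarises how often each combination occurs so the noisy ones can be separated from the ones worth investigating. The function names (`ConvertFrom-SchannelMessage`, `Get-SchannelAlertSummary`) are my own, and the sample messages are constructed from the question's text; the commented-out `Get-WinEvent` line shows how to feed it the live System log instead.

```powershell
# Added example: triage SChannel event messages by decoding the TLS alert code they carry.
# Alert names are from the TLS alert registry (RFC 5246, section 7.2). Hypothetical helper names.

$TlsAlertNames = @{
    0  = 'close_notify';         10 = 'unexpected_message';   20 = 'bad_record_mac'
    40 = 'handshake_failure';    42 = 'bad_certificate';      43 = 'unsupported_certificate'
    44 = 'certificate_revoked';  45 = 'certificate_expired';  46 = 'certificate_unknown'
    47 = 'illegal_parameter';    48 = 'unknown_ca';           49 = 'access_denied'
    50 = 'decode_error';         51 = 'decrypt_error';        70 = 'protocol_version'
    71 = 'insufficient_security';80 = 'internal_error';       86 = 'inappropriate_fallback'
}

function ConvertFrom-SchannelMessage {
    # Pulls the alert code, SChannel error state and "SSL 3.0 request" flag out of one event message.
    # Handles both message wordings: "fatal error code is 40" and "fatal alert was generated: 20".
    param([Parameter(Mandatory)][string]$Message)
    $alert = $null
    if ($Message -match 'fatal (?:error code is|alert was generated:)\s*(\d+)') { $alert = [int]$Matches[1] }
    $state = $null
    if ($Message -match 'error state is\s*(\d+)') { $state = [int]$Matches[1] }
    $name = 'none'
    if ($null -ne $alert) {
        $name = if ($TlsAlertNames.ContainsKey($alert)) { $TlsAlertNames[$alert] } else { "unknown($alert)" }
    }
    [pscustomobject]@{
        AlertCode    = $alert
        AlertName    = $name
        ErrorState   = $state
        Sslv3Request = ($Message -like 'An SSL 3.0 connection request*')
    }
}

function Get-SchannelAlertSummary {
    # Groups parsed messages by alert/state so a few thousand events collapse into a handful of rows.
    param([Parameter(Mandatory)][string[]]$Messages)
    $Messages | ForEach-Object { ConvertFrom-SchannelMessage -Message $_ } |
        Group-Object AlertCode, ErrorState, Sslv3Request |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Count        = $_.Count
                AlertCode    = $first.AlertCode
                AlertName    = $first.AlertName
                ErrorState   = $first.ErrorState
                Sslv3Request = $first.Sslv3Request
            }
        } | Sort-Object Count -Descending
}

# Constructed sample input (the three messages from the question, repeated as they would be in a real log).
# For live data on the server, use instead:
#   $sample = (Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Schannel'} -MaxEvents 1000).Message
$sample = @(
    'A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.',
    'A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.',
    'A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960.',
    'An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.'
)

Get-SchannelAlertSummary -Messages $sample | Format-Table -AutoSize
```

Reading the output: rows with alert 40 (`handshake_failure`) next to SSL 3.0 requests mean remote clients or scanners offered a protocol or cipher list the server would not accept, which is the server doing its job; a recurring alert 20 (`bad_record_mac`) is the one to dig into, since it means the server rejected a record it could not authenticate and points at the handshake or key material rather than at a protocol mismatch.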

1 Answer


As different people (well meaning and otherwise) attempt to access your site from various devices running various browsers on various operating systems, depending on the protocol they choose to secure that communication, you will end up seeing messages from the schannel source.

The following blog should help you understand some of the messages you see in your logs. http://blogs.msdn.com/b/kaushal/archive/2012/10/06/ssl-tls-alert-protocol-amp-the-alert-codes.aspx

The grade you got there is a little concerning. You wouldn't have SSL3 enabled if you published the site to Azure Websites directly.

You can disable SSL3 using guidance here http://blogs.msdn.com/b/kaushal/archive/2014/10/22/poodle-vulnerability-padding-oracle-on-downgraded-legacy-encryption.aspx

If you can move the site from a VM to an Azure Website itself that would be better. It will save you having to patch and secure the VM(s) used to host the web site. You instead rely on Azure PaaS to provide the platform to host the website. You take care of the web site code while Azure secures and maintains the IIS/platform.

The upcoming changes to the platform from TLS perspective are reflected in https://testsslclient.trafficmanager.net/. You can test this to see the grading your website can get if you were to migrate the site to an Azure website directly.

maweeras
  • adding a link to a video which shows end to end azure web sites creation with source control and continuous deployment. http://channel9.msdn.com/Shows/Azure-Friday/Vishal-and-Scott-create-a-new-startup-with-the-new-Azure-Portal – maweeras Jun 07 '15 at 10:00
  • Hi. Thanks for the links. Although the move to Azure Websites is not a solution. You just can't say I should move to a different server/architecture, because I've got a problem with the other one. I do have my reasons to use a VM. – tobi.at Jun 14 '15 at 09:11
  • That's why I said "if you can...". I didn't say solve it by moving to Azure web sites. In this case you need to investigate each schannel error and see if it's a cause for concern. If you don't know enough about TLS/SSL errors, then you may consider opening a case with Microsoft. – maweeras Jun 15 '15 at 08:12
  • The URL for https://testsslclient.trafficmanager.net no longer works – JoshBerke Jul 28 '16 at 14:35
  • I don't make it a point to regularly go update my old posts. The info was correct at the time it was posted. – maweeras Jun 17 '20 at 07:22
  • yay someone gave a downvote with no details as to why. Super helpful! – maweeras Jun 17 '20 at 07:24
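The answer points at the POODLE guidance for disabling SSL 3.0 but does not show the mechanics. On Windows, SChannel protocol enablement is controlled per protocol and per side under `HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols`, with `Enabled` and `DisabledByDefault` DWORD values. The PowerShell below is an added example, not code from the answer or from Microsoft: it reports the current server-side SSL 3.0 state and, when asked, writes the two values that turn it off for inbound connections. The function names (`Get-Sslv3ServerState`, `Disable-Sslv3Server`) are mine; it assumes an elevated session on the VM, and the change only takes effect after a reboot.

```powershell
# Added example: inspect and disable SSL 3.0 for inbound (server-side) SChannel connections.
# Run elevated; reboot afterwards for SChannel to pick up the change. Hypothetical helper names.

$Sslv3Server = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'

function Get-Sslv3ServerState {
    # Reports the registry-level state. A missing key means no explicit setting exists and the
    # operating-system default applies, so that case is reported rather than guessed at.
    if (-not (Test-Path -Path $Sslv3Server)) {
        return [pscustomobject]@{ KeyPresent = $false; Enabled = $null; DisabledByDefault = $null; Effective = 'OS default' }
    }
    $props   = Get-ItemProperty -Path $Sslv3Server
    $enabled = $props.Enabled
    $dbd     = $props.DisabledByDefault
    $effective = if ($enabled -eq 0) { 'disabled' }
                 elseif ($dbd -eq 1) { 'disabled unless an application opts in' }
                 else { 'enabled' }
    [pscustomobject]@{ KeyPresent = $true; Enabled = $enabled; DisabledByDefault = $dbd; Effective = $effective }
}

function Disable-Sslv3Server {
    # Enabled=0 hard-disables the protocol; DisabledByDefault=1 also stops applications that do not
    # request a protocol explicitly from negotiating it. Both are set so the result does not depend on the app.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($Sslv3Server, 'Disable SSL 3.0 server-side')) {
        if (-not (Test-Path -Path $Sslv3Server)) { New-Item -Path $Sslv3Server -Force | Out-Null }
        New-ItemProperty -Path $Sslv3Server -Name 'Enabled'           -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $Sslv3Server -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
    Get-Sslv3ServerState
}

# Show the state before, apply the change, show it after. Use -WhatIf on the second call to preview only.
Get-Sslv3ServerState | Format-List
Disable-Sslv3Server   | Format-List
```

After the reboot, the "SSL 3.0 connection request was received ... none of the cipher suites" events from the question should stop, because the server no longer answers SSL 3.0 at all; any client that only speaks SSL 3.0 will fail to connect, which is the intended trade-off. The same key layout (`Protocols\<name>\Server` and `\Client`) applies to the TLS versions, so the same two functions can be pointed at another protocol path if the scan grade calls for it.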