
Recently, my IIS 7.5 SSL site started refusing connections after a reboot. Oddly, the issue can be worked around by binding the site with a different cert and then switching back to the correct one.

When failing, Wireshark shows the client sending various SSL hello packets (TLS 1.0, 1.1, 1.2) and the server responding with a TCP RST. When working, the client hello is virtually identical (same ciphers/compression/SNI). The same behavior is displayed for IE and Chrome (contents are slightly different, but the instant RST is common to both). This indicates it is very likely something server side.

My only hint is a random SChannel event ID 36870: "A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 1001." Checking my libraries, 0x8009030d is "SEC_E_UNKNOWN_CREDENTIALS" and 1001 is likely MSG_FILE_NOT_FOUND.

Based on this I checked permissions on the Crypto/RSA folder per kb278381 and found them as expected. I forced inheritance on the underlying folders, but no change in behavior resulted.

Any clues on where to look next would be appreciated!

1 Answer


I'd have guessed it was something resetting permissions on the folder you mentioned, most likely security policy via Group Policy. (Be suspicious of anything which is resetting folder permissions).

Also, just a thought - the location of the private keys has changed since CryptoAPI became Crypto Next Generation, so you might also want to check the ProgramData folders for permissions changes.

You can get at a cert's private key permissions directly through the cert MMC, so if you Manage Private Key permissions, a) you'll see the right key perms for sure*, and b) you might get a hint about what caused the issue.

*actual mileage may be larger in mirror

TristanK
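A way to run the check the answer suggests from PowerShell instead of the cert MMC, added here as an example and not part of the question or answer: it locates each machine cert's private key file under the CryptoAPI and CNG key folders and prints the file ACL, so a reset of folder permissions (or a key file that is simply missing) is visible directly. It assumes an elevated PowerShell 5.1 session on the IIS host; the `-Thumbprint` filter parameter is an assumed name.

```powershell
# Added example (not from the question or answer). Assumes elevated PowerShell 5.1
# on the affected IIS host; -Thumbprint is an assumed parameter to limit output.
param(
    [string]$Thumbprint = $null
)

# CryptoAPI (RSA) machine keys and CNG key storage provider machine keys
$keyDirs = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
    "$env:ProgramData\Microsoft\Crypto\Keys"
)

$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
if ($Thumbprint) { $certs = $certs | Where-Object { $_.Thumbprint -eq $Thumbprint } }

foreach ($cert in $certs) {
    # CSP (CryptoAPI) keys expose the container file name here; CNG keys do not.
    $container = $null
    try { $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch {}
    if (-not $container) {
        # CNG key: ask the key storage provider for the key's unique (file) name.
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            $container = $rsa.Key.UniqueName
        } catch {}
    }
    if (-not $container) {
        Write-Warning "$($cert.Thumbprint): private key container name not readable (no access or key missing)"
        continue
    }

    $keyFile = $keyDirs | ForEach-Object { Join-Path $_ $container } |
               Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $keyFile) {
        # Store entry exists but the key file does not: matches the "file not found"
        # reading of the 36870 event in the question.
        Write-Warning "$($cert.Thumbprint): key file '$container' not found under $($keyDirs -join ', ')"
        continue
    }

    Write-Host "$($cert.Thumbprint) $($cert.Subject)"
    Write-Host "  key file: $keyFile"
    # SChannel opens the key from lsass as SYSTEM, so a missing SYSTEM read entry
    # (e.g. after a Group Policy permissions reset) is what to look for here.
    (Get-Acl $keyFile).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
}
```

Run it before and after the rebind workaround from the question to see whether the ACL or the key file itself changes between the failing and working state.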