Tag: ssl

“The page can’t be displayed” in web apps after installing June (or July) CU update for Windows 10

Some web apps might not work after installing the June (or July) 2016 Cumulative Update for Windows 10.

Problem

After installing the June (KB3163018) or July (KB3172985) cumulative update for Windows 10, a specific web app was broken: browsing to it in Internet Explorer 11 or Edge led to “The page can’t be displayed”.

Investigation

Looking at the System log in Event Log showed Schannel errors:

A fatal alert was generated and sent to the remote endpoint. This may result in the termination of the connection. The TLS protocol defined fatal error code 40. The Windows SChannel error state is 808.

A network trace showed that the web app server negotiated the TLS cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA.

Cause

As of update https://support.microsoft.com/en-us/kb/3061518, Windows no longer supports ciphers with 512 bits. Note that this KB was released in May 2016 but is nowhere stated to affect Windows 10. Nothing related to these changes points to Windows 10, but as we can conclude, they were introduced with the June 2016 CU for Windows 10 (and thereby carried forward to the July CU and any other CU to come).
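The following is an added example, not code from the original post or the KB article: a small Python parser that pulls the Diffie-Hellman parameters out of a ServerKeyExchange record, as it would appear in a network trace for a DHE suite like the one above, and reports the modulus size. It assumes the 512-bit limit refers to the DH modulus, that the client minimum after the update is 1024 bits, and that the message sits in one unfragmented TLS record; `MIN_DH_BITS`, the function names and the sample record are constructed for illustration.

```python
import struct

MIN_DH_BITS = 1024  # assumed client minimum; the page only says 512-bit is rejected

def dhe_params(record: bytes) -> dict:
    """Return dh_p, dh_g and dh_Ys from the ServerKeyExchange in one TLS record."""
    if len(record) < 5 or record[0] != 22:          # 22 = handshake content type
        raise ValueError("not a TLS handshake record")
    payload = record[5:5 + int.from_bytes(record[3:5], "big")]
    off = 0
    while off + 4 <= len(payload):                  # walk the handshake messages
        msg_type = payload[off]
        msg_len = int.from_bytes(payload[off + 1:off + 4], "big")
        body = payload[off + 4:off + 4 + msg_len]
        if len(body) != msg_len:
            raise ValueError("handshake message truncated")
        if msg_type == 12:                          # 12 = server_key_exchange
            return _read_dh(body)
        off += 4 + msg_len
    raise ValueError("no ServerKeyExchange in record")

def _read_dh(body: bytes) -> dict:
    out, off = {}, 0
    for name in ("dh_p", "dh_g", "dh_Ys"):          # 2-byte length + big-endian integer
        n = int.from_bytes(body[off:off + 2], "big")
        value = body[off + 2:off + 2 + n]
        if off + 2 > len(body) or len(value) != n:
            raise ValueError(f"{name} truncated")
        out[name] = int.from_bytes(value, "big")
        off += 2 + n
    return out                                      # the trailing signature is ignored

def check(record: bytes, min_bits: int = MIN_DH_BITS):
    # Returns (modulus size in bits, True if it meets the assumed minimum).
    bits = dhe_params(record)["dh_p"].bit_length()
    return bits, bits >= min_bits

def sample_record(p_bits: int) -> bytes:
    """Constructed record: placeholder numbers of the right size, no signature."""
    params = b""
    for v in ((1 << (p_bits - 1)) | 1, 2, 3):       # placeholders for p, g, Ys
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        params += struct.pack("!H", len(raw)) + raw
    msg = b"\x0c" + len(params).to_bytes(3, "big") + params + b"\x0e\x00\x00\x00"
    return struct.pack("!BHH", 22, 0x0303, len(msg)) + msg

if __name__ == "__main__":
    for size in (512, 1024, 2048):
        print(size, check(sample_record(size)))
```

To use it on real traffic, export the raw bytes of the server's ServerKeyExchange record from the trace and pass them to `check`.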

Workaround

Use the workaround described in the registry section of https://support.microsoft.com/en-us/kb/3061518 to go back to the 512-bit settings.

Solution

Make the necessary server configuration changes to support the better ciphers.

Solution to have multiple SSL sites on port 443 in IIS

Today I faced a problem where I had to put different sites in IIS on the same SSL port, which by default is 443. As you might know, you cannot set more than one web site to use port 443 in the GUI of IIS Manager, nor can you specify different host headers there. However, you can put more than one web site on the SSL port by using the command-line script shown below. Run it from C:\inetpub\adminscripts, but before you do, find out the identifier of the site you want to enable SSL for by clicking on “Web sites” in IIS Manager.

cscript.exe adsutil.vbs set /w3svc/1/SecureBindings ":443:intranet.contoso.com"

Make sure that the above command is entered and run on one line, and you are done. Please note that if you do not have a wildcard certificate installed (*.contoso.com), you will receive certificate warnings for one of the sites, as the certificate name will not match the host name.